Ofcom Signals Tougher Telecoms Security Enforcement in Latest Telecom Security Act Report

The recent March 2026 Ofcom report highlights where Telecommunications Providers are falling short in their compliance with the Telecom Security Act 2021 (“TSA”) and identifies key areas likely to face the greatest scrutiny over the next 12 months. In effect, it serves as a roadmap for Ofcom’s enforcement priorities. Providers that are not meeting their TSA requirements have been put firmly on notice.

Key compliance gaps

While Ofcom acknowledges significant investment across the sector and notes good progress in implementing TSA requirements, it identifies several areas where compliance with the Telecoms Security Code of Practice (“Code”) remains weak:

  • Supply chain security: Providers are not consistently applying required supply chain security measures. This is partly due to suppliers resisting oversight arrangements, but also reflects an over-reliance by purchasing providers on supplier assurances, rather than independent risk assessment.
  • Pre-contract security testing: Many medium and large providers consider meaningful security testing of equipment or services before contract award to be uneconomic or impractical. However, the Code requires testing at this stage to ensure providers understand whether deployment introduces unacceptable risks.
  • Identity and access management: Some providers are likely to miss implementation deadlines for identity and access management controls. Ofcom notes that these measures remain “work in progress” in many organisations, raising concerns about current risk exposure.
  • Incident reporting (emerging focus): Ofcom signals further work in this area, including potential changes to reporting thresholds to ensure they remain appropriate as the sector evolves.

Enforcement actions to date

Ofcom has not yet exercised its enforcement powers under the TSA. However, recent action under the General Conditions demonstrates its willingness to intervene:

  • Vonage was fined £700,000 for failing to ensure uninterrupted access to emergency services.
  • Gigaclear was fined £122,500 for breaches of resilience obligations.

While these cases fall outside the TSA, they underline Ofcom’s readiness to use its enforcement toolkit where necessary.

Why this report matters

This report is more than a status update. It is a clear statement of regulatory intent.

Over the next year, Ofcom intends to:

  • Focus on identified risk areas, including supply chain security, pre-contract testing, and identity and access management.
  • Strengthen supervision, using broader inspection powers and targeted testing to verify compliance.
  • Review incident reporting thresholds to ensure they reflect current technical realities.

Providers that have not addressed known gaps, particularly in supply chain security, pre-contract testing, and access controls, should expect increased scrutiny.

Telecoms Security Act – FAQs

Q: We’re a Tier 2 provider. How concerned should we be?
Concerned enough to act. Ofcom estimates that:

  • 10% of Tier 2 providers may not be properly applying supply chain security measures
  • 25% consider pre-contract testing uneconomic
  • 10% are likely to miss identity and access management deadlines

If you fall into any of these categories, a remediation plan is essential. The report suggests a regulator building towards enforcement. The next report will likely assess whether these gaps have been addressed.

Q: We rely on a Tier 1 provider. Doesn’t their compliance cover us?
No. Ofcom is explicit: your obligations are independent. You must conduct your own supply chain risk assessments and ensure your contracts include the required security provisions. Notably, Tier 1 providers are themselves falling short in this area.

Q: We’re implementing a long-term security solution. Is that enough?
Only if you have effective interim controls. Ofcom accepts strategic solutions as an end-state, but not as a substitute for managing current risks. If critical access controls are weak today, a future implementation plan will not be sufficient.

Q: What does “meaningful pre-contract security testing” mean?
Testing must be robust enough to identify material vulnerabilities before committing to a supplier. While over half of Tier 1 providers consider this impractical, Ofcom is clear that post-contract testing is not sufficient. Security testing must be embedded in procurement, not deferred to deployment.

Q: Has Ofcom fined anyone under the TSA yet?
No. However, the absence of TSA enforcement should not be mistaken for inactivity. Ofcom is gathering evidence and identifying compliance gaps. Enforcement appears to be a matter of timing, not intent.

Q: We’re a virtual operator. Do we still have obligations?
Yes. The TSA applies to all providers of public electronic communications networks and services. If you deliver telecoms services, you are in scope regardless of infrastructure ownership. This makes robust supply chain controls particularly critical.

Further help

For advice and support on the implications of this report, please contact Ed Rea.

About Ed Rea

Ed is a co-founder and director of Arbor Law, and a senior Commercial Technology and Digital Infrastructure lawyer. He has significant experience advising on the contracts and relationships that govern how technology and digital infrastructure are built, bought, sold and delivered.