UK telecom providers are undergoing a transformative digital revolution. The rollout of 5G, fibre broadband networks, and IoT, coupled with the introduction of AI, is driving innovation, improving operational efficiency, and enhancing customer experiences. These advancements are reshaping telecom operators into Digital Service Providers positioning them as essential enablers of the UK’s digital economy.
However, this rapid transformation comes with significant challenges. The expanded digital landscape introduces new vulnerabilities, from an extended supply chain to increasingly complex networks and private cloud technologies. Telecom operators must defend against an ever-evolving array of cyber threats, including well-funded advanced persistent threat groups and nation-state-sponsored attackers.
Islam Rashad: expanded digital landscape introduces new vulnerabilities
Cyberattacks on telecom providers can disrupt public services, impact national operations, and paralyse daily life. Recognising these risks, the National Cyber Security Centre introduced the Telecoms Security Act . This legally binding framework, an amendment to the Communications Act 2003, requires telecom providers to implement robust security measures to safeguard their 5G workloads and core broadband networks.
Telecoms Security Act .requires telecom providers to implement security measures to safeguard 5G and broadband networks.
TSA Framework: Compliance Roadmap
The TSA mandates 21 compliance control packages, to be phased in by March 2028. These measures aim to bolster security and resilience across public electronic communication networks and services (PECN).
The Code of Practice offers detailed guidance on meeting these new security obligations. It aligns with the legal framework established under sections 105A to 105D of the Communications Act 2003, which was updated by the TSA in 2021.
In March 2024, Ofcom began auditing Tier 1 providers’ compliance annually under Section 135 of the Communications Act. As Tier 1 providers progress, attention is now shifting to Tier 2 providers, who must achieve their initial compliance milestones by March 2025.
Complexity of Compliance
The TSA’s Code of Practice provides valuable insights into meeting compliance requirements. However, its extensive and complex control measures pose challenges for telecom providers. Achieving compliance requires more than a checklist approach—it demands a collaborative effort across technical and procurement teams, supported by a governance framework. This includes creating a clear roadmap to achieve phased compliance over the coming years.
Challenges in Compliance
Meeting TSA compliance requires substantial investment in resources, expertise, and modern technology. Providers must navigate multiple projects and interdependencies across systems, stakeholders, and business units.
Key challenges include:
Infrastructure Upgrades
Modernising and hardening existing systems.
Financial Strain
Particularly for Tier 2 providers, who face economic pressures.
Operational Disruptions
Integrating new security measures may cause downtime.
Regulatory Adaptation
Staying compliant with evolving regulations diverts focus from core business activities.
The sector’s high level of mergers and acquisitions adds complexity, requiring providers to manage compliance during organizational changes.
Implementation
Implementing TSA requirements involves introducing advanced cybersecurity measures like real-time threat detection and machine learning-powered analytics. Providers must integrate these technologies into existing systems, plan deployments, and conduct rigorous testing.
Hurdles
Legacy Systems
Many providers rely on outdated infrastructure, which carries technical debt and risks. Replacing these systems is time-intensive and costly.
Human Expertise
Skilled cybersecurity professionals are essential for proactive threat hunting and enhancing automated detections.
Overcoming Compliance Barriers
To succeed, providers must define compliance boundaries, establish governance frameworks, and align business strategies with technical priorities. Developing an actionable roadmap enables providers to address dependencies and streamline projects efficiently.
Despite these challenges, Tier 2 telecom providers remain committed to achieving TSA compliance by March 2025. Many are working tirelessly, dedicating resources, and implementing proportionate technical and operational measures to meet regulatory standards.
By fostering collaboration across business units and embracing innovative security solutions, telecom providers can navigate the compliance journey and strengthen the UK’s digital ecosystem.
Islam Rashad, is Head of Cyber Security Solutions Engineering, at WWT
