Key takeaways
The Telecommunications (Security) Act 2021 is the primary UK legislation governing the security of public telecoms networks and services. It gives Ofcom the power to set and enforce security requirements on all UK public telecoms providers.
The Act established a tiered framework. All providers must meet baseline security duties. Larger, systemically important providers -- Tier 1 (the largest networks) and Tier 2 -- face additional enhanced obligations. Ofcom designates providers into tiers based on their significance to UK connectivity.
The DCMS Code of Practice for Telecoms Security (2022) sets out detailed technical and organisational measures that providers must implement. Ofcom monitors compliance through its Statement of Policy on security duties and can investigate and fine providers that fall short.
A 2026 Ofcom consultation is updating the Statement of Policy to reflect new threats and technological changes, including the growing importance of mobile network power resilience. Ofcom published analysis of radio access network (RAN) power backup in February 2025.
The Act's security framework is linked to the UK's High Risk Vendor (HRV) regime, which restricts or bans use of equipment from vendors considered to pose national security risks. Huawei equipment is being removed from UK 5G networks under this regime.
Reviewed: June 2026
What the Telecommunications Security Act 2021 requires
The Telecommunications (Security) Act 2021 received Royal Assent in November 2021. It fundamentally reformed the UK's approach to telecoms security, replacing the previous lighter-touch framework with a statutory regime that gives Ofcom clear powers to set, monitor and enforce security requirements.
The Act requires all providers of public electronic communications networks or services in the UK to take appropriate and proportionate measures to identify and reduce the risks of security compromises occurring. This is a broad obligation that encompasses technical security measures (network architecture, access controls, encryption), organisational measures (security policies, staff training, supply chain management) and incident response capabilities.
The Code of Practice and Ofcom's Statement of Policy
The DCMS Telecommunications Security Code of Practice, published in 2022, translates the Act's broad obligations into specific technical and organisational measures. The Code covers: network architecture and design, physical security of infrastructure, software security, access control, supply chain security, monitoring and incident response, and security governance.
Ofcom published its Statement of Policy setting out how it monitors and enforces compliance with providers' security duties. This document explains the evidence Ofcom will collect, how it assesses compliance, and the circumstances in which it will take enforcement action. In 2026, Ofcom opened a consultation on updating the Statement of Policy to reflect new threats, technology changes (particularly the shift to cloud-native and virtualised network functions), and lessons learned from the framework's implementation.
Mobile network power resilience
One of the significant security weaknesses identified in Ofcom's monitoring concerns mobile network power resilience -- the ability of mobile base stations and core network equipment to continue operating during power outages. As the UK's dependence on mobile connectivity grows and the energy and telecoms sectors become more interdependent, the risk of power-related network failures increases.
In February 2025, Ofcom published analysis of radio access network (RAN) power backup across the UK, alongside an international comparison of approaches. The analysis found areas where further action is needed and highlighted the need for coordinated cross-sector effort between telecoms operators, Ofcom, DSIT and the energy sector. An update to this work was expected shortly after the June 2026 consultation publication.
The High Risk Vendor regime
The Act's security framework operates alongside the High Risk Vendor (HRV) designation regime managed by the UK Government. Under the National Security and Investment Act 2021 and related security guidance, certain vendors of telecoms equipment have been designated as high-risk vendors whose equipment poses national security risks. Huawei is the most prominent example.
UK mobile network operators are required to remove Huawei equipment from the core of their 5G networks by January 2023 (already completed) and from the radio access network by January 2027. VodafoneThree, EE and Virgin Media O2 have all completed, or are completing, removal of Huawei equipment from their core networks. Meeting the January 2027 deadline for 5G RAN removal involves significant infrastructure work.
Critical national infrastructure
UK telecoms networks are designated as critical national infrastructure (CNI). This designation reflects the extent to which modern economic activity, emergency services, government functions and personal communications depend on telecoms networks. A serious attack on UK telecoms infrastructure could have cascading effects across the entire economy.
The CNI designation means telecoms security is a cross-government priority, not just an Ofcom regulatory matter. The National Cyber Security Centre (NCSC), GCHQ and the Home Office all have roles in telecoms security. Ofcom's regulatory framework operates within this broader national security context.
Disclaimer: This guide is for informational purposes only. Kael Tripton Ltd is not regulated by the FCA. Data sourced from Ofcom, legislation.gov.uk, GOV.UK and CMA. Verify current information at ofcom.org.uk.
Frequently asked questions
What is the Telecommunications Security Act 2021?
The Telecommunications (Security) Act 2021 is the primary UK legislation governing the security of public telecoms networks and services. It received Royal Assent in November 2021 and established a statutory framework requiring all UK telecoms providers to take appropriate and proportionate security measures. Ofcom enforces the Act through its Statement of Policy and can fine providers for security failures.
What does the Telecoms Security Code of Practice require?
The DCMS Telecommunications Security Code of Practice (2022) sets out detailed technical and organisational measures covering: network architecture and design, physical security, software security, access controls, supply chain security, monitoring and incident response, and security governance. Providers must implement measures proportionate to their size and significance.
Does the Telecoms Security Act affect consumers?
Indirectly. The Act requires providers to maintain secure networks, which protects consumers from the disruption and data risks that would result from security compromises. Consumers do not have direct obligations under the Act. If your mobile or broadband network experiences a security incident affecting your service, your provider's General Conditions obligations (complaints, compensation) apply separately.
What is the High Risk Vendor regime?
The High Risk Vendor (HRV) regime designates certain telecoms equipment vendors as posing national security risks. Huawei is the most prominent HRV designation. UK operators are required to remove Huawei equipment from 5G core networks (deadline: January 2023, completed) and from 5G radio access networks (deadline: January 2027). The regime is managed by the UK Government, with Ofcom's security framework operating alongside it.
Why is mobile network power resilience an issue?
Mobile base stations and core network equipment rely on electricity to operate. A power outage -- from storms, infrastructure failure or deliberate attack -- can disable mobile networks in affected areas. Ofcom's February 2025 analysis found that mobile RAN power backup arrangements across the UK vary significantly, with some sites having limited backup capacity. Stronger resilience requires investment by operators and cross-sector coordination with the energy sector.
What are Tier 1 and Tier 2 providers under the security framework?
The Telecoms Security Act creates a tiered framework. Ofcom designates providers into tiers based on their scale and significance to UK connectivity. Tier 1 providers -- the largest, most systemically important operators -- face the most extensive security obligations. Tier 2 providers face enhanced requirements above the baseline but below Tier 1. All providers must meet minimum baseline security duties.
What is Ofcom's 2026 security consultation about?
In 2026, Ofcom opened a consultation on updating its Statement of Policy on ensuring compliance with security duties. The update reflects new threats including cloud-native network functions, evolving supply chain risks, power resilience requirements and lessons from the framework's implementation. The updated Statement of Policy will set out how Ofcom will monitor and enforce security duties going forward.
Are UK telecoms networks critical national infrastructure?
Yes. UK telecoms networks are formally designated as critical national infrastructure (CNI). This reflects their importance to the economy, emergency services, government and personal communications. The CNI designation means telecoms security is a whole-of-government priority involving NCSC, GCHQ, Home Office and DSIT alongside Ofcom's regulatory role.
Primary sources
- Telecommunications (Security) Act 2021 (legislation.gov.uk)
- DCMS - Telecommunications Security Code of Practice (2022)
- Ofcom - Statement of Policy on security compliance
- Ofcom - 2026 Consultation updating Statement of Policy
- Ofcom - Mobile RAN power resilience analysis (Feb 2025)
- Ofcom - Connectivity You Can Count On (Section 1.14-1.16)