UK telecommunications providers are now less than a couple of months away from the next major regulatory deadline for requirements under the Telecommunications (Security) Act 2021 (TSA). From the 31st March 2025, a sizeable chunk of the 258 ‘recommended’ Telecommunications Security Code of Practice (CoP) measures will be ‘expected’ to be met. However, like all things regulatory, it’s not that simple, and it is not helped by the somewhat woolly wording in CoP Section 0.25:
‘… specific recommended compliance timeframes for individual measures are contained within this code of practice. These are the timeframes by which providers would be expected to have taken relevant measures set out in the code of practice, whilst recognising that due to the existing threat environment, the quicker providers are able to implement measures the better.’

This is partly down to not all of the measures necessarily applying to a specific provider’s operation. So, in the first instance, one of the most useful tasks is to work out which measures actually apply.
The TSA and its associated Electronic Communications (Security Measures) Regulations 2022 (ECR) are already in force, and all UK Telecoms providers of PECN/PECS (except for companies designated as micro-entities) are legally required to comply with them.
The TSA indirectly requires that providers comply with the ‘appropriate’ CoP measures, and the ‘expected’ timelines for these vary depending on which tier of telecoms provider you fall into, these being:
Tier 1 providers (those with a relevant turnover >£1 billion)
Tier 2 providers (those with a relevant turnover of >£50 million and <£1 billion)
Tier 3 providers (those with a relevant turnover of <£50 million)
Under the CoP, tier 3 providers are not legally required to comply with the measures, but as the wording itself says, ‘they may choose to adopt the measures included within the code of practice where these are appropriate and proportionate to their networks and services’. This is further complicated if the tier 3 provider acts as a third-party provider of ‘relevant activity’ to a higher tier provider, which usually, but not always, relates to the wholesale supply of ECN or PECN. In that case, as CoP Section 6.37 states:
‘Where a network provider supplies its services to a different provider in a higher tier, it is expected that only the part of the network or service that is being supplied needs to meet the security standards of the provider in the higher tier.’
On top of that, the dates can vary for different third-party supplier contracts that are material to the provision of PECN and PECS, depending on the status of the contract.
The 258 individual Code of Practice measures are grouped into 21 sub-sections M1 to M21, which get progressively more prescriptive and challenging to implement. The ones that are relevant for the 31st March 2025 are measures M1 to M10.
| Group | Title | No. of measures |
|---|---|---|
| M1 | Overarching Security Measures | 6 |
| M2 | Management Plane 1 | 6 |
| M3 | Signalling Plane 1 | 19 |
| M4 | Third Party Supplier Measures 1 | 8 |
| M5 | Supporting Business Processes | 7 |
| M6 | Management Plane 2 | 5 |
| M7 | Signalling Plane 2 | 4 |
| M8 | Third Party Supplier Measures 2 | 16 |
| M9 | Customer Premises Equipment | 6 |
| M10 | Third Party Supplier Measures 3 | 54 |
Tier 1 providers have been required to comply with measures M1 to M5 since the 31st March 2024. Now, from the 31st March 2025, tier 2 providers will also be required to comply with those measures, and on top of that both tier 1 and tier 2 providers will be required to comply with measures M6 to M9.
The odd one out is measure group M10, which comprises 54 requirements relating to third-party suppliers; the timeline for these depends on the status of the third-party contract.
For a tier 1 provider, where a third-party supplier contract was signed and in effect before 31st March 2024, the provider, and by implication the third party, have until 31st March 2027 to comply with the appropriate measures. However, for any contract signed and coming into effect from 31st March 2024, the measures are effective from 1st April 2024.
For a tier 2 provider, where a third-party supplier contract was signed and in effect before 31st March 2025, the provider, and by implication the third party, have until 31st March 2027 to comply with the appropriate measures. However, for any contract signed and coming into effect from 31st March 2025, the measures are effective from 1st April 2025.
An important note on this: the CoP helpfully states that:
a renewal of a contract to continue completing the same work would not be defined as new;
software upgrades or service agreements that do not change the scope or scale of the work would not be defined as new (for example, a patch or general version of existing functionality would not be new);
This means that when a provider adds a clause (usually in the form of an annex) to an existing contract, or tries to renew the contract (where there is no material change to the provided service), just to state that the third party needs to comply with various CoP measures, this is not a new contract and it falls under the 2027 requirement.
I’ve seen some providers take a somewhat lazy ‘kitchen sink’ approach to their supply chain, requiring that the third-party supplier complies with an arbitrary list of M10 measures across all their products and service operations (everything including the kitchen sink), many of which may not be relevant. However, from a regulatory perspective, the required measures are only those that relate to the relevant in-scope products and services provided by the third-party.
This, however, is a slightly moot point, because it is the telecoms provider that is subject to the regulations, not the third-party supplier (unless they are a telecoms provider themselves). So, while telecoms providers (tier 1 and 2) are legally required to meet the requirements of the measures in M10, they can only enforce those requirements on their supply chain through contractual agreements, the timelines and extent of which are up to the provider.
Unfortunately, the way this has all been put together is a bit of a can of worms, which is not particularly easy to unravel. The measures themselves are those which need to be taken in order to comply with various relevant regulations within the ECR, which you will see listed against each individual measure. For example, Measure M10.43 relates to relevant regulations 3(3)(a),(b), 3(4), 7(1), 7(3)(a),(b), 7(4)(a)(i),(iv), 7(4)(c), 12(a) & 13(2)(d)(i),(ii). So it’s a sort of many-to-many relationship between the CoP measures and the ECR requirements, which themselves have a complex set of interdependencies. It must also be remembered that the 14 sub-sections of CoP Section 2, the guidance bit itself, are very relevant to how the measures are interpreted and applied.
In reality, and from a security perspective, measures M1 to M9 are reasonably straightforward in what they want to achieve, most of which would normally be expected as security good practice for something as critical as a telecoms provider: keeping accurate records, privileged access management, appropriate network segregation, role-based access, no default passwords, the use of MFA, etc. It’s legacy infrastructure, tech debt and out-of-date governance that is catching most telcos out, as they scramble to bring their security posture up to the standard required by the TSA.
Assuming they already have some sort of respectable security posture, the real headache for many providers will be the 54 measures in M10, nearly half of which relate to contractual requirements. Many providers contract to third-party MSPs or MSSPs, have vendor support contracts, etc., some of which require third-party access to ‘security critical’ or ‘network oversight’ functions, may even be from abroad, and may involve sensitive data being held. It’s these scenarios which are going to need careful consideration and a lot of time to unravel, and likely material changes not only to contracts but to the relationship with third-party suppliers.
Traditionally, and from a governance perspective, third-party supplier management has tended to be the problem of the procurement department, many of whom are now having a WTF! moment as they try to understand and unravel a copy of the CoP that someone from the GRC department just threw on their desk, with coloured tabs conveniently stuck on pages 48, 75, 80, 83, 98 & 112 and a note: ‘sort this out’.
While the measures are reasonably self-explanatory and prescriptive, because of the complex interdependencies they can’t easily be looked at and actioned individually in isolation, but need to be considered within a much broader and more comprehensive approach to the requirements of the TSA, ECR and CoP as a whole.