The UK Telecoms (Security) Act: Breaking Down the Basics

27 February 2023

By Chris Proctor

Nearly a year after the UK Telecommunications (Security) Act (TSA) was passed into law, the underpinning security framework finally went into effect on October 1, 2022, ushering in a bevy of new security requirements for public telecom providers.

The Act responds to the changing geopolitical environment, increasing cybercriminal activity, and the associated threats. Its purpose is to ensure the reliability and resilience of the UK telecoms network that underpins virtually every aspect of our economy and modern society.

Make no mistake: this isn’t just about safeguarding mobile device services. With so much of our society becoming ever more reliant on dependable connectivity, including critical infrastructure like energy, transport, and healthcare, the Act is essential for ensuring the continuity of vital services amidst a fast-evolving threat landscape. 

Considering this big-picture perspective, it makes sense that the UK government, along with many other governments around the world, is keen on closing telecoms security gaps to ensure a more resilient infrastructure for us all.

But many providers, as well as hardware and service vendors, are wondering how all of this affects their business, or whether it does at all. The rules can seem quite complex or unclear, and many companies are understandably investing significant time and effort into their compliance processes.

Here, we aim to simplify the TSA and explain not only what’s required but how achieving compliance proactively can even be a competitive differentiator, making it something you’ll want to tackle ASAP rather than put off.

The Code of Practice

First, what is it? The Department for Digital, Culture, Media and Sport (DCMS) published the Telecommunications Security Code of Practice (the Code), based on technical content drafted by the National Cyber Security Centre (NCSC): some 258 line items of technical guidance measures for providers that cover critical areas of their operations, including network management, monitoring and analysis, supply chain, and more. These measures set the guidance for security, putting everyone on the same page.

While the Code also gives some recommended guidance for meeting the measures, the end result is what matters most. Providers don’t have to follow the Code of Practice recommended protocols to the letter; they just have to prove to the sector regulator, Ofcom (which is tasked with enforcing the mandates), that their approach to the measures delivers the desired outcomes.

The Deadlines

Aside from the scope, the next biggest item for players in this space is the deadlines.  

Tier 1 providers (those with annual revenue over £1bn) must implement the first batch of requirements by March 31, 2024.  

Tier 2 providers (with annual revenue over £50m) have another year, until March 31, 2025. The exception is where they supply any part of their network or service to a Tier 1 provider: for that part of their network and service, they need to work to the requirement deadlines of the Tier 1 provider.

The smallest telecoms providers in Tier 3, including small businesses and micro enterprises, are not expected to follow the measures in the Code, except for networks or services they supply to higher tier providers. However, they may choose to adopt the measures included within the Code of Practice where these are appropriate and proportionate to their operation. 

It’s essential to recognise that these requirements and deadlines affect not only the providers but their suppliers, too. That means if you supply equipment or services to Tier 1 and Tier 2 providers, the clock is ticking for you, as providers will need to address measures related to their supply chain.  

Interpreting the TSA appropriately and achieving compliance might seem overwhelming. And some providers might even be hard-pressed to devote the necessary expertise and resources to it, especially when they’re already operating on tight margins with lean teams. This creates a perfect recipe for procrastination. But that would be a mistake, as it is important to remember that the regulation is already in effect.

The Business Case for Compliance

Aside from avoiding regulatory penalties, there are potential benefits for providers and suppliers in aligning to the TSA requirements sooner rather than later:

  • Impetus for modernisation. Through operational age and M&A activity, a provider’s systems can be complex, with a lack of visibility of all assets contained within them, which may well include End of Support equipment. The TSA mandate creates an opportunity to retire services you needed or wanted to retire anyway and provides additional justification for the investment.
  • Simplifies procurement. Because compliance will result in providers holding suppliers to the same set of measures, providers can buy with increased confidence, and suppliers can potentially expect similar requirements from all the providers rather than a raft of different security expectations.
  • Competitive differentiator. Providers will begin including TSA requirements in their RFPs and contracts. For suppliers, supporting providers to achieve their compliance might help put you ahead of the competition. This ultimately moves you into a better position to serve your market and builds business resilience. 

A Roadmap for Success

Finally, you may be wondering how to even begin the process of achieving TSA compliance by the applicable deadline. Here’s a simple five-step program: 

1) Plan. Don’t wait another minute. Begin assembling a roadmap and milestones immediately. A year goes by in a flash, and with so many conflicting priorities every day, time can quickly get away from you. 

2) Define your scope. Identify which of your systems and operations are in scope for the regulation. This will help you to prioritise and avoid biting off more than you can chew unnecessarily. 

3) Conduct an asset inventory. If you don’t know what you have, you can’t verify or defend it. All of those systems, hardware, and complex integrations you’ve accumulated over the years? It’s time to get a clear understanding of every asset. 

4) Examine your supply chain. With 80 Code of Practice measures related to supply chain validation, supplier assurance is a huge part of achieving compliance. You’ll need to identify your suppliers and develop a system for verifying and managing them appropriately.

5) Seek out a partner who can help. One of the toughest parts of TSA compliance for most companies will be resource allocation. Work with a partner that can help you where you need them, such as interpreting the regulations and understanding your scope and posture versus the measures.

Together you should then develop a roadmap for improvement. The partner organisation you appoint should be able, if needed, to support you through the implementation of the improvements too. This will help you achieve the appropriate level of compliance by the deadlines outlined for your tier.  

Chris Proctor

Telecoms Practice Associate Director, NCC Group UK

With 23 years of experience in the global telecommunications market, Chris supports NCC Group's clients with their security requirements, particularly regarding their regulatory obligations.

He's held previous roles at Nokia and the UK’s Lead Government Department for telecommunications, DCMS. Our clients benefit from the rich insights Chris gathers from his ongoing engagements with the sector's affiliated organisations, such as Ofcom, GSMA, and NCSC.
