Heimdell Tech AI - TPV Verification for Telecom Resellers

Telecoms Security Act 2021: Tier 1, 2 & 3 Requirements

Complete compliance guide for UK communication providers. Understand your tier classification, mandatory security duties, and implementation deadlines.

What You Learn

  • TSA security requirements
  • Network protection obligations
  • Vendor restrictions
  • Compliance deadlines

Who It's For

  • Security teams
  • Network managers
  • Compliance officers
  • CTOs and CISOs
BOTTOM LINE UP FRONT
The Telecommunications (Security) Act 2021 requires every UK provider of a public electronic communications network or service to take security measures proportionate to its tier, and the tier is set by relevant turnover. Tier 1 (over £1bn): all 65 Code of Practice measures mandatory. Tier 2 (£50m to £1bn): 52 measures mandatory, 13 recommended. Tier 3 (under £50m): 38 measures mandatory, 27 recommended. Penalties: up to 10% of relevant turnover, or £100,000 per day for a continuing contravention.

Understanding the TSA Framework

The security duties created by the Telecommunications (Security) Act 2021 came into force on 1 October 2022, establishing a new security framework for UK public electronic communications networks and services. The Act works alongside the Electronic Communications (Security Measures) Regulations 2022 and the Telecommunications Security Code of Practice. The Code is issued by the Secretary of State, not by Ofcom; Ofcom is the regulator that assesses and enforces compliance, and it takes the Code into account when doing so.

The framework establishes three key obligations:

  1. General security duty — Take appropriate and proportionate measures to identify security risks and reduce their occurrence and impact
  2. Specific security duties — Comply with detailed requirements set out in regulations
  3. Breach notification — Report significant security incidents to Ofcom

Tier Classification

Providers are classified into three tiers based on their annual relevant turnover and the criticality of their services:

Tier   | Relevant turnover | Mandatory measures | Recommended measures | Example providers
Tier 1 | over £1 billion   | 65 (all)           | 0                    | BT, Virgin Media O2, Vodafone, Three
Tier 2 | £50m to £1bn      | 52                 | 13                   | Sky, TalkTalk, Hyperoptic, CityFibre
Tier 3 | under £50 million | 38                 | 27                   | Regional ISPs, channel partners, resellers

Security Measures by Category

The Code of Practice groups measures into these categories. Here's what applies to each tier:

A. Governance & Risk Management

A1. Security Responsibility

Designate a person responsible for security at board level. Mandatory: All Tiers

A2. Risk Assessment

Conduct regular security risk assessments covering network, services, and supply chain. Mandatory: All Tiers

A3. Security Strategy

Maintain documented security strategy reviewed annually. Mandatory: All Tiers

B. Network Security

B1. Network Segmentation

Implement logical separation between network functions. Mandatory: All Tiers

B2. Access Control

Role-based access with multi-factor authentication for admin functions. Mandatory: All Tiers

B4. Patch Management

Critical patches within 14 days, others within 30 days. Mandatory: All Tiers

C. Supply Chain Security

C1. Vendor Assessment

Assess security of suppliers before and during contracts. Mandatory: All Tiers

C2. High-risk Vendors

Remove equipment from designated high-risk vendors (currently Huawei, under the 2022 Designated Vendor Direction) from UK 5G networks by 31 December 2027; the Direction set earlier deadlines for core network functions and for the share of equipment in access networks. Applies to: providers named in the Direction

D. Monitoring & Incident Response

D1. Security Monitoring

24/7 monitoring capability for security events. Mandatory: All Tiers

D2. Incident Response

Documented incident response procedures tested annually. Mandatory: All Tiers

D3. Breach Notification

Notify Ofcom within 72 hours of significant incidents. Mandatory: All Tiers

Implementation Timeline

1 October 2022
TSA security duties and the Regulations came into force. Code of Practice published. All providers must begin implementation.
31 March 2024
Tier 1 providers: first Code of Practice implementation date. The Code phases the more complex measures to later dates, the last being 31 March 2028.
31 March 2026
Tier 2 providers: first Code of Practice implementation date. Each Tier 2 date falls two years after the corresponding Tier 1 date.
Tier 3 (no Code of Practice date)
Tier 3 providers are outside the Code's implementation timetable and Ofcom's proactive oversight under the Code, but they have been bound by the Act's general and specific security duties and by the Regulations since 1 October 2022.
31 December 2027
Deadline under the Designated Vendor Direction for removing the designated vendor's equipment from UK 5G networks.

Tier 3 Quick Compliance Checklist

For smaller providers (most resellers and channel partners), the 38 mandatory measures come down to these areas:

  1. Board-level security owner — Designate responsibility (can be combined with other duties)
  2. Annual risk assessment — Document network risks and mitigations
  3. Security policy — Written policy covering all 38 areas
  4. Access control — MFA for admin access, role-based permissions
  5. Patch management — Documented process, critical patches <14 days
  6. Network segmentation — Separate management from customer traffic
  7. Monitoring — Log security events and retain the logs for at least 13 months, the retention period the Regulations set for security-relevant logs
  8. Incident response — Documented procedures, annual testing
  9. Vendor security — Assess suppliers, contractual security clauses
  10. Breach notification — Process to notify Ofcom within 72 hours
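The patch-window target in B4 (critical fixes within 14 days of availability, everything else within 30) and item 5 of the checklist above are only auditable if the provider can show, per device and vulnerability, when a fix shipped and when it was applied. The script below is an added example, not code from this page or from any TSA tooling: it takes a constructed CSV inventory (asset names, VULN-* identifiers and dates are all hypothetical) and classifies every row as compliant, patched late, still within its window, overdue, or waiting on a vendor fix, so that the evidence an Ofcom assessment would ask for falls out of data the provider already keeps.

```python
"""Patch-window checker for the 14-day (critical) / 30-day (other) targets above.

Added example, not code from the page or from any TSA tooling. The inventory
format, asset names and VULN-* identifiers are constructed for illustration.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta

# Days allowed from patch availability to deployment, per the page's B4 target.
# Severities not listed fall back to the 30-day "others" window.
SLA_DAYS = {"critical": 14}
DEFAULT_SLA_DAYS = 30


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str
    severity: str
    status: str      # compliant | patched_late | due | overdue | awaiting_vendor
    days_over: int   # days past the window (0 when inside it or not started)


def _parse_date(value: str) -> date | None:
    value = value.strip()
    return date.fromisoformat(value) if value else None


def evaluate(inventory_csv: str, today: date) -> list[Finding]:
    """Classify every row of a CSV inventory against its patch window."""
    findings: list[Finding] = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        severity = row["severity"].strip().lower()
        window = timedelta(days=SLA_DAYS.get(severity, DEFAULT_SLA_DAYS))
        available = _parse_date(row["patch_available"])
        applied = _parse_date(row["patch_applied"])

        if available is None:
            # No vendor fix yet: the window has not started. These still need
            # compensating controls, so they are reported rather than dropped.
            findings.append(Finding(row["asset"], row["vuln_id"], severity, "awaiting_vendor", 0))
            continue

        deadline = available + window
        if applied is not None:
            # Historical record: was the fix deployed inside the window?
            overrun = (applied - deadline).days
            status = "patched_late" if overrun > 0 else "compliant"
        else:
            # Open item: how far past (or short of) the deadline are we today?
            overrun = (today - deadline).days
            status = "overdue" if overrun > 0 else "due"
        findings.append(Finding(row["asset"], row["vuln_id"], severity, status, max(overrun, 0)))
    return findings


def summarise(findings: list[Finding]) -> dict[str, int]:
    """Count findings per status, for a one-line evidence summary."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.status] = counts.get(f.status, 0) + 1
    return counts


# Constructed sample inventory (ISO dates; an empty field means the event has not happened).
SAMPLE_INVENTORY = """\
asset,vuln_id,severity,patch_available,patch_applied
core-rtr-01,VULN-0001,critical,2026-01-05,2026-01-12
edge-fw-02,VULN-0002,critical,2026-01-05,2026-01-30
bng-03,VULN-0003,high,2026-01-20,
oss-vm-04,VULN-0004,medium,2026-02-10,
ont-mgmt-05,VULN-0005,critical,,
"""


def run_sample(today: date = date(2026, 2, 20)) -> list[Finding]:
    """Evaluate the constructed inventory as of a fixed date for repeatability."""
    return evaluate(SAMPLE_INVENTORY, today)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.asset:12} {f.vuln_id} {f.severity:8} {f.status:15} +{f.days_over}d")
    print(summarise(run_sample()))
```

Two design points matter for an audit. Rows with no vendor fix are reported as awaiting_vendor rather than silently passing, because the 14-day clock has not started but the exposure is real and needs a documented mitigation. And rows that were patched late stay in the report even though they are closed: the duty is to meet the window, and a late fix is a past contravention the provider should be able to explain, not a clean record.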

Ofcom Enforcement Powers

Ofcom has significant enforcement powers under the TSA:

  • Assessment — Ofcom can issue assessment notices requiring a provider to demonstrate compliance, including by giving Ofcom access to premises, systems and documents
  • Information — Ofcom can require a provider to supply information about its security arrangements and about security compromises
  • Direction — Ofcom can issue notifications of contravention and direct a provider to take specified remedial steps
  • Penalties — up to 10% of relevant turnover, or £100,000 per day for a continuing contravention; failing to comply with an information requirement or assessment notice is itself enforceable

Need TSA Compliance Support?

TELECOM COMPLIANCE provides automated compliance monitoring and documentation for Tier 2 and Tier 3 providers. Reduce your compliance burden by 80%.

