With the UK telco providers classified as Critical National Infrastructure (CNI) shifting more towards becoming all-encompassing Digital Service Providers (DSPs), the adoption and rollout of 5G and IoT services is accelerating. 

But with greater speed comes greater risk. The rising prevalence of cyber attacks is leading to both diminishing returns on DSP investments and severe disruption to services, consumers and brand reputation. Therefore, the National Cyber Security Centre (NCSC) in the UK has assessed the landscape and associated risks and realized the imminent need for the Telecoms Security Act.

The Telecommunications Security Act (TSA) is a legally binding framework requiring UK telecom providers to implement measures for greater cyber security. These changes would enable and equip them to repel cyber-attacks and detect, respond and recover from them promptly, in accordance with TSA compliance mandates. 

Most, if not all, of tier 1 and tier 2 telco providers are currently progressing towards full TSA compliance. Going forward, they must stay on top of the regulations to protect their security posture and avoid penalties.

They must act now to minimize the risk of non-compliance at a later stage. Learn about the key challenges for providers in 2024 and how your organization can stay ahead of the curve.

What does the TSA mean for providers? 

TSA Legislation means that by a certain time, providers must implement a total of ~258 control measures referenced in the TSA Code of Practice (CoP) to satisfy the NCSC TSA requirements. 

Not all controls must be applied by the Tier-1 or Tier-2 service providers as this could vary based on what needs to be protected within their public electronic communications networks and services (PECN and PECS). Plus, having pre-existing capabilities such as but not limited to: Information Security Management System (ISMS) and governance programs around (BCP, DR, IT/SOC SOPs), integrations with the service operations centre (SOC) in place can help accelerate the compliance journey. 

The TSA compliance journey is a multi-year program encompassing a variety of requirements with varying complexity. Legacy equipment, such as workloads and systems for example, must be audited and replaced with solutions able to withstand sophisticated advanced persistent threat (APT) groups or nation-state-sponsored attack methods. These offer operational resilience and improved digital risk management, leading to a better, more secure, and safer digitally connected future for the UK.

Now that we've passed the first implementation milestone, Ofcom will inspect tier 1 providers (those with a relevant turnover of £1bn+) and ensure that the initial round of measures outlined in the Code of Practice are met.

What are the main challenges for providers in 2024?

TSA legislation is wide reaching and nuanced. While every provider, vendor and supplier will have their own responsibilities to action, progress towards full compliance will look different for each organization. This is due to the native characteristics of their technology stack, geographical presence and business strategies.

To ensure the proportionate mitigation of security risks, a tiering system is being used to set out the different expectations on public telecoms providers based on their commercial scale. For example, tier 1 is for public telecoms providers with turnover during a relevant period of £1bn or more. Tier 2 includes providers with a relevant turnover of more than, or equal to, £50m (but less than £1bn), while tier 3 is less than £50m but not micro-entities

Currently, providers under tier 1 (>1bn annual revenue) are making progress towards TSA-mandated deadlines. However, while larger organizations typically have more resources to allocate towards compliance efforts, those in tier 2 (£50m – £1bn annual revenue) and tier 3 (< £50m annual revenue) could struggle with limited budgets and expertise.

This is part of why Ofcom has mandated different timelines for each provider category. Tier 2 providers will be regulated from April 2025 onwards, while tier 3 providers will not be regulated but are still strongly advised to implement changes to protect their security posture.

However, without the pressure of an immediate audit, providers may believe they have made further progress towards full TSA compliance than they actually have.

This is a problem: falling behind in the early stages of the TSA cycle could lead to a larger cost impact down the line. Providers must act now to lower the cost impact of a delay and prevent a bloated investment closer to the final deadline in 2028.

These are the key challenges they face:

Business obstacles could slow down progress

The TSA includes a complex set of regulations, making it difficult for providers to fully understand and interpret the boundaries and detailed requirements of the Code of Practice. As a result, some may struggle to identify the areas where they are not compliant and determine which actions to take without external consultancy.

Currently, providers are focusing on initial risk assessments, upgrading infrastructure and implementing required security measures. However, this is a large undertaking – and many smaller providers lack the in-house capabilities to achieve full implementation on the TSA-mandated timeline.

Ensuring compliance requires substantial investment in upgrading infrastructure and implementing advanced security measures, which can strain financial resources already impacted by global and domestic economic challenges.  Additionally, the complexity of integrating new security systems into existing systems can lead to operational disruptions and increased downtime. Telcos must also navigate the evolving regulatory landscape, which demands continuous monitoring and adaptation, potentially diverting focus from core business activities. 

Moreover, maintaining robust security to protect against sophisticated cyber threats necessitates ongoing workforce training and development, further escalating costs. These challenges collectively impact telcos' ability to maintain competitive pricing, deliver consistent service quality and innovate in a rapidly changing market.

Adding to this pressure is the indirect impact of the technology sector's continually shifting landscape. The market traditionally yields a high frequency of mergers and acquisitions, introducing an extra layer of complexity for operators to ensure they implement a steady, well-planned flow of measures that satisfy TSA requirements.

Unfortunately, this mixture of direct and indirect business challenges forces many telcos to fall behind in their TSA programs.

Providers may also struggle to ensure supply chain security, particularly if they depend heavily – or are solely reliable – on external, overseas-hosted technologies and services.

Here, there is a responsibility to design highly resilient operational models in terms of people, processes and technology. One which complies with the TSA "national resiliency" requirements that allows service providers to deliver digital services even if they suffer from an operational or cyber threats (incidents or breaches) within overseas entities. 

These requirements extend across a variety of areas – including, infrastructure resiliency, network critical functions to remain within the UK, data recovery, cyber recovery, cyber resilience, Telco cloud converged IT/SOC standard operating procedures, real-time threat management – in order to accelerate the refresh of technology across multiple dispersed locations, involving comprehensive vendor risk assessments and supply chain security monitoring at scale.

Essentially, TSA compliance is not a simple fix. Or a one-time effort. After the next round of deadlines passes in March 2025 for tier 2 providers, all must ensure ongoing compliance by continuously monitoring and making updates per TSA regulations.

Technical challenges may create compliance gaps

For many providers, it will be technically complex and time-consuming to introduce new security measures. Teams must understand how to integrate new technologies into existing infrastructure, workloads and systems, including provisions for planning, deployment and testing. 

For example, organizations may need to introduce new security requirements around real-time continuous threat management capabilities such as:

  • Security Information and Event Management to offer event and log management, log retention (13-months)
  • Events enrichment, contextualization and event correlation
  • Ability to detect known and un-known threats such as but not limited to policy violations, un-authorised access, anomaly detection proactive threat-hunting
  • Highly skilled digital forensics and rapid response to contain, eradicate and recover from incidents or breach
  • Well-tested standard operating procedures, clear communication-matrix across all stakeholders within telco network, IT and SOC teams and at the core of this elevating the level of security awareness, skills and competency within the technical team looking after the telco digital assets.
  • Governance layer on top to enforce security compliance managed by a designated person or a committee with board level responsibility (who must also be granted authority to effectively manage those responsible for the organization's measures)

Legacy assets are another significant roadblock. For decades, telcos have powered their digital services on top of legacy infrastructure, building inherited risk in the process. This makes it challenging to replace these systems, with a large-scale tech refresh demanding significant effort, time and resources.

Ultimately, teams need to be upgrading and securing their cloud workloads now, and moving at speed to complete before 2028. The providers that fall behind the strict TSA deadlines risk both threat exposure and hefty penalties for breaking compliance.

How can WWT support TSA progress?

The Telecommunications Security Act will change the mindset of the operators and owners of the 5G telco cloud. It will introduce a transformative compliance program pushing service providers to focus on the best cybersecurity practices and principles. These include security by design, zero trust, cyber resilience, and defense in depth, across the management, signaling, and data planes of their telco cloud – hosting 5G workloads, services and related physical and virtual endpoints/assets. 

WWT offers TSA accelerator services to assist each service provider in progressing towards TSA compliance, no matter where they are in their journey.

Our consultation services can identify the boundaries of TSA compliance and help providers understand the priorities, dependencies and relevant actions they need to take to remove barriers between business strategies and telco cloud asset owners.

Through an actionable roadmap strategy, WWT empowers providers to meet and maintain compliance requirements across telco infrastructure and supply chain. 

WWT consultants have vast experience supporting Tier-1 telco providers in the US and UK to accelerate their digital transformation journey. Over the past 20 years, we have designed, architected, supplied and deployed a large number of complex mobile and fixed networks, private telco cloud workloads at a global scale and built one of the best cybersecurity practices in the world – providing strategic consultancy to many members of the Fortune Global 500.

Progress is backed by the power of our Advanced Technology Centre (ATC), offering unparalleled capacity for our customers to rapidly test multiple solutions. In collaboration with our team, they can interrogate the interoperability, technical efficacy and use cases of a given solution, with 500+ OEMs to choose from.

Our global Supply Chain and Integration Centers are leveraged by telco providers to expedite their large-scale tech refresh or modernization of network endpoints in their (PoPs) programs, which in most cases, would involve geographically dispersed assets. WWT's global Supply Chain and Integration Centers can cost-effectively revolutionize large-scale global transformation plans.

What about WWT's partner ecosystem is comprised of cutting-edge technology companies that deliver best-of-breed solutions. Intel is a key partner for us in the service provider space, where we have great deal of expertise in leveraging their products to enable our telco provider customers to modernize their private cloud and underlying hardware infrastructure with security completely baked into it through a multitude of Intel solutions in that space such as: Intel Confidential Compute protects sensitive data during processing, leveraging features for 5G workloads including Intel SGX, TXT, TME and PFR.

Our AI-powered data management partner, Cribl, provides support by delivering a more pervasive level of operational and threat visibility for telco organizations. The tools allow operators to proactively apply required analytics to detect and respond to threats, pre-empting breaches and preventing serious network disruptions before they happen.

Through partner collaborations, we ensure our telco customers have access to best-in-class highly tailored end-to-end secure, scalable and robust  solutions.

WWT is uniquely positioned to provide rapid time-to-value through the fusion of our GSP telco sector and security consultants' expertise to develop best-fitting security strategies. Ultimately, this combination delivers highly tailored roadmaps, technical support, and assurances to our service providers that they are on the right track to TSA compliance. 

Explore our global service provider services to learn more about how WWT can assist your organization on its journey.