With the UK telco providers classified as Critical National Infrastructure (CNI) shifting more towards becoming all-encompassing Digital Service Providers (DSPs), the adoption and rollout of 5G and IoT services is accelerating. 

But with greater speed comes greater risk. The rising prevalence of cyber attacks is leading to both diminishing returns on DSP investments and severe disruption to services, consumers and brand reputation. Therefore, the National Cyber Security Centre (NCSC) in the UK has assessed the landscape and associated risks and realized the imminent need for the Telecoms Security Act.

The Telecommunications Security Act (TSA) is a legally binding framework requiring UK telecom providers to implement measures for greater cyber security. These changes would enable and equip them to repel cyber-attacks and detect, respond and recover from them promptly, in accordance with TSA compliance mandates. 

Most, if not all, tier 1 and tier 2 telco providers are currently progressing towards full TSA compliance. Going forward, they must stay on top of the regulations to protect their security posture and avoid penalties.

They must act now to minimize the risk of non-compliance at a later stage. Learn about the key challenges for providers in 2024 and how your organization can stay ahead of the curve.

What does the TSA mean for providers? 

TSA regulation means that by a certain time, providers must implement a total of ~258 control measures to satisfy the NCSC TSA requirements. As an example, legacy equipment, workloads and systems must be audited and replaced with solutions able to withstand sophisticated advanced persistent threat (APT) groups or nation-state-sponsored attack methods. These offer operational resilience and improved digital risk management, leading to a better, more secure, and safer digitally connected future for the UK.

Now that we've passed the first implementation milestone, Ofcom will inspect tier 1 providers (those with a relevant turnover of £1bn+) and ensure that the initial round of measures outlined in the Code of Practice has been met.

What are the main challenges for providers in 2024?

TSA legislation is wide reaching and nuanced. While every provider, vendor and supplier will have their own responsibilities to action, progress towards full compliance will look different for each organization. This is due to the native characteristics of their technology stack, geographical presence and business strategies.

Currently, tier 1 providers are making progress towards TSA-mandated deadlines. But while larger organizations typically have more resources to allocate towards compliance efforts, those in tiers 2 and 3 might struggle due to limited budgets and expertise.

This is part of why Ofcom has mandated different timelines for each provider category. Tier 2 providers will be regulated from April 2025 onwards, while tier 3 providers will not be regulated but are still strongly advised to implement changes to protect their security posture.

However, without the pressure of an immediate audit, providers may believe they have made further progress towards full TSA compliance than they actually have.

This is a problem: falling behind in the early stages of the TSA cycle could lead to a larger cost impact down the line. Providers must act now to lower the cost impact of a delay and prevent a bloated investment closer to the final deadline in 2028.

These are the key challenges they face:

Business obstacles could slow down progress

The TSA includes a complex set of regulations, making it difficult for providers to fully understand and interpret the boundaries and detailed requirements of the Code of Practice. As a result, some may struggle to identify the areas where they are not compliant and determine which actions to take without external consultancy.

Currently, providers are focusing on initial risk assessments, upgrading infrastructure and implementing required security measures. However, this is a large undertaking – and many smaller providers lack the in-house capabilities to achieve full implementation on the TSA-mandated timeline.

Ensuring compliance requires substantial investment in upgrading infrastructure and implementing advanced security measures, which can strain financial resources already impacted by global and domestic economic challenges. Additionally, the complexity of integrating new security systems into existing systems can lead to operational disruptions and increased downtime. Telcos must also navigate the evolving regulatory landscape, which demands continuous monitoring and adaptation, potentially diverting focus from core business activities.

Moreover, maintaining robust security to protect against sophisticated cyber threats necessitates ongoing workforce training and development, further escalating costs. These challenges collectively impact telcos' ability to maintain competitive pricing, deliver consistent service quality and innovate in a rapidly changing market.

Adding to this pressure is the indirect impact of the technology sector's continually shifting landscape. The market traditionally yields a high frequency of mergers and acquisitions, introducing an extra layer of complexity for operators to ensure they implement a steady, well-planned flow of measures that satisfy TSA requirements.

Unfortunately, this mixture of direct and indirect business challenges forces many telcos to fall behind in their TSA programmes.

Providers may also struggle to ensure supply chain security, particularly if they depend heavily on external services and equipment. Here, there is a responsibility to accelerate tech refresh across multiple dispersed locations, involving comprehensive vendor risk assessments and supply chain security monitoring at scale.

Essentially, TSA compliance is neither a simple fix nor a one-time effort. After the next round of deadlines passes in March 2025 for tier 2 providers, all must ensure ongoing compliance by continuously monitoring and making updates per TSA regulations.

Technical challenges may create compliance gaps

For many providers, it will be technically complex and time-consuming to introduce new security measures. Teams must understand how to integrate new technologies into existing infrastructure, workloads and systems, including provisions for planning, deployment and testing. 

For example, organizations may need to introduce new security services focused on real-time threat management, including incident detection and response measures.

Legacy assets are another significant roadblock. For decades, telcos have powered their digital services on top of legacy infrastructure, building inherited risk in the process. This makes it challenging to replace these systems, with a large-scale tech refresh demanding significant effort, time and resources.

Ultimately, teams need to be upgrading and securing their cloud workloads now, and moving at speed to complete before 2028. The providers that fall behind the strict TSA deadlines risk both threat exposure and hefty penalties for breaking compliance.

How can WWT support TSA progress?

The Telecommunications Security Act will change the mindset of the operators and owners of the 5G telco cloud. It will introduce a transformative compliance programme pushing service providers to focus on the core principles of commonly accepted cybersecurity practice. These include security by design, zero trust, cyber resilience, and defence in depth, across the management, signalling, and data planes of their telco cloud – hosting 5G workloads, endpoints and assets.

WWT offers TSA accelerator services to assist each service provider in progressing towards TSA compliance, no matter where they are in their journey.

Our consultation services can identify the boundaries of TSA compliance and help providers understand the priorities, dependencies and relevant actions they need to take to remove barriers between business strategies and telco cloud asset owners.

Through an actionable roadmap strategy, WWT empowers providers to meet and maintain compliance requirements across telco infrastructure and supply chain. 

WWT consultants have vast experience supporting tier 1 telco providers in the US and UK to accelerate their digital transformation journey. Over the past 20 years, we have rolled out 5G networks and built one of the best cybersecurity practices in the world – providing strategic consultancy to many members of the Fortune Global 500.

Progress is backed by the power of our Advanced Technology Centre (ATC), offering unparalleled capacity for our customers to rapidly test multiple solutions. In collaboration with our team, they can interrogate the interoperability, technical efficacy and use cases of a given solution, with 500+ OEMs to choose from.

Our global Supply Chain and Integration Centres are leveraged by telco providers to expedite their large-scale tech refresh or modernisation of network endpoints in their points of presence (PoPs) programmes, which, in most cases, involve geographically dispersed assets. WWT's global Supply Chain and Integration Centres can cost-effectively revolutionize large-scale global transformation plans.

WWT's partner ecosystem comprises cutting-edge technology companies that deliver best-of-breed solutions. Intel is a key partner for us in the service provider space, where we have a great deal of expertise in leveraging their products to enable our telco provider customers to modernize their private cloud and underlying hardware infrastructure with security completely baked into it. This is achieved through a multitude of Intel solutions in that space. One example is Intel Confidential Compute, which protects sensitive data during processing, leveraging features for 5G workloads including Intel SGX, TXT, TME and PFR.

Our AI-powered data management partner, Cribl, provides support by delivering a more pervasive level of operational and threat visibility for telco organizations. The tools allow operators to proactively apply required analytics to detect and respond to threats, pre-empting breaches and preventing serious network disruptions before they happen.

Through partner collaborations, we ensure our telco customers have access to best-in-class solutions.

WWT is uniquely positioned to provide rapid time-to-value through the fusion of our GSP telco sector and security consultants' expertise to develop best-fitting security strategies. Ultimately, this combination delivers highly tailored roadmaps, technical support, and assurances to our service providers that they are on the right track to TSA compliance. 

Explore our global service provider services to learn more about how WWT can assist your organization on its journey.