Ofcom security report for the period October 2024 to October 2025
Ofcom has provided DSIT’s Secretary of State with its second security report in accordance with section 105Z of the Communications Act 2003.
Details
The Telecommunications (Security) Act 2021 amended the Communications Act 2003 (the Act) to strengthen the security and resilience of public telecommunications networks and services.
The Act places duties on public telecoms providers to identify and mitigate security risks, and to prepare for and address any adverse effects. The Act also contains powers that enable HM Government to make regulations setting out specific security measures to be taken by providers, and to make codes of practice containing technical guidance on the Government’s preferred approach to demonstrating compliance with the duties in the Act and the requirements within the regulations. The Electronic Communications (Security) Measures Regulations 2022 and the associated Telecommunications Security Code of Practice were made using these powers.
Ofcom is responsible for monitoring and enforcing public telecoms providers’ compliance with the telecoms security framework under the Act and Regulations. Under the Act, Ofcom is required to provide the Secretary of State with security reports. Section 105Z provides that:
“A security report must contain such information and advice as Ofcom consider may best serve the purpose” which “is to assist the Secretary of State in their formulation of policy in relation to the security of public electronic communications networks and public electronic communications services.”
Ofcom security report findings
The security report for the period October 2024 to October 2025 suggests that:
- there has been continued improvement in security practices across industry
- Ofcom has found public telecoms providers are making good progress in implementing the measures in the Code of Practice, notably in better management of legacy and end-of-life assets, and improved incident management practices
- Ofcom has identified some areas where providers appear to be struggling with implementation, including where providers act as suppliers to other providers, and pre-contract equipment testing. Ofcom does not consider these findings serious enough to warrant opening compliance investigations, but will monitor them closely
- the legislation and security framework is proving effective. Ofcom has no specific policy recommendations
Next steps
The government is committed to continuously evaluating the effectiveness of the Telecommunications Security Framework.
The government has set out proposals to update the Telecommunications Security Code of Practice 2022. These updates are intended to help public telecoms providers protect UK telecoms networks and services in light of evolving threats and emerging technologies.
These proposed updates have been informed through reports provided by Ofcom, security advice from the National Cyber Security Centre (NCSC) and evidence from industry.
The government is currently analysing feedback from the public consultation on the proposed updates to the Code of Practice.
Previous Ofcom security reports
This is the second of these security reports provided by Ofcom. The first report, Ofcom security report for the period October 2022 to October 2024, was published in January 2025.