Ofcom security report for the period October 2024 to October 2025
Published 6 March 2026
Ofcom’s 2nd security report to DSIT Secretary of State in accordance with section 105Z of the Communications Act 2003.
Ofcom sent the report to the Secretary of State on 18 December 2025.
Overview
This is Ofcom’s second telecommunications security report, covering the period 1 October 2024 to 30 September 2025. It sets out communications providers’ levels of compliance, the actions Ofcom has taken, and our intended regulatory approach for the year ahead.
The security and resilience of the UK’s communications networks are critical to national security, economic stability, and public confidence. As digital connectivity underpins essential services, commerce, and emergency communications, robust protections against cyber threats and operational failures are vital to safeguarding the country’s infrastructure and ensuring people can rely on uninterrupted, secure services.
The cyber threat landscape is constantly evolving, driven by geopolitical tensions, technological advancement, and society’s increasing reliance on digital infrastructure. These threats cross national boundaries and affect a wide range of companies – providers and suppliers, large and small. Everyone has an important role to play in fortifying networks and services, and repelling attacks.
Over the past year, the government has published strategic plans to bolster the nation’s cyber resilience. The Modern Industrial Strategy highlighted cyber security as an enabler of growth, and the Strategic Defence Review called for a ‘whole-of-society’ approach to security, as the threats faced are increasingly affecting people’s day-to-day lives.
Working alongside the government and telecoms providers, Ofcom aims to improve the levels of resilience to cyber attacks and other risks across the telecoms sector. As an independent regulator, we achieve this through engaging directly with providers, monitoring their compliance with the security duties[footnote 1] and the implementation of appropriate risk management practices.
In our report last year, we found that telecoms providers were in the initial stages of their security improvement programmes. This is because the measures in the Government’s Telecommunications Code of Practice (the ‘Code’) are due for implementation between 31 March 2024 and 31 March 2028. We found early evidence of significant investment among providers. However, given the early stage of implementation, we also raised a number of questions, and heard concerns from smaller providers who faced financial difficulties in complying.
The telecoms providers are now approaching the halfway point of the implementation timeline for the Code measures, with the last due date being 31 March 2028. This year, our report sets out areas where we have seen good progress as well as issues emerging from our monitoring that we will explore further over the year ahead.
Developments in 2024-2025
Over this reporting period, Ofcom continued its programme of supervision over 38 large and medium providers. We have assessed implementation of the first 67 measures in the Telecommunications Code of Practice[footnote 2] (of a total of 258) and have issued a third information notice, with responses due in early 2026, covering a further 64 measures.
We use our information gathering powers to develop a baseline understanding of providers’ levels of compliance with their security duties. This year, we have seen continued improvement, including around better management of legacy and end-of-life assets, regular restoration testing of backup systems, and growing maturity of incident management practices.
However, we also identified 3 areas where providers appear to be struggling or failing, which we will prioritise in our supervision over the coming year. We do not consider these findings serious enough to warrant opening compliance investigations, but we will monitor them closely:
- Where regulated providers supply other regulated providers, we have seen some evidence that providers are failing to apply relevant supply chain security measures. This seems to be occurring for several reasons, such as the supplying provider being unwilling to enter into the necessary oversight arrangements, or the purchasing provider having too much trust in the security of their supplier.
- Several large and medium-sized providers are finding meaningful security testing of new equipment or services uneconomic or impractical prior to agreeing a contract. The Code stipulates that some of this testing should occur before contracts are signed to ensure that providers understand if deployment of the equipment adds unacceptable risks to the network or service.
- Some providers seem likely to miss the expected implementation dates for early Code measures around identity and system access management. In some cases, this may be because providers are implementing longer term, ‘strategic’ security solutions that they anticipate will address these measures, but these will only be fully delivered later in providers’ improvement programmes.
Providers must report significant security compromises to Ofcom. This year, reports of incidents relating to resilience fell significantly (616, down from 1518 last year). On initial review, a significant proportion of this reduction is explained by progress in the transition from the copper Public Switched Telephone Network (PSTN) to the newer, fibre-enabled Voice over Internet Protocol (VoIP).
Cyber incident reports remain low (9, compared to 8 last year). We are undertaking further work to understand if this reflects reality, given the current state of cyber security. We plan to consult on reporting thresholds in 2026.
This year, the key threat targeting UK telecoms infrastructure was Salt Typhoon, a China-based hacking group. The group executed an 80-country espionage sweep, exploiting supply chains and in-service legacy systems. Ofcom worked closely with DSIT, the National Cyber Security Centre (NCSC) and providers on the response. In 2026, we will continue to work together and ensure appropriate lessons are learned and deployed in our regulatory work.
While we did not use our enforcement powers under the Telecommunications (Security) Act this year, we issued 2 penalties for resilience breaches, under the General Conditions: Vonage (£700,000 for failure to ensure uninterrupted emergency access) and Gigaclear (£122,500 for breach of resilience obligations). In addition, we engaged directly with one provider that fell short of Ofcom’s expectation in the quality of its responses to our information notices.
Over the next year, we will:
- Explore key issues we have identified in our Code monitoring programme, such as supply chain issues, security testing practices and implementation of identity and system access management measures.
- Enhance our approach to supervision, by exercising our broader powers of inspection and targeted testing to verify compliance and act swiftly on breaches.
- Consult on incident reporting thresholds, to ensure they remain fit for purpose and reflect technical developments in the sector.
- [REDACTED].
Across our portfolio, we will work to support growth and innovation in the sector, by carefully balancing our requests to ensure we help to provide conditions that enable the sector to grow, innovate and provide the best possible service to consumers.
Ofcom’s implementation of the Telecoms Security Act
Following the publication of the 2019 Telecoms Supply Chain Review, the government developed a new security regime for telecommunications providers. On 1 October 2022 the Telecommunications (Security) Act 2021 (the ‘Security Act’), which amended the Communications Act 2003 (‘the Act’), and the associated Electronic Communications (Security Measures) Regulations 2022 (the ‘Regulations’) came into force. These placed new security duties on providers of public electronic communications networks and services (PECN/S). Ofcom is the regulator responsible for monitoring and enforcing compliance with these duties.
Procedural guidance
We published procedural guidance in December 2022 following consultation. This serves as a statement of our general policy on how we will exercise our powers to ensure compliance with the security duties,[footnote 3] and also provides guidance for companies.
In particular, it explains the procedures that we expect to follow in carrying out our monitoring and enforcement activity. It also provides guidance about which security compromises we generally expect providers to report to Ofcom and the process for doing so.
As we reported last year, our monitoring work has continued to progress broadly in accordance with this approach.
We are currently in the process of updating our procedural guidance, to reflect proposed changes to incident report thresholds, and will consult on this in 2026.
Network and service resilience guidance
Last year, we published revised network and service resilience guidance relating to ‘resilience incidents’ – security compromises where the availability, performance or functionality of networks or services are affected. This guidance should be read in conjunction with the Code. We use this guidance as a point of reference for our activities in relation to incidents reported under section 105K of the Act.
Our resilience guidance sets expectations on measures including the provision of power backup for communications networks. We identified a potential gap in our guidance relating to the power resilience of Radio Access Networks (RAN) and have been examining this subject further. The following section outlines this initiative to date.
Power resilience in mobile radio access networks
In February 2025, we published a report on Mobile RAN power resilience, with a confidential version shared with DSIT. It reviewed the responses to our Call for Input, summarised comparisons of approaches adopted in other countries and presented the findings from our own analysis based on information provided by mobile network operators (MNOs).
Our report noted the cross-sectoral nature of the challenge and the need for further work. We are now seeking to better understand where mobile masts with power backup are located, and what mobile coverage they provide. This will inform the review of our resilience guidance to ensure it remains fit for purpose.
Other activities
Update on Tiering
To ensure security risks are mitigated proportionately, the Code of Practice includes a tiering system which sets out the different expectations on public telecoms providers. This splits the providers into 3 tiers, based on their commercial scale.
As of 30 September 2025, the number of providers in each Tier is as follows:
| Tier | Turnover | Number of providers |
|---|---|---|
| 1 | Relevant turnover in the relevant period of more than £1 billion | 7 providers |
| 2 | Relevant turnover in the relevant period of more than £50 million but less than £1 billion | 31 providers |
| 3 | Relevant turnover in the relevant period of less than £50 million | Providers in Tier 3 are not expected to follow the Code.[footnote 4] |
In accordance with the approach set out in the Code,[footnote 5] we reassess which providers are in Tier 1 and Tier 2 annually. Providers move to a new Tier when their relevant turnover has met the relevant turnover threshold for the new Tier for 2 consecutive years.
During the current reporting period, due to such changes in relevant turnover, 3 providers entered Tier 2 from Tier 3, and one provider has moved from Tier 2 to Tier 3 and hence fallen out of our Code monitoring programme.
The Code gives dates by which providers should implement different measures. However, these do not make provision for new entrants to Tier 1 and 2 (for example, by allowing them extra time to implement measures for which the due dates have already passed). In the interests of practicality and proportionality, we are requesting information from these companies about adoption of Code measures over multiple years. We are working to ensure this process is as smooth as possible and enables us to understand Code adoption for these new Tier entrants as quickly as possible.
Code monitoring findings
A key part of Ofcom’s responsibilities under the Act is fulfilled by our programme to monitor the adherence of Tier 1 and Tier 2 providers to the Code.
We continue to use our Code monitoring programme to build a baseline understanding of the approach providers are taking to meet their security obligations.
As expected and broadly set out in our Procedural Guidance,[footnote 6] we have now completed 2 rounds of information requests, covering the first 67 Code measures, out of a total of 258 measures. These include technical measures to secure the management plane, the signalling plane, and third-party supplier relationships. They also cover business processes, for example around risk management.
During the reporting period, we also sent out the information request for our third round. The responses to this request are due back early in 2026, and will cover an additional 64 Code measures, associated with third party security and customer premise equipment.
Providers’ progress over the last year
Overall, we have found that providers are making progress in implementing the Code measures and we have noted particular improvement in a number of areas:
Better management of legacy and end-of-life assets
Asset management is a prerequisite of the effective management of any network or service. Without a full understanding of their assets, providers cannot secure them. In general, the providers appear to be managing and keeping track of ‘end of life’ equipment, including recording any risks associated with in-use equipment. The Security Act has, in many cases, led providers to operationalise this more effectively than they may have otherwise done.
Regular restoration testing of backup systems
Backups are an essential component of a resilient and highly available network or service. On top of the technical measures set out in the Code, around half of the Tier 1 providers perform regular restoration testing of their backups to ensure they are functional and the data is valid when required.
We note the ongoing work by several providers to uplift existing backup solutions to ensure they are immutable, meaning that backup copies cannot be changed. Non-immutable backup solutions could be vulnerable to ransomware attacks and become encrypted or deleted.
Growing maturity of incident management practices
Incident management refers to the structured approach telecom providers take to detect, contain, respond to, and recover from security compromises affecting their networks and services. It encompasses the processes and protocols that ensure swift identification of incidents, clear assignment of roles and responsibilities, and effective mitigation to minimise impact. Robust incident management is critical to maintaining service continuity and resilience, especially in the face of cyber threats or operational disruptions.
In general, providers have established frameworks that include priority matrices and escalation procedures. The majority of Tier 1 providers collaborate with intelligence-sharing groups such as Global System for Mobile Communications Association’s (GSMA) Telecommunication Information Sharing and Analysis Center (T-ISAC) or the NCSC’s Share and Defend platform to share lessons learned from incidents.
Concerns emerging from Code monitoring
In our Code monitoring work this year, we have identified issues in 3 key areas which we will closely monitor. Currently, we do not consider these findings serious enough to warrant opening compliance investigations; however, we will keep this under review as we continue to engage with providers.
Providers acting as suppliers to other providers
Almost a quarter of Code measures relate to the issue of providers reducing security risks that can arise from their supply chain. We see evidence that just under 50% of Tier 1 and 10% of Tier 2 providers may not be properly applying these measures in cases when a supplier is itself a regulated telecoms provider.
This seems to occur for several reasons, and we have particularly observed it in 2 scenarios. First, where the supplying provider is unwilling to enter into the necessary oversight arrangements [REDACTED]. Second, where the purchasing provider appears to have too much trust in the security of their supplier, most notably with evidence of MVNOs not fully applying third party security measures to the MNO on which they rely.
The Telecoms Security framework imposes obligations on providers of PECN/S, and does not place any obligations on their suppliers. Instead, PECN/S providers are required to properly manage their suppliers, regardless of whether those suppliers are themselves a PECN/S provider or not.
We published guidance in October this year to clarify our expectations of providers purchasing services from other providers, and have highlighted this to all Tier 1 and 2 providers. We aim to further understand the application of contractual clauses across industry over the coming year. In addition, we will undertake further work in 2026 to understand the degree of oversight between providers where one is a supplier of the other.
[REDACTED].
Pre-contract equipment testing
Over 50% of Tier 1 and 25% of Tier 2 providers appear to find meaningful security testing of new equipment prior to contract award uneconomic or impractical. They do appear to be doing some types of testing, but in most cases only after awarding the contract to a supplier.
Providers should complete due diligence to ensure equipment being purchased does not have any major vulnerabilities or wider security issues at that time. By not noticing supply chain vulnerabilities, providers are widening their attack surface which could lead to a security compromise. To address this, and in response to the relevant Code measures, some of these providers are developing in-house testing capabilities.
[REDACTED].
Over the next year, we will work to better understand the extent to which testing is occurring, and whether alternative measures are being taken, such as ensuring that security testing always occurs before deployment into the live environment and that identified issues are fixed. This will allow us to determine whether there are any compliance issues which need enforcement action.
Identity and Access Management
Identity and Access Management ensures that only those with proper authority can access and make changes to systems. This protects these systems from being attacked via the same mechanisms used to manage and maintain them. As set out in the Regulations[footnote 7] and in the Code,[footnote 8] providers are required to change default passwords. Where this is possible, we are seeing an uptake in the use of automation.
We are also aware that more than 50% of Tier 1 and Tier 2 providers appear to have strong multi-factor authentication (MFA) implementations across their critical functions, through a combination of hardware- and software-based tokens such as Microsoft Authenticator. Although there are areas where MFA has not been implemented, suitable mitigations are in place, such as segregation and bastion hosts.[footnote 9]
However, more broadly, around 50% of Tier 1 and 10% of Tier 2 providers are likely to miss the expected implementation dates for Identity and Access Management Code measures. In some cases, dates may be missed because providers are implementing longer term ‘strategic’ security solutions which will be fully delivered later in their improvement programmes.
We will be closely monitoring the implementation progress for their ‘strategic’ security solutions, including the reasoning behind any delays in implementation and will take enforcement action if necessary.
[REDACTED].[footnote 10]
Security compromise reporting
Providers must report significant security compromises to Ofcom. This includes incidents where a security compromise impacts the availability, performance or functionality of the network or service (what we define as ‘resilience incidents’) or there is an impact on the confidentiality and/or integrity of the network or service (what we define as ‘cyber security incidents’).
Our procedural guidance sets out our interpretation of a “significant” security compromise and, accordingly, the reporting thresholds for both resilience and cyber security incidents. Next year, we will consult on updates to our guidance which will focus on incident reporting expectations, including updating thresholds for mobile providers.
During the reporting period (1 October 2024-30 September 2025), we received a total of 625 incident reports of which there were 9 cyber security incidents and 616 resilience incidents. This is lower than the total of 1526 incidents reported between 1 October 2023 and 30 September 2024. We discuss the reasons for this reduction further below.
Table 1: Year on Year comparison of reported incidents
| Reported incidents | 2023-2024 | 2024-2025 |
|---|---|---|
| Resilience | 1518 | 616 |
| Cyber | 8 | 9 |
| Total | 1526 | 625 |
Source: Ofcom analysis of provider data (1 Oct 2023-30 Sep 2024 vs 1 Oct 2024-30 Sep 2025)
In our annual Connected Nations report, we also publish additional information about reported incidents, including volume and root cause annual trends. The 2025 edition covers resilience notifications between September 2024 and August 2025 – the first 11 months of the Reporting Period.
Resilience incidents
We define resilience incidents as those where the availability, performance or functionality of the network or service is compromised by non-malicious causes. These may be the result of external factors (for example, floods, cable cuts or power cuts) or internal factors (for example, hardware failures, operational process errors, or network design flaws).[footnote 11]
In line with last year, resilience incidents continue to account for the vast majority of reports, rather than cyber security incidents.
We received a total of 616 resilience incident reports in this reporting period compared to 1518 reports received between 1 October 2023 and 30 September 2024.
In line with previous years, the majority of incidents were attributed to 1 of 2 root causes:
- System failures, for example hardware failures, design errors, and faulty network changes.
- Third-party failures, for example street works causing cable damage, or failed backhaul circuits from wholesale providers.
The root causes used to categorise incidents are broad. Figure 1 below shows the number of incidents by the primary cause reported to us.
Figure 1: Primary causes of resilience incidents during the Reporting Period
Source: providers’ reports of incidents on their regulated networks/services (1 Oct 2024-30 Sep 2025).
Many smaller incidents reported to us this year were resolved either automatically or via remote resets. While we still expect providers to submit a report, the quick resolution means that they are not required to include more detailed analysis in their report to us. We have shown these as ‘no cause provided’.
This year, the number of reported resilience incidents dropped significantly, driven by multiple factors, including a change to some providers’ incident prioritisation categories.[footnote 12] We also understand from discussions with providers that a significant proportion of this reduction is explained by progress in the transition from the copper Public Switched Telephone Network (PSTN) to the newer, fibre-enabled Voice over Internet Protocol (VoIP). This is because, as customers migrate off the PSTN, incidents on that network affect fewer customers and so more often fall below our reporting thresholds. Providers also point to ongoing improvements across the industry that have further reduced report volumes.
Cyber security incidents
As per the reporting obligations in the Telecoms Security Act, a reportable cyber security incident can take one of 2 forms:
- An attack which significantly affects the operation of the network or service.
- An attack which establishes a foothold for the attacker to commit a further cyber security incident that would have a significant effect (known as ‘pre-positioning’).
Since our last report, we have completed some further analysis of cyber security incidents reported to us in the first reporting period (1 October 2022-30 September 2024). In most cases, providers appear to respond quickly to anomalous activity once detected.[footnote 13] However, we did see evidence that some providers are not promptly applying patches, which allowed attackers to exploit vulnerabilities. In addition, at least one provider inadvertently blocked legitimate traffic when responding to a cyber security incident and activating its defences. If we see a repeat of any of these issues, we will engage further with these providers and consider next steps.
Beyond their incident reporting duties, some providers are sharing findings from their cyber threat intelligence work with us, which suggests increasing cyber maturity in the sector.
Summary of cyber incident notifications received during the Reporting Period
Between 1 October 2024 and 30 September 2025, we received 9 cyber security incident reports, of which 6 were submitted by Tier 1 providers and 3 by Tier 2 providers. 4 of the 9 reported incidents were likely to have fallen below the thresholds that we consider trigger the mandatory reporting requirement. The causes of the reported incidents included Distributed Denial of Service (DDoS), ransomware, zero-day vulnerabilities, and compromised accounts.
Overall, providers appear to have good mechanisms in place with their third parties to ensure they receive the required support to resolve cyber security incidents in a timely manner.
Pre-positioning attacks
Pre-positioning attacks are those where an attacker successfully compromises the security of a system and gains a foothold within it, such that they could use it to have a significant effect on the operation of a network or service in the future.
These attacks are likely to indicate an unaddressed security risk, and so it is important that providers report them so that we can assess whether they are meeting their security duties. In our report last year, we stated providers were generally less aware of the need to report these incidents.
We expect to consult on updates to our procedural guidance next year. As part of this, we will clarify our expectations around reporting cyber security incidents, including pre-positioning attacks.
State-linked actors – Salt Typhoon
This year, the global Salt Typhoon hacking campaign illustrated the danger of pre-positioning attacks, and the importance of providers having measures in place to detect them.
Salt Typhoon is the name assigned by Microsoft to Chinese state-linked hackers who have conducted high-profile cyber campaigns against critical national infrastructure around the world, particularly affecting United States telecommunications infrastructure. Salt Typhoon is one of a number of actors targeting telecoms; there may be others that present even greater risk.
Salt Typhoon’s campaign exploited a number of known vulnerabilities and in-service legacy equipment. This demonstrated how important it is for providers to implement basic cyber principles and configuration management to avoid potential serious negative outcomes. In collaboration with the NCSC, we contributed to the UK input to a technical advisory note[footnote 14] published by the US Cybersecurity & Infrastructure Security Agency in August, representing 13 partner countries.
In addition to working with DSIT and the NCSC we have engaged with the major providers, which highlighted that some providers’ threat hunting capabilities require further development. In partnership with the NCSC, we are working with providers to ensure they fully understand the risk and take appropriate action.
[REDACTED].
Duty for providers to inform users
Providers are required under section 105J to inform users whose networks and services may be adversely affected by a significant risk of a security compromise occurring. We are not aware of any instances during the Reporting Period where a provider has informed users, nor are we aware of any situations in which a provider should have but failed to do so.
In our procedural guidance, we explain that we do not consider providers need to notify users of vulnerabilities which are either unlikely to result in an actual security compromise, or even if they did, they would be unlikely to have an adverse effect on users. We also set out several other factors that providers should consider when they determine whether and how to inform users. As part of our procedural guidance consultation, we are considering adding further advice on this area.
Many providers do offer service status information to their users, often via their websites. These typically report on currently occurring service impacts and planned maintenance events, so are not likely to be directly relevant to this obligation.
Enforcement activities
The Telecoms Security Act extended Ofcom’s existing enforcement powers to apply to breaches of the new security duties. We explain our approach to using these powers in our published Regulatory Enforcement Guidelines for investigations. We also explain our approach to setting penalties in our published Penalty guidelines.
Enforcement activity
Resilience of 999 services
In our 2024 report, we set out how we had exercised our enforcement powers and found BT to have contravened section 105A(1)(c) of the Act and Regulation 9 of the Regulations by failing to take appropriate and proportionate measures for the purposes of preparing for the occurrence of ‘security compromises’ in its provision of Emergency Call Handling Services.
Last year, we also noted the opening of a compliance investigation into Vonage – also relating to emergency calling – after a security compromise was reported to us under the notification duty under section 105K. The case was opened to investigate Vonage’s compliance with sections 105A, 105C and 105K of the Security Act as well as General Condition A3.2(b). As a matter of administrative priority, our investigation prioritised the most serious concerns relating to emergency calling under General Condition A3.2(b). We concluded the case during this reporting period, finding that Vonage failed to take all necessary measures to ensure uninterrupted access to emergency organisations and that this was a serious breach of its obligations under General Condition A3.2(b). We issued a penalty of £700,000.
Within this reporting period, we also opened and concluded a case against Gigaclear relating to emergency calling, specifically the provision of accurate and reliable caller location information to emergency services. We found Gigaclear to be in breach of its obligations under the General Conditions and issued a penalty of £122,500. While this investigation was not conducted under our Security Act powers, it is aligned with our wider security work to ensure the resilience of services, especially emergency calling.
Building on these enforcement outcomes, we are conducting a compliance programme across the industry to ensure other providers are meeting their obligations relating to the availability of emergency calls.
Information gathering
After working through some concerns about the quality of responses to information notices from a small number of providers, we considered that one provider had fallen demonstrably short of Ofcom expectations.
We engaged directly with the provider, holding a focused compliance discussion with relevant management representatives and issued a written warning letter which set out our concerns and clear expectations for improved quality of information provision going forward.
Exercise of relevant powers
During this Reporting Period, in undertaking the enforcement activities detailed above, we have exercised our functions under the following sections of the Act:
- 96A, 96B, 96C & 97 – issuing enforcement notices and penalties
General observations on policy matters
This section examines a number of ongoing and emerging risks, and outlines Ofcom’s work with the government, the NCSC and the National Protective Security Authority (NPSA).
Particular risks of which Ofcom has become aware
Section 105Z(4)(f) requires us to include: “information about any particular risks to the security of public electronic networks and public electronic communications services of which Ofcom have become aware during the reporting period”.
In this section we provide an update on the risk around Global Titles (GTs) highlighted last year, alongside new risks we have become aware of during this reporting period. We also discuss the risk posed by Salt Typhoon in section 3 above.
Risk to telecoms signalling from misuse of Global Titles
Ofcom is responsible for the allocation of UK telephone numbers to mobile operators, who create GTs from some of these numbers. These GTs are used to send and receive signals that help locate and connect mobile phone users to networks and to one another and they support the provision of mobile services.
However, in the wrong hands, the access to the global mobile signalling system enabled by GTs can be, and has been, misused. For example, bad actors could intercept messages and calls, disrupt the operation of networks and track the location of users of other networks.
Following our consultation in July 2024 and further collaboration with the NCSC and our industry stakeholders to understand the threat posed and the options to mitigate, we published our statement in April 2025 which:
- bans leasing of GTs to third parties by operators that hold UK mobile numbers;
- bans third parties from creating or using GTs from sub-allocated numbers;
- contains new guidance for number range holders on their responsibilities to prevent misuse of their GTs, and strengthens our rules to prohibit the misuse of GTs by any operator that holds UK mobile numbers; and
- strengthens our rules to prohibit the creation and use of GTs from numbers not allocated for use.
These decisions make the UK a world leader in both defending our networks and people, and preventing others from misusing GTs to negative effect in the UK or abroad by enhancing the transparency and accountability of their actions. We note that the Crown Dependencies are considering aligning with our position.
Linked to this work, in our latest information notice for our Code monitoring programme we asked how providers are monitoring the usage of leased GTs. We are monitoring the migration that some providers are undertaking to new platforms to improve their ability to manage and monitor their leased GTs.
[REDACTED].
Vendor concentration in the UK telecom sector
There is a risk that vendor concentration (where the same vendors are being integrated into the providers’ PECN/PECS) could lead to increased exposure across providers. For example, Ericsson and Nokia are the 2 dominant vendors for mobile core infrastructure in the UK, with Ericsson replacing Huawei as the predominant vendor. This vendor concentration is occurring at varying points of the supply chain, including managed services and other telecom support services. This vendor concentration could lead to some of the following events, which would have a cross-sector impact:
- A design or implementation fault in any key products
- An exploited security vulnerability
- Financial issues
- Shortages in supplies of new equipment, spares or labour from the vendor
- Issues with third line support or maintenance
- Market exit by the vendor, or withdrawal of particular products
- Any future security concerns, for example that might lead to High-Risk Vendor designation and restrictions
We note the government’s response to the Telecoms Supply Chain Diversification Advisory Council report and will continue to support their work to diversify and secure the telecoms supply chain.
Ofcom’s work with government
Physical and personnel security
Technical security controls such as firewalls are essential to a strong security posture, but they are only one component. Physical and personnel security are also an intrinsic part of cybersecurity. Over the last year, there have been several examples of threats and damage to exchanges and fibre ducts.
Currently the Code does not explicitly recommend physical and personnel security controls that providers should implement. Instead, these are covered at a high level by the provisions under the Act and the Regulations.
We are seeking to understand from the Tier 1 providers how they identify and reduce the risk of operational (physical and personnel) security compromises and will reflect our findings in our third report in 2026.
[REDACTED].
Telecommunications Security Code of Practice
The Code notes that “the government intends to review and update the code of practice periodically as new threats emerge and technologies evolve.”[footnote 15] Ofcom’s Security Reports are one of the sources that will inform such updates.
We note that the government has consulted on revising the Code. We continue to work with the NCSC, the NPSA, and DSIT, drawing on our regulatory experience to help inform government’s approach to updating this guidance. We also note that the proposed changes to the Code include updating existing and introducing new measures. We are ready to adjust our monitoring programme as necessary to respond to any changes to the Code.
A1 matters to be included in security reports
Required contents of this report
Section 105Z(2) and (3) of the Act specifies that:
A security report must contain such information and advice as OFCOM consider may best serve the purpose … to assist the Secretary of State in the formulation of policy in relation to the security of public electronic communications networks and public electronic communications services.
Section 105Z(4) sets out particular matters to be addressed in the report. This annex summarises these matters, and in which section(s) and sub-sections of this report they can be found.
Table 1: Matters to be included in security reports
| 105Z | Matters to be addressed | Location in this report |
|---|---|---|
| (4)(a) | Extent of compliance with various provisions: s.105A-D - duties to take measures | Code monitoring findings |
| (4)(a) | Extent of compliance with various provisions: s.105I - explain failure to act in accordance with code of practice | Code monitoring findings |
| (4)(a) | Extent of compliance with various provisions: s.105J - informing users of risk of security compromise | Security compromise reporting; Duty for providers to inform users |
| (4)(a) | Extent of compliance with various provisions: s.105K - reporting security compromises to Ofcom | Security compromise reporting |
| (4)(a) | Extent of compliance with various provisions: s.105N(2)(a) and s.105O - compliance assessment notices | Code monitoring findings |
| (4)(b) | Extent of acting in accordance with Code | Code monitoring findings |
| (4)(c) | Security compromises reported under s105K | Security compromise reporting |
| (4)(d) | Ofcom actions in response to s105K reports | Security compromise reporting; Enforcement activities |
| (4)(e) | Extent and manner of Ofcom exercising various functions: s.105I - power to notify provider of failure to act in accordance with Code | Code monitoring findings |
| (4)(e) | Extent and manner of Ofcom exercising various functions: s.105L - powers to inform others of security compromise | Security compromise reporting |
| (4)(e) | Extent and manner of Ofcom exercising various functions: s.105M - general duty to ensure compliance | Ofcom’s implementation of the Telecoms Security Act; Code monitoring findings |
| (4)(e) | Extent and manner of Ofcom exercising various functions: s.105N-Q - compliance assessment notices | Code monitoring findings |
| (4)(e) | Extent and manner of Ofcom exercising various functions: s.105S-V - enforcement of security duties | Enforcement activities; Exercise of relevant powers |
| (4)(f) | Particular risks to security Ofcom has become aware of | General observations on policy matters |
| (4)(g) | Other information specified in a direction by the Secretary of State | General observations on policy matters |
Annex
Table: Primary causes of resilience incidents during the Reporting Period
| Primary causes of resilience incidents | Number reported (%) |
|---|---|
| Hardware failure | 275 (45%) |
| No cause provided | 154 (25%) |
| Cable problem/fault | 65 (10%) |
| Power cut | 54 (9%) |
| Other | 27 (4%) |
| Software error | 12 (2%) |
| Design error | 10 (2%) |
| Policy or procedure flaw | 7 (1%) |
| Faulty software change or update | 6 (1%) |
| Power surge | 6 (1%) |
Data for Figure 1: Primary causes of resilience incidents during the Reporting Period.
Footnotes
1. The duties imposed on providers by or under sections 105A to 105D, 105I to 105K, 105N(2)(a) and 105O of the Communications Act 2003, including under the Electronic Communications (Security Measures) Regulations 2022.
2. The Code of Practice sets detailed technical guidance on the measures providers should take to comply with their security duties. These are not binding on providers, but Ofcom is required to take them into account when exercising our relevant functions, as are the courts in any legal proceedings.
3. Under section 105Y of the Communications Act 2003, as amended by the Telecommunications (Security) Act 2021, Ofcom has a duty to publish a statement of our general policy with respect to the exercise of our functions under sections 105I and 105M to 105V of the 2003 Act.
4. Paragraph 0.13 of the Code.
5. Paragraph 0.15 of the Code.
6. Paragraph 3.27 onwards of: General statement of policy under section 105Y of the Communications Act 2003.
7. Regulation 8 – Prevention of unauthorised access or interference.
8. Measures 2.05 and 8.06 in the Code.
9. A special purpose machine on a network specifically designed and configured to withstand attacks.
10. [REDACTED]
11. Network and Service Resilience Guidance for Communications Providers.
12. Priority categories are used by providers primarily for their own internal incident management purposes, but they also often use them as the basis for filtering incidents which need to be considered for reporting to Ofcom. These categories define the severity of an incident, including the level of impact.
13. This relates to measure 16.21 in the Code.
14. CISA, Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide to Feed Global Espionage System, 27 August 2025.
15. Paragraph 0.30 of the Code.