On 12 May 2026, Ofcom published a consultation to update its procedural telecoms security guidance governing how it supervises telecoms providers and enforces compliance with their telecoms security duties. The aim of the updated guidance is to build on Ofcom’s enforcement experience following the implementation of the UK’s updated telecoms security regime three years ago. Ofcom’s proposals are designed to improve the consistency of security compromise incident reporting, especially for mobile services, and reflect the evolution of Ofcom’s enforcement approach which is designed to increase the resilience and security of UK telecoms networks, while ensuring that the framework remains practical and effective for industry and focuses attention on the areas of greatest risk.
The Telecommunications Security Act 2021 (TSA) amended the Communications Act 2003 and established a robust framework to safeguard public electronic communications networks and services across the UK. The TSA regime comprises a set of overarching security duties applicable to communications providers with the underlying security requirements further specified in a set of telecoms security regulations and a detailed telecoms security code of practice (which is also expected to be updated shortly). For further background, see our analysis on the UK Government’s consultation on updates to the Telecommunications Security Framework and our Telecoms and connectivity homepage.
Ofcom’s update is representative of a wider national focus on cybersecurity in recognition of the threats posed by geopolitical instability, and the rapid ascension of Frontier AI software, which has seen a shift towards a more interventionist and systemic approach to protecting critical infrastructure and services. In this regard we also note that Ofcom has published an industry alert on frontier AI. This has crystallised into tighter regulation, and industry is also anticipating the adoption of the Cyber Security and Resilience Bill later this year (currently in the House of Commons).
The King’s Speech (13 May 2026) also emphasised how the UK is operating in an “increasingly dangerous and volatile world” which necessitates “legislation to improve the country’s defences against cyber security threats”. This will be addressed in the anticipated Cyber Security and Resilience Bill.
What are some of the key proposals?
There are a number of proposed changes to Ofcom’s guidance but the key changes, include:
1. Major overhaul of incident reporting (especially for mobile networks)
Communication providers must report security compromises (incidents) to Ofcom which meet required qualitative and numerical thresholds. Urgent incidents need to be notified to Ofcom within 3 hours with a follow up report within 72 hours. Other non-urgent incidents need to be reported within 72 hours and there is also a monthly batched reporting requirement. Key proposals include:
- Introduction of standardised numerical thresholds for reporting mobile incidents, replacing operator‑specific definitions, based on the number of end customers and/or cell sites affected and the duration of outage.
- A lower threshold for “critical” incidents, reducing the trigger from 3 million to 1.5 million user‑hours lost, meaning more incidents will qualify as high‑severity.
- A clearer scale of incident severity (e.g. critical, major, moderate) to ensure more consistent classification across the sector, moving away from “urgent” and non-urgent” incidents.
It should be noted that Ofcom intends to add a clarification that incidents which have a significant effect on the operation of the network or service remain reportable even if they do not meet Ofcom’s criteria or thresholds as this is subject to the provider’s own assessment of whether the incident is significant.
2. New approach to rural incident reporting
- Treating a single failed cell site in rural or “most rural” areas as a reportable incident, even if the impact is geographically limited.
- Incorporating rural incidents into regular reporting (unless they meet higher‑severity thresholds requiring immediate notification)
3. More structured and proactive supervisory framework
- Formalising the frequency of information requests (e.g. moving to a 12‑month cycle for certain formal notices).
- Using assessment powers (e.g. inspections and audits) more routinely, rather than only in cases of suspected non‑compliance.
- Positioning on‑site assessments as an alternative to extensive written information requests
4. Greater clarity on reporting expectations and processes
- More detailed expectations on which security compromises must be reported and when.
- Clarification of communication processes between providers and Ofcom during and after incidents
- Personalised contacts – providers will need to have a dedicated direct contact person with Ofcom (tailored to a user’s name and location)
- Reporting templates – updates to the reporting template forms and bulk reporting forms.
Conclusion
Taken together the proposals demonstrate Ofcom’s drive to make security incident reporting obligations more transparent and provide greater clarity to industry to ensure that relevant incidents are reported. The framework is also designed to take a proportionate and risk-based approach whilst seeking to ensure that providers have relevant procedures in place to drive compliance.
The consultation is open until 4 August 2026.
For further information, please contact:
Anthony Rosen, Partner, Bird & Bird
anthony.rosen@twobirds.com
