AdobeStock_318563781 (1)

The UK Telecommunication Security Act (TSA): When Life Gives You Lemons, Make Lemonade

April 8, 2024
Written by
Ed Bailey's Image

Ed Bailey is a passionate engineering advocate with more than 20 years of experience in i... Read Morenstrumenting a wide variety of applications, operating systems and hardware for operations and security observability. He has spent his career working to empower users with the ability to understand their technical environment and make the right data backed decisions quickly. Read Less

Categories: Learn

On October 1, 2022, the UK Telecommunications Security Act (TSA) went into effect, imposing new security requirements for public telecom companies.

The purpose of the act is noble, as it wants to ensure the reliability and resilience of the UK telecommunications network that underpins virtually every aspect of the economy and modern society.

But for many telecommmunications providers, hardware, and software vendors are wondering how this act will affect their business in the long and short term. The rules can seem complex or unclear, and many companies are worried about investing significant time and effort into this new compliance requirement. The TSA can seem like yet one more regulation that consumes time and resources and does not benefit your business. But I’d like to give you a different perspective where the investment required by the TSA can be more than just make work and a path towards business transformation. It is important to make the required investment a benefit to your business instead of just one more compliance requirement your business needs to meet to stay out of trouble.

The Code of Practice

The Department for Digital, Culture, Media and Sport published the Telecommunications Security Code of Practice (The Code), based on technical content drafted by the National Cyber Security Centre. This document includes some 258 line items of technical guidance measures for providers that cover critical areas of their operations, including network management, monitoring and analysis, supply chain, and more. These measures set the guidance for security, putting everyone on the same page.

While the Code also provides some recommended guidance for meeting the measures, the end result is what matters most. Providers don’t have to follow the Code of Practice recommended protocols to the letter; they just have to prove to the sector regulator, Ofcom that their approach to the measures delivers the desired outcomes.

The Deadlines

Aside from the scope, the next biggest item for players in this space is the deadlines.

  • Tier 1 providers (annual revenue over £1bn) – must implement the first batch of requirements by March 31, 2024.
  • Tier 2 providers (annual revenue over £50m) – have another year, until March 31, 2025
  • Tier 3 providers, including small businesses and micro enterprises, are not expected to follow the measures in the Code, except for networks or services they supply to higher-tier providers.

You might find TSA compliance overwhelming to understand and then implement in your environment. Many providers will struggle to devote the necessary expertise and resources to it, especially when they’re already operating on tight margins with lean teams. This invites delay, but non-compliance has very high penalties, so you should to build compliance into your overall business strategy. Use this moment to move your business forward toward a more modern technical platform with sustainable security practices.

The Business Case for Compliance

Along with avoiding regulatory fines and penalties, aligning with TSA requirements sooner rather than later has these benefits:

  • Modernize your technical platforms – Invest in your platforms and replace old, out of data platforms to bring your systems into TSA compliance. Make a material investment in cloud computing to give your systems the flexibility to scale as required to meet your needs.
  • Modernize your data strategy – Everything begins and in ends with your data. Put in the effort and resources to treat data as an asset to improve observability and security visibility enterprise wide.
  • Build a culture of cyber resilience – it is a matter of when not if your enterprise will experience a cyber incident. Build your systems so that ongoing business will not be impacted by an incident. Plan for failure to sustain your business regardless of external events.

There’s a good business case for making your network the one that prevents the most incidents, survives the worst, and still serves your customers. As a world gets more disrupted by weather and security incidents, a culture of resiliency and security becomes your selling point.

A Roadmap for Success

Finally, you are probably wondering how even to start achieving TSA compliance by the applicable deadline. Here’s a five-step program to get your enterprise headed on the right track :

1) Plan – Don’t wait another minute. Begin assembling a roadmap and milestones immediately. A year goes by quickly, and with so many conflicting priorities, time can quickly get away from you.

2) Define your scope, small bites drive success – Identify which of your systems and operations are subject to the regulation. This will help you prioritize and avoid unnecessarily biting off more than you can chew. Start small and

3) Review your cybersecurity program and cover gaps – If you don’t know what you have, you can’t verify or defend it. All of those systems, hardware, and complex integrations you’ve accumulated over the years? Start with understanding your attack surface and asset programs so you can make you sure you know what you have and its context.

4) Examine your supply chain and procurement practice – With 80 Code of Practice measures related to supply chain validation, supplier assurance is fundamental to achieving compliance. You’ll need to identify and develop a system for verifying and managing them appropriately.

5) Work with your partners – Resource allocation will be one of the toughest parts of TSA compliance for most companies. Work with a partner who can help you where you need them, such as interpreting the regulations and understanding your scope and posture versus the measures.

Together you should then develop a roadmap for improvement and innovation. This will help you achieve the appropriate level of compliance by the deadlines outlined for your tier.

Next Steps

The TSA requires telecommunications providers to enhance their cybersecurity practices. If you have questions about the details, know that you’re not alone. At Cribl, we specialize in addressing the toughest aspects of cybersecurity, security operations, and security data. We are here to support you throughout the process.

To take Cribl’s software for a spin with zero friction, try our free, hosted Stream Sandboxes. I’d love to hear your feedback; after you run through the sandbox, connect with me on LinkedIn, or join our community Slack, and let’s talk about your experience!


Cribl, the Data Engine for IT and Security, empowers organizations to transform their data strategy. Customers use Cribl’s suite of products to collect, process, route, and analyze all IT and security data, delivering the flexibility, choice, and control required to adapt to their ever-changing needs.

We offer free training, certifications, and a free tier across our products. Our community Slack features Cribl engineers, partners, and customers who can answer your questions as you get started and continue to build and evolve. We also offer a variety of hands-on Sandboxes for those interested in how companies globally leverage our products for their data challenges.

Feature Image

Cribl Packs a Punch: Unpacking the Integration with Microsoft Azure Sentinel with Cribl Source and Destination Packs

Read More
Feature Image

Tackling the Unsustainable Skills Challenge in Cybersecurity and Observability

Read More
Feature Image

Finding a Better Way to Work in the Cloud!

Read More

Try Your Own Cribl Sandbox

Experience a full version of Cribl Stream and Cribl Edge in the cloud with pre-made sources and destinations.


So you're rockin' Internet Explorer!

Classic choice. Sadly, our website is designed for all modern supported browsers like Edge, Chrome, Firefox, and Safari

Got one of those handy?