New security legislation in the UK is being implemented in response to an ever-changing cybersecurity threat landscape within the telecoms sector. It is expected to have a positive ripple effect beyond the UK’s shores as it shifts the sector toward stronger networks, more resilient to cyber-attacks.

About the UK’s Telecommunications (Security) Act

  • The Telecommunications (Security) Act (TSA) came into force in the UK on October 1st 2022.
  • The TSA grants powers to the Secretary of State to introduce a  Code of Practice (TSA CoP).
  • The TSA CoP details the majority of the technical requirements that operators need to comply with else they could face fines of up to 10% of company turnover.

The new TSA CoP indicates that the Gateway is a Network oversight function and is also usually a Security Critical Function. The following points apply,

  • (is) essential for the network provider to understand the network, secure the network, or to recover the network
  • are more likely to be targeted for a security attack and the impact of their compromise is greater.
  • best security practices should be implemented for network oversight functions.
  • providers should prioritise the analysis of the behaviour of network oversight functions
  • providers should normally assume network oversight functions to be subject to high-end attacks, which may not have been detected by the provider,
  • implement business practices which, by their nature, make it difficult for an attacker to maintain covert access to these functions.
  • establish secure platforms which implement trusted boot.
  • should be subject to an enhanced level of monitoring, including real-time monitoring.

Satisfying the TSA CoP with GCERT

In August 2022, IoTSF published the GCERT (certified gateway) router requirements for Internet Service Providers (ISPs), router manufacturers, and end users. The GCERT provides a collation of the top internationally recognised requirements, 88 in all. As such, we can see that the GCERT can help an organisation to meet its obligations in regard of the TSA and are therefore mapping it to the TSA CoP (an activity within the ManySecured® working group).

Our ongoing work on technical requirements has identified and developed a range of specifications which cover the TSA CoP requirements and can be viewed on the public webpage at

These specifications include a suite of inter-related functions which work together:

  1. Distributed Device Descriptors (D3)
  2. Device Events (monitoring)
  3. DCon (network control)
  4. Secure Usable Internet browser (SUIB) and
  5. The GCERT.

So what?

If this work is of interest to you please contact us as we’d be very keen to talk to you.

James Willison

By James Willison

Project and Engagement Manager

e: James.Willison(a)

t: +44(0) 7311 888295