
No matter how frustrating they are, regulations are there for a reason

For the UK telecommunications sector, the Telecommunications Security Act (TSA) is one of those pieces of legislation providers need to abide by. Introduced in 2022, the Act granted the government powers to create regulations around specific security measures. It’s down to Ofcom to oversee proceedings and make sure providers stay compliant with the established framework.

This, for Gamma’s Managing Director for Service Providers Mike Mills, is a “really big deal.” It’s why Dave Williams, Gamma’s Group Commercial Director, and Gamma Chief Information Security Officer Amy Lemberger were asked for their insights on the TSA. Their expertise around compliance is integral for any service provider who needs to take stock of their own regulatory obligations.

The finer details

First things first – what exactly is the TSA?

The TSA was initially brought in following the publication of the Telecoms Supply Chain Review Report in 2019. From this report, it was concluded that there was a need to “pursue a new, robust security framework for telecoms.” The threats faced by this critical infrastructure network meant necessary steps had to be taken to bolster its security.

Amy mentions how the TSA grants Ofcom the powers to “effectively penalise us or fine us” if appropriate security controls aren’t in place. It’s a welcome addition to the sector, especially as poor security, and the impact it has, is a huge problem.

For Dave, the increasing complexity of supply chains makes the challenge of managing security even more pressing. The TSA aims to grant the government, particularly the Secretary of State, more power to mark out vendors that aren’t “allowed to be in your network.” These Designated Vendor Directions mean service providers have to think carefully about “what kit [they] run in their core network.”

If you needed an example, think Huawei and their removal from the UK’s 5G network. When the US government banned Huawei, providers were effectively given a fund to “rip it out” and replace it. In the UK, there’s no fund – all providers are given is that notice around removing Huawei’s kit from those networks.

Never break the chain

These notices and directions give service providers plenty to think about when it comes to building their networks. Kit sourced from a company that appears in a notice now, or in the future, will impact the value of a business. Dave notes how buyers will see that “there’s a piece of work now to rip that kit out”, which impacts both business and security valuations.

This, from Amy’s own experience, has brought multiple stakeholders together to “actually put this in place.” The likes of technologists, legal teams, and commercial specialists have all put their heads together to make sense of everything. That sort of scenario has been “interesting… and complicated.”

What the TSA has also done is place more focus on vendor security. There’s now a conscious effort to see which parts of the network can “be accessed from the outside world.” Dave advocates for a clear separation between a network’s core components, the Operations Support Systems (OSS) and the Business Support Systems (BSS).

That corporate estate “[needs] to be separate again”, according to Amy. While it could create “air gaps” that vertical threat actors could access, there needs to be confidence in that wider supply chain. Suppliers need to be compliant with the conditions.

As Dave says, “you’re only as good as your weakest link in the chain.” There needs to be a “level of rigour and security and governance” in that supply chain. Procurement teams must work hard to confirm that compliance.

Tiers and spend

This framework also sets out the different tiers that providers fall under. Based on their “commercial scale”, the tiering system sets out the various expectations placed on providers. The system consists of three levels:

  • Tier 1: Providers with a turnover of £1 billion or more.
  • Tier 2: Providers with a turnover of £50 million or more, but below £1 billion.
  • Tier 3: Providers with a turnover of below £50 million, but not a ‘micro-entity’.

Regardless of the tier, “the law applies to everyone.” Dave mentions how Ofcom, with their unrivalled enforcement powers, “clearly prioritise the big networks first.” Considering Tier 1 providers had to complete the first set of TSA measures by 31st March 2024, that’s certainly the case.

The main difference, in terms of requirements and complexity, is that “level of scrutiny.” Tier 1s have had those controls in place for over a year, while Tier 2s have only had them since 31st March 2025. Those measures extend to those suppliers that make up a provider’s own supply chain.

But there is a “catch 22” – any non-Tier 1 provider that supplied services to a Tier 1 would have to “level up their own supply chain.” It would be interesting to see how that has worked out, especially when taking that “flow down effect” into account.

Notice the notice

Mike’s role, unsurprisingly, means he converses a lot with various service providers. In his conversations, he’s found it “staggering” how some are “blissfully unaware” of the TSA.

Section 135 of the Communications Act, as Dave points out, grants Ofcom powers to request specific information from a provider. These legal audit notices have now been issued to all Tier 2 providers, or at least as far as Amy is aware. Either way, “the review and scrutiny is definitely on Tier 1.”

What this does mean is that, regardless of whether they receive a notice or not, providers are “in scope.” The risk is getting noticed and revealed to be “in a mess.” Ignorance isn’t a great defence, and service providers risk devaluing their business.

Anyone interested in due diligence is bound to ask about TSA compliance. “Not having an answer would be a problem”, as Dave says.

“A variety of journeys”

Every service provider is unique. Classic managed service providers (MSPs), resellers that transition to small network operators – there’s quite a mix. For any public electronic communications service (PECS) and network (PECN) providers, these data regulations need to be studied in full detail.

Gamma works with lots of different PECS and PECN providers that may not know that they’re “in scope.” If they have desires to expand their services and build their own network, Ofcom must be in the know. Mike’s advice is simple: “you need to look at this… you need to get on top of [this].”

While “expensive… time consuming and complicated”, compliance should never be an afterthought.

Gamma and the TSA

As a Tier 2 provider, Gamma is fully aware of the ins and outs behind the TSA. Amy outlines the audits conducted under Section 135 and the work being done on the scope of Gamma’s products. Portfolio-wide control allows Amy to “do the control… understand if it’s there” and then risk assess around putting it in place if necessary.

Having a broad portfolio introduces some complexity. There are different ways to do the controls and the work, which is “one gap” to overcome. Interpretation over what to do and not how to do it creates that complexity over what’s expected of a provider.

Amy rightly says that the TSA isn’t just a tick box exercise. Providers need to interpret the document and understand what needs to be done per product.

Staying aware

In the large enterprise space, Dave highlights a “general sort of misconception” over TSA compliance. Everyone is on that compliance journey, and nobody is above the law. What matters is that everyone remembers that they’re on that journey.

From Gamma’s perspective, being on that journey means engineering, product and risk teams “end up talking the same language.” It’s been positive from a cultural standpoint, and regular cadence meetings mean all the “basic stuff” is covered. Fixing problems, roadmaps, new releases and features – nothing is missed.

This “gating process”, for Dave, is now fully integrated into that normal product process.

Any questions?

It’s government regulation, so of course there are questions.

For any Gamma partners in the service provider space, the door is always open. The TSA and that compliance journey is one shared by everyone in the industry. While Gamma can’t provide that concrete regulatory advice, we can share experiences as part of that wider, deeper partnership.

Keep an eye on those supply chains, and make sure compliance is always top of mind. There’ll always be gaps and unknowns, but it’s integral to know where those gaps are. It’s the best way to stay compliant.