Ofcom consults on updated telecoms security incident reporting guidance
On 12 May 2026, Ofcom published a consultation on proposed updates to its general Statement of Policy under section 105Y of the Communications Act 2003. The proposals focus on security incident reporting expectations for providers of public electronic communications networks and services, alongside changes to Ofcom’s approach to compliance monitoring. The consultation closes at 5pm on 4 August 2026 and Ofcom expects to publish a final statement in autumn 2026.
At a glance, the proposed changes include:
- Standardised mobile reporting criteria: Ofcom proposes to replace operator-specific mobile ‘major service failure’ reporting processes with common, quantitative criteria to improve consistency across providers.
- New infrastructure-based thresholds: proposed cell-site based triggers would require reporting where specified numbers of sites are affected, including tailored triggers for rural sites.
- Lower ‘critical’ threshold: Ofcom proposes reducing the threshold for ‘critical’ incidents from 3 million to 1.5 million user-hours lost and renaming severity categories to ‘critical’, ‘major’ and ‘moderate’.
- Expanded reporting templates and data: changes to the reporting forms and bulk templates, plus a proposed monthly RAN cell dataset submission for MNOs to support incident mapping.
- More proactive supervision: greater routine use of assessment notices and an updated approach to information notices.
Context
The Telecommunications (Security) Act 2021 introduced a strengthened framework to protect the security and resilience of UK public electronic communications networks and services. Providers are subject to security duties, including duties to report certain security compromises to Ofcom. Ofcom has a duty to seek to ensure compliance (s.105M) and must publish a statement of its general policy on the exercise of its relevant functions (s.105Y). Ofcom’s current Statement of Policy was published in 2022.
Ofcom states that it has now had several years of operational experience under the framework, including security information returns from around 40 providers covering more than 130 security measures, and incident reports from a wider set of providers. Drawing on that evidence and its reporting to Government, Ofcom considers that an update to reporting guidance and its monitoring approach is appropriate.
Key proposals
The proposed changes fall into three principal categories:
1. Reporting thresholds and criteria
Mobile – standardisation and new cell-site triggers
Ofcom proposes removing current mobile reporting processes based on each MNO’s internal definition of ‘major service failures’, which Ofcom considers has resulted in inconsistent reporting. In their place, Ofcom proposes a standardised set of criteria based on: (i) the number of end customers affected; (ii) the number of cell sites affected; and (iii) the duration of service loss or major disruption. Meeting any one of these thresholds would trigger a reporting obligation.
Ofcom proposes new infrastructure-based thresholds, including, for example, reporting where 25 or more cell sites in an urban or semi-urban area are affected for a specific duration, or where a higher number of sites are affected irrespective of duration.
Rural single-site trigger
Ofcom also proposes a rural threshold: a failure affecting one or more rural cell sites for eight hours or more would be reportable, reflecting the risk that a single site failure can isolate a community from mobile coverage (including access to emergency calls). This represents a significant departure from existing reporting approaches, which have not typically captured single-site failures in isolation. Ofcom proposes that rural cell site incidents may be reported via monthly bulk reports unless other quantitative or qualitative factors make earlier reporting appropriate.
Severity taxonomy and ‘critical’ threshold
Ofcom proposes reducing the threshold for ‘critical’ reporting from 3 million to 1.5 million user-hours lost, reflecting differences in subscriber base sizes (including across some Tier 2 MVNOs). Ofcom also proposes renaming severity categories from ‘urgent’, ‘non-urgent’ and ‘non-major’ to ‘critical’, ‘major’ and ‘moderate’ to align with common industry terminology.
Clarifications on specific scenarios
Ofcom proposes further clarifications on (among other matters) pre-positioning attacks, severe weather events, third-party dependencies, and incidents affecting emergency call access while roaming. Ofcom emphasises that providers remain legally responsible for compliance with reporting obligations and are expected to collect and report relevant information even where a third party (for example a host MNO) operates the network on which they rely. This is likely to have a significant impact on MVNOs that had been reliant on MNOs to report underlying network incidents.
This signals a shift towards more proactive and continuous regulatory supervision.
2. Reporting templates and data
Ofcom proposes changes to the ‘How to report’ form, including explanations of the categories used in the security compromise reporting template and clearer expectations for what a completed form should contain. For bulk reporting, Ofcom proposes adding new fields including third-party details, global cell IDs and a free-text ‘other notes’ field.
Ofcom also proposes that MNOs provide a monthly list of their Radio Access Network (RAN) cells, using a specified cell data reporting standard, to support accurate mapping and analysis of incidents.
3. Compliance monitoring
Ofcom proposes to evolve its supervisory approach by making greater routine use of assessment notices under section 105O as part of day-to-day supervision, rather than reserving them primarily as an escalation tool. Ofcom considers that, in some cases, an assessment notice may be less burdensome for providers than an information notice. Providers may take a different view on this assessment, and the consultation provides an opportunity to raise these concerns.
Ofcom also proposes adjusting the expected cadence of information notices under section 135 from around every nine months to around every twelve months, reflecting the time needed for providers to comment on draft questions and to compile responses (and more closely aligning with timings observed in practice).
Practical implications and next steps
If implemented, the proposals are likely to increase the number of reportable incidents for mobile providers and require changes to internal monitoring, escalation and reporting workflows. In particular:
- Providers will need to ensure they can apply the proposed thresholds consistently, including tracking customer impact, cell-site impact and duration.
- Providers may need to invest in systems capable of capturing and aggregating data at cell-site level, including distinguishing between rural and urban sites.
- MNOs should assess the operational impact of the proposed monthly RAN cell data submissions and ensure appropriate data governance arrangements are in place.
- MVNOs and providers reliant on third parties should review information flows and contractual arrangements to ensure they can obtain data needed for timely reporting, noting that Ofcom’s proposals may significantly increase the compliance burden on providers that do not directly operate network infrastructure.
- Providers should anticipate more proactive supervisory engagement, including a potentially greater use of assessment notices.
More standardised and granular data may enable Ofcom to benchmark providers more directly, potentially increasing the likelihood of follow-up engagement or enforcement where a provider appears to be an outlier.
While Ofcom’s impact assessment suggests limited additional cost overall, providers may consider that the operational and systems changes required, particularly for mobile providers, are more significant in practice.
Communications providers and other stakeholders should consider engaging with Ofcom during the consultation period, including on the practicability of the proposed thresholds and reporting data requirements. Responses must be submitted by 5pm on 4 August 2026.