
The UK telecoms regulator, Ofcom, has today proposed changes to “improve the consistency of security compromise incident reporting” (i.e. when broadband or mobile networks are disrupted by cyberattacks). The changes will, for example, alter how outages are reported for mobile networks in rural areas, recognising that outages in urban and rural areas affect users differently.
The new consultation reflects Ofcom’s learnings from the first few years of the previous government’s wider Telecommunications (Security) Act 2021 (summary), which was originally introduced to restrict the use of Huawei’s kit in UK mobile and broadband networks, while also imposing a variety of changes to make UK telecoms / communications networks safer from cyberattacks.
The law and Ofcom’s supporting Code of Practice (CoP) effectively handed significant new powers to the Government and Ofcom, enabling them to intervene in how telecommunications companies run their business, manage supply chains, design and even operate networks. This included a requirement for telecoms and network operators to report cyberattacks when they occur.
The new consultation proposes to update those reporting requirements, such as by recalibrating the thresholds and criteria Ofcom uses for reporting security compromises – adding new cell site-based and rural area thresholds for mobile reporting, and improving the structure, clarity and ease-of-use of its reporting form.
Ofcom Statement
Ofcom has today launched a consultation on proposed changes to its guidance for communications operators on reporting security incidents.
Under the Telecoms Security Act, these companies have certain responsibilities for helping to protect their infrastructure and what to do if a security compromise occurs, some of which can lead to service disruption.
Incidents can have a wide range of causes, including cyber attacks, major weather events and issues with technology.
As malicious actors are becoming more sophisticated, geopolitical tensions are on the rise and environmental challenges are routine, we are therefore proposing to update our guidance for industry.
This will ensure there is more clarity about what incidents need to be reported to Ofcom and that reports contain detailed and useful information.
In turn, it will help us ensure that networks remain resilient and that we have a precise and consistent sector-level view of the security of critical national telecoms infrastructure.
In particular, we are setting new, clearer reporting thresholds for mobile operators based on the number of customers and mobile masts that could be affected by an incident.
In addition, as significant mobile service outages in the countryside tend to affect wider geographic areas with limited alternative coverage, we are also introducing new criteria for reporting incidents affecting mobile sites in rural areas.
Alongside these changes, we will also be evolving how we ensure telecoms operators are complying with their other responsibilities under the Telecoms Security Act. This will include, for example, using a broader range of our powers and focusing on specific security themes of concern.
Ofcom is seeking feedback on this by 4th August 2026 and then plans to publish a statement in autumn 2026 that will set out its final approach.