Situation
For organisations supporting critical telecommunications infrastructure, security is not a theoretical exercise. It’s often a regulatory expectation, a matter of national resilience, and a test of operational readiness.
For a UK mobile telecommunications operator, this reality came into sharp focus when Ofcom issued a formal request for information under the Telecommunications Security Act (TSA).
Classed as a Tier 2 provider of public electronic communications networks and services, the operator delivers mobile connectivity to consumers and businesses across the UK.
Like all providers in scope of the TSA, it’s required to demonstrate how it meets the Act’s security duties and aligns to the Telecommunications Security Code of Practice (CoP) — often under relatively tight regulatory timescales.
Recognising the importance of getting this right first time, the provider engaged with NCC Group for support.
At a glance
Organisation: UK mobile network operator
Sector: Telecommunications
Situation: A mobile operator faced urgent Ofcom TSA information request, needing to demonstrate compliant security.
Challenges: Limited TSA expertise, a tight deadline and inadequate prior advice risked falling short of Ofcom expectations.
Solution: NCC Group led collaborative workshops and our deep telecoms expertise helped our client to prepare a robust, outcome-focused response to the request.
Results: All regulatory expectations were met, penalties and other risks were avoided, and long-term cyber resilience is being strengthened.
Challenge
Historically, the provider had responded to TSA-related regulatory enquiries through Section 135 notices issued by Ofcom. While this process was familiar, the scale and depth of the information request presented a new challenge.
Internally, the organisation faced two pressing concerns. First, it did not have sufficient in-house capacity or specialist TSA expertise to confidently interpret the CoP measures and map them to its technical and operational controls. Second, there was a clear risk that without expert guidance, the response could fall short of Ofcom’s expectations — both in quality and in timing.
The provider had previously engaged another consultancy for TSA compliance support but came away unconvinced. The advice lacked depth in telecoms specific technologies and did not inspire confidence that the regulator’s expectations had been fully met.
By the time NCC Group experts were engaged, time was tight and the stakes were higher for the latest Section 135 they were needing to respond to.
The client had confidence our specialist telecommunication security team would help as we were recommended by another provider already operating under the TSA.
Solution
NCC Group worked closely with the provider to compile a robust, evidence-based response to Ofcom’s request.
This was delivered through a series of focused workshops with the client’s subject matter experts, carefully scheduled and coordinated with the support of a dedicated client-side project manager. These sessions were designed to be efficient, collaborative, and grounded in trust.
NCC Group’s telecommunications security team could extract the right level of detail without placing unnecessary burdens on the clients’ already busy operational teams.
Crucially, we helped our client to interpret the TSA’s CoP correctly, ensuring that responses clearly demonstrated how security outcomes were being met.
By combining regulatory insight with our hands on sector expertise, NCC Group was able to guide the mobile provider through the regulation and translate technical realities into language that aligned with Ofcom’s expectations.
Results
We worked closely with the provider’s security team to deliver a complete and timely Section 135 response that met Ofcom’s requirements and deadlines.
Our client gained confidence at a critical regulatory moment which meant they avoided any penalties, reputational damage and could continue to operate securely.
Beyond the immediate response, we delivered lasting value. Areas for improvement identified during the process were converted into a clear remediation roadmap. We’re pleased to be providing them with ongoing support across highly technical security improvements and supplier assurance activities to further strengthen TSA compliance and boost our client’s overall cyber resilience.
“What really matters under the Telecommunications Security Act is not just having controls in place but being able to clearly demonstrate to the regulator how those controls achieve the outcomes set out in the Code of Practice using a risk-based approach. By bringing deep telecoms expertise and practical TSA experience, our team helped the mobile operator in this case respond with confidence, meet Ofcom’s expectations and build a strong foundation for long term compliance and resilience.”
“What really matters under the Telecommunications Security Act is not just having controls in place but being able to clearly demonstrate to the regulator how those controls achieve the outcomes set out in the Code of Practice using a risk-based approach. By bringing deep telecoms expertise and practical TSA experience, our team helped the mobile operator in this case respond with confidence, meet Ofcom’s expectations and build a strong foundation for long term compliance and resilience.”
Chris Proctor, Head of Global Telecoms Practice at NCC Group
Boost resilience under Telecommunications Security Act
Learn more about how NCC Group supports organisations achieve TSA compliance