Ofcom has released new guidance for communications providers on their resilience-related security duties under the Communications Act 2003, replacing the regulator's previous guidance document from 2022. The update sets out Ofcom's expectations for how telecoms networks and services should be architected, designed and operated to maintain availability and performance for UK consumers, businesses and organisations.
Cybersecurity obligations for telecoms providers are dealt with separately under the Telecommunications Security Code of Practice, published in 2022. This new document focuses on the broader resilience picture, covering network availability, performance and functionality, and is intended to be read alongside the Code of Practice rather than replacing it.
The guidance applies to all providers of Public Electronic Communications Networks and Services. Ofcom sets out specific expectations by network tier. For active fixed access cabinets, it considers around four hours of power backup good practice at the point of installation.
Larger aggregation sites are expected to sustain extended outages with permanent, refuellable generators, and core sites are expected to withstand power loss for a minimum of five days, aligning with the Electricity System Operator's five-day restoration standard. Providers are expected to design for automatic failover between core sites, minimise single points of failure, and consider the "user-hours lost" metric (customers affected × duration) when prioritising resilience investment.
The guidance also covers capacity management, business continuity, change management, supplier management, staff competency, and network automation/AI risks — with an expectation of clear accountability from Board level down. Ofcom will use the guidance as a reference point both for monitoring compliance and as a starting point in any enforcement action relating to resilience incidents.