Telecoms | UK Regulatory Outlook May 2026

Ofcom opens consultation on proposed changes to revised telecoms security incident reporting framework 

On 12 May 2026, Ofcom published a consultation on proposed changes to its general Statement of Policy under section 105Y of the Communications Act 2003, with a closing date for responses of 4 August 2026 at 5pm.  

The statement of policy, first published in 2022, governs how Ofcom exercises its security-related functions under the Communications Act 2003, including compliance monitoring, assessment and enforcement powers, and the processes for reporting security compromises.  

Ofcom's proposed changes include:  

Compliance monitoring approach 

Ofcom proposes to update the expected frequency of section 135 information notices from approximately every nine months to every twelve months. 

It further proposes to integrate assessment notices under sections 105N–105Q into its ordinary supervisory toolkit, moving away from their previous characterisation as primarily an escalatory measure, on the basis that they may be a more appropriate and proportionate means of assessing compliance in certain circumstances. 

Mobile security compromise reporting thresholds 

Ofcom proposes to replace the existing reporting processes based on individual mobile network operator (MNO) definitions of Major Service Failures with universal criteria based on the number of end customers and/or cell sites affected and the duration of service loss or major disruption.  

The proposed thresholds would maintain the 100,000 customers affected for any duration threshold and align the 10,000 or 25% of customers affected for eight hours threshold between mobile and fixed networks.  

Ofcom also proposes introducing cell site-based thresholds, including a requirement to report outages affecting 25 or more cell sites in semi-urban and urban areas, and a specific rural threshold whereby an outage at one or more cell sites would be reportable via monthly bulk reports, unless there are concurrent quantitative or qualitative factors that make the incident reportable earlier. 

Severity categorisation and critical threshold 

Ofcom proposes to rename its incident categories from "urgent", "non-urgent" and "non-major" to "critical", "major" and "moderate" respectively, and to lower the critical reporting threshold from 3 million to 1.5 million user-hours lost, to better reflect the range of mobile virtual network operator (MVNO) subscriber bases. 

Reporting template and RAN data 

Ofcom proposes to add explanatory guidance to the reporting template, introduce three new columns to the bulk reporting template (third party details, global cell IDs, and other notes), and require MNOs to share a list of all their RAN cells on a monthly basis to enable correlation of incident reports with accurate location data. 

Further clarifications 

Ofcom proposes to clarify that communications providers cannot rely on third parties to report on their behalf, that combined service interruptions from a common cause (such as severe weather) that collectively reach the reporting thresholds are reportable, and that incidents remain reportable even where emergency roaming has preserved 112/999 access. 

Why it matters 

The proposed changes are designed to provide communications providers with clearer and more consistent criteria for determining when a security compromise must be reported, replacing arrangements that Ofcom found resulted in inconsistent levels of reporting across the industry. 

Communications providers should anticipate implementation costs associated with the proposed changes, including potential capital expenditure to differentiate between urban and rural cell sites, adjustments to internal reporting systems and processes, and operational expenditure for the completion of additional incident reports. However, Ofcom's impact assessment indicates that it does not consider these changes will result in material additional costs overall. 

Ofcom's clarification that the legal responsibility of reporting rests with the communications providers means they should review their contractual arrangements and information-sharing protocols with third parties to ensure they can meet this obligation in practice. 

Communications providers should be prepared for a shift in Ofcom's supervisory posture, including the integration of assessment notices as a standard compliance tool rather than an exceptional measure. Providers should ensure they are operationally ready to facilitate such assessments at shorter notice. 

Key dates 

Consultation closes: 4 August 2026 at 5pm 

Decision expected: Autumn 2026.