Guidance for communications providers and operators of essential services

Published: 15 September 2023
Last updated: 13 June 2024

Guidance and contact information for communications providers and operators of essential services.

Under section 105Y of the Communications Act 2003, as amended by the Telecommunications (Security) Act 2021, Ofcom has a duty to publish a statement of their general policy with respect to the exercise of their functions under sections 105I and 105M to 105V of the 2003 Act.

Our procedural guidance, which was made further to that duty and in the exercise of Ofcom’s powers under sections 1(3) and 105Y, provides general guidance on Ofcom’s approach to exercising their functions to seek to ensure compliance with the security duties. In particular, it explains the procedures that we are generally expecting to follow in carrying out our monitoring and enforcement activity. It also provides general guidance about which security compromises we would normally expect providers to report to Ofcom and the process for reporting them.

We also provide general guidance about Ofcom’s approach to sharing information with other public bodies, including Government, the National Cyber Security Centre (NCSC) and the Information Commissioner (ICO).

General statement of policy under section 105Y of the Communications Act 2003 (PDF, 572.5 KB)

We have also updated our 2017 guidance on security requirements to reflect changes made by the Telecommunications (Security) Act 2021. In particular, we have decided to revise this guidance so that it applies to the sub-category of security compromises relating to the resilience of networks and services, in terms of availability, performance or functionality.

Ofcom guidance on resilience requirements in sections 105A to D of the Communications Act 2003 (PDF, 254.9 KB)

Contact the Ofcom Network Security team

For general enquiries:

For incident reports:

This document provides Ofcom’s statutory guidance in relation to the digital infrastructure subsector. Under the NIS Regulations, Operator of an Essential Service (OES) falling within that subsector must have regard to our guidance when carrying out their security duties, and their duties to notify incidents to us.

In brief summary, this guidance:

  • gives a high-level introduction to the NIS regulations;
  • sets our views on the steps we expect the OES in the digital infrastructure subsector to take, as a minimum, to meet their obligations under the NIS regulations;
  • provides information about the types of OES in the subsector, and the duties which have been imposed on them; and
  • sets out the process and thresholds for reporting relevant security incidents that operators must follow.

We are today updating this guidance with lowered incident reporting thresholds, following our consultation on this change, and are also publishing our final statement alongside.

Guidance for the digital infrastructure (PDF, 831.3 KB)

NIS incident report form (ODT, 44.7 KB)

Contact the Ofcom NIS team

For general enquiries:

For incident reports:

We are publishing a redacted version of the Monitoring Direction that the Secretary of State gave Ofcom under section 105Z12 of the Communications Act 2003. This follows on from the Designation Notice and Designated Vendor Directions issued by the Secretary of State on 13 October 2022 following targeted consultations.

The Direction requires Ofcom to:

  • obtain specified information from specified public communications providers, relating to their compliance with the Designated Vendor Directions;
  • prepare and send reports to the Secretary of State based on such information; and
  • provide to the Secretary of State on request the information on which any such report is based.

The Direction has been redacted to remove the names of the providers which Ofcom has been directed to collect information from, in relation to their compliance with specific requirements set out in the Designated Vendor Directions. Annex 1 contains a list of the public communications providers to whom a Designated Vendor Direction has been issued. Providers covered by this Monitoring Direction will be contacted directly by Ofcom.

Monitoring direction under s.105Z12 of the communications act 2003 (PDF, 202.4 KB)

Back to top