The UK Telecommunications Security Act and the Certified Gateway Requirements

James Willison

By James Willison

Project and Engagement Manager

e: James.Willison(a)

t: +44(0) 7311 888295

New security legislation in the UK is being implemented in response to an ever-changing cybersecurity threat landscape within the telecoms sector. It is expected to have a positive ripple effect beyond the UK’s shores as it shifts the sector toward stronger networks, more resilient to cyber-attacks.

About the UK’s Telecommunications (Security) Act

  • The Telecommunications (Security) Act (TSA) came into force in the UK on October 1st 2022.
  • The TSA grants powers to the Secretary of State to introduce a Code of Practice (TSA CoP).
  • The TSA CoP details the majority of the technical requirements that operators need to comply with else they could face fines of up to 10% of company turnover.

The new TSA CoP indicates that the Gateway is a Network oversight function and is also usually a Security Critical Function. The following points apply,

  • (is) essential for the network provider to understand the network, secure the network, or to recover the network
  • are more likely to be targeted for a security attack and the impact of their compromise is greater.
  • best security practices should be implemented for network oversight functions.
  • providers should prioritise the analysis of the behaviour of network oversight functions
  • providers should normally assume network oversight functions to be subject to high-end attacks, which may not have been detected by the provider,
  • implement business practices which, by their nature, make it difficult for an attacker to maintain covert access to these functions.
  • establish secure platforms which implement trusted boot.
  • should be subject to an enhanced level of monitoring, including real-time monitoring.

Satisfying the TSA CoP with GCERT

In August 2022, IoTSF published the GCERT (certified gateway) router requirements for Internet Service Providers (ISPs), router manufacturers, and end users. The GCERT provides a collation of the top internationally recognised requirements, 88 in all.

As such, we can see that the GCERT can help an organisation to meet its obligations in regard of the TSA and are therefore mapping it to the TSA CoP (an activity within the ManySecured® working group). 

Our ongoing work on technical requirements has identified and developed a range of specifications which cover the TSA CoP requirements and can be viewed on the public webpage at

These specifications include a suite of inter-related functions which work together:

    1. Distributed Device Descriptors (D3)
    2. Device Events (monitoring)
    3. DCon (network control)
    4. Secure Usable Internet browser (SUIB) and
    5. The GCERT. 

    So what?

    If this work is of interest to you please contact us as we’d be very keen to talk to you.

    Subscribe To Our Newsletter

    Get updates and learn from the best

    More To Explore

    ManySecured Needs You


    Enhancing Network Security with Device Descriptors.

    The proliferation of IoT devices and legacy systems in today’s enterprise IT infrastructure has opened up new avenues for security threats. How should these devices behave and what do we


    CyberUK 2023: Part 2

    Digital Security by Design: Transforming Digital Technology for a Safer Future. The second day of CyberUK 2023 focused on the newly launched joint guide for Security by Design and Default

    If you would like to learn more, or are interested in joining us,
    please contact us

    Would love your thoughts, please comment.x


    Let's have a chat

    Cookie Consent

    This website uses cookies to ensure you get the best experience on our website.
    By using our website you agree to our Terms and Conditions and our Privacy Policy.