Technology & Digital

Meet your telecommunications regulatory duties

If you provide a public electronic communications network or service, you must notify Ofcom, comply with the General Conditions, hold the right spectrum licences, meet tiered security duties, maintain lawful-intercept capability and comply with PECR. This guide covers each regime and what you need to do.

UK-wide
On this page
UK-wide

Related guides in Compliance & Legal

Telecommunications is a reserved matter regulated by Ofcom UK-wide. On top of the universal workplace duties, your business must comply with sector-specific notification, licensing, security, lawful-intercept and privacy regimes. Five pieces of legislation create the framework.

A. Ofcom notification and General Conditions

A provider of a public electronic communications network or service must notify Ofcom before (or on) starting to provide it. No upfront licence is required — entitlement to provide is general under the Communications Act 2003 — but you must comply with the General Conditions of Entitlement. These cover number portability, emergency-call access (999/112), billing transparency, complaints handling, switching, services for disabled end-users and a fair-treatment customer-protection regime. Ofcom can impose financial penalties for non-compliance, and larger providers pay annual administrative and network charges.

B. Spectrum licensing

Establishing or using radio transmitting apparatus requires a Wireless Telegraphy Act 2006 licence from Ofcom, unless the equipment operates in a licence-exempt band. This covers mobile network base stations, fixed wireless access, satellite earth stations and gateways, and point-to-point microwave links. Mobile spectrum is allocated by auction and carries continuing Annual Licence Fees. Transmitting without a required licence is a criminal offence under the Wireless Telegraphy Act 2006.

C. Telecoms security duties

Providers of public electronic communications networks and services must identify and reduce security-compromise risks, take the specified security measures and have regard to the Telecommunications Security Code of Practice. Duties are set by the Telecommunications (Security) Act 2021 and the Electronic Communications (Security Measures) Regulations 2022, and are tiered by provider size and turnover (Tier 1, 2 and 3). Requirements include supply-chain risk management and compliance with high-risk vendor directions. Ofcom monitors and enforces, with penalties of up to 10% of relevant turnover.

D. Lawful intercept and data retention

Telecommunications operators must be able to give effect to interception warrants, communications-data acquisition requests and (where served with a retention notice) data-retention requirements under the Investigatory Powers Act 2016. You must maintain a permanent intercept capability and assist law enforcement under warrant. Oversight is by the Investigatory Powers Commissioner. The ICO audits the security and destruction of retained communications data. These duties apply to operators providing services to the public in, or controlling apparatus in, the United Kingdom.

E. Privacy and electronic communications (PECR)

The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) impose additional privacy duties on providers of public electronic communications services. You must keep the contents and traffic data of communications confidential, notify the ICO and affected subscribers of personal data breaches, and comply with rules on cookies and similar technologies, direct marketing by electronic means (email, text, automated calls) and calling-line identification. PECR works alongside the UK GDPR; the ICO enforces both. Non-compliance can result in monetary penalty notices of up to £500,000.

  1. 1

    What to do next

    Complete the telecommunications compliance checklist to confirm you have met every obligation that applies to your business.

Official sources

Authoritative guidance for telecommunications regulatory duties.