Summary
- Ofcom has updated its network and service resilience guidance for UK communications providers.
- The guidance covers architecture, service operation, monitoring, incident management, skills, automation, and managed service arrangements.
- It gives Ofcom a practical reference point for information gathering, monitoring, and compliance assessment after resilience failures.
Ofcom has updated its network and service resilience guidance for UK communications providers, giving operators a more detailed benchmark for how telecoms networks should be designed, monitored, operated, and recovered when services degrade or fail.
The guidance applies to public electronic communications networks and services, and sits alongside the UK’s telecoms security duties under the Communications Act 2003 and the Electronic Communications (Security Measures) Regulations 2022. It replaces Ofcom’s 2022 resilience guidance and is intended to be read with the Telecommunications Security Code of Practice.
Although Ofcom’s resilience statement highlights backup power for mobile radio access networks, the full document reaches well beyond power supply. It sets expectations for network architecture, infrastructure domains, control-plane resilience, management-plane resilience, service transition, service operation, event handling, incident management, skills, competency, and network automation.
Communications providers remain responsible for the resilience of the networks and services they provide, including operational network elements run by third parties on their behalf. That responsibility is harder to discharge in a market where managed services, outsourced operations, cloud components, software-defined functions, and specialist suppliers are embedded throughout the telecoms stack.
Resilience is framed as the ability to resist internal and external threats, withstand partial loss or degradation, and recover service with minimum disruption. That definition brings engineering reliability, cyber risk, supplier management, operational dependency, and crisis response into the same operational frame.
The updated document gives Ofcom a practical reference for monitoring and information gathering, and a basis for considering compliance where resilience issues arise. It does not prescribe a single technical model, but providers using different approaches are expected to explain why those choices are appropriate and proportionate.
The service operation section is especially relevant to cyber and operational resilience. Ofcom expects processes for control-plane monitoring, user-plane monitoring, event management, incident management, and problem management. Control-plane signalling and interfaces need to be monitored to understand overload, faults, and service impact. The evidence used for service assurance can also support compromise detection and recovery.
Telecoms networks now support emergency calls, financial services, healthcare access, remote work, industrial operations, authentication services, cloud connectivity, and public-sector continuity. Network failures can cascade across sectors, while cyber incidents in telecoms infrastructure can become national resilience events without needing to begin as dramatic attacks.
The guidance also reflects the complexity of modern network change. Cloud computing, 5G, connected devices, industrial IoT, virtualised network functions, automation, encryption, and complex peering arrangements can improve resilience while introducing new dependencies and failure modes. A service can fail because of physical infrastructure, software configuration, supplier operations, capacity management, control-plane overload, or weak incident processes.
Providers now need to map the guidance against live operating practice. Asset inventory, run books, service provisioning, configuration management, monitoring, supplier oversight, and staff competency all become part of the resilience evidence base. Critical customers also gain a clearer reference point when questioning telecoms providers on continuity, recovery, and managed service exposure.
Ofcom has not reduced resilience to a cyber-control checklist. It has placed telecoms availability, service integrity, monitoring, and operational accountability under a more structured regulatory lens. After future outages, operators will need to show how their architecture, monitoring, suppliers, and recovery processes matched the expectations now on record.





