The Challenge
A leading UK full-fibre network operator, one of the country’s largest broadband infrastructure providers, was working towards a mandatory regulatory deadline. Under the UK’s Telecommunications Security Act (TSA), enforced by Ofcom, telecoms providers must safeguard their networks, supply chains and services against security threats, with compliance requirements phased through to 2028. The regulations are extensive and not one-size-fits-all. Each provider has to work through the full list, determine which measures apply to their organisation and evidence compliance across governance, cybersecurity, legal contracts, procurement, architecture and third-party risk.
Our client had the framework on its roadmap, but lacked two critical ingredients to hit Phase 1:
- Dedicated resource to analyse the regulations in depth and map them to the client’s specific operating model.
- Coordination capability to pull together a wide set of internal stakeholders (PMO, governance, architecture & engineering, InfoSec, procurement, and legal), alongside external security partners, into a single, structured delivery.
Without that coordinating layer, Phase 1 milestones and the accompanying Section 135 submission to Ofcom (the formal response to the regulator’s compliance questions) were at real risk of slipping.
Having already demonstrated regulatory delivery capability on the client’s previous piece of work, the BDUK (Building Digital UK) programme, Perform Partners were the natural choice to support the operator.
The Perform Way
We combined Business Analysis and Project Management in a single flexible resource model:
- Regulation-by-regulation analysis: We worked through the TSA measures line by line, identifying which applied and what evidence was required to demonstrate compliance.
- Cross-functional workshop design: We scheduled and facilitated the right stakeholders at the right time: legal for contractual obligations, InfoSec and Architecture & Engineering for technical controls, procurement for third-party management, and governance for oversight, including external security consultants where specialist input was needed.
- Evidence consolidation and gap mitigation: Evidence was spread across the organisation. We pulled it together into a single compliance picture, identified gaps and defined mitigations and timescales for each.
- Programme and project planning: The client held the high-level programme plan; we owned the detailed project layer, including phased delivery plans, RAID logs, slide decks, and milestone tracking, filling the project management gap.
- Third-party risk integration: We extended the lens beyond the client’s boundary, supporting the reverse-engineering of existing contracts to embed TSA clauses at renewal and feeding into their wider third-party risk approach.
Supporting People Through Change
The TSA touches almost every corner of a telecoms business, so helping people adapt to the change was just as important as the technical analysis. Here’s how we supported the teams:
- One coordinating point of contact: Teams already running at full capacity didn’t have to chase each other; we convened the right groups, chaired the workshops and kept momentum.
- Flexible, continuous cover: As the engagement evolved from analysis-heavy to delivery-heavy, we flexed our resource accordingly, with our lead consultant driving the early BA and PM coordination and a second consultant stepping in to continue the project management work seamlessly as the programme matured.
- Embedding new ways of working: The TSA became a catalyst for wider improvement. We helped the client identify process gaps and stand up new procedures and updated policies (for example, around offshore working and third-party risk grading) that will continue to serve the business well beyond Phase 1.
- Building confidence with leadership: By the time Phase 1 landed, the programme sponsor was able to point to an Ofcom-accepted submission delivered with confidence and control.