The UK Online Safety Act vs. The EU Cyber Resilience Act: Where Do Telcos Fit In?

From Monday 24th March, social media platforms in the UK could face fines of up to £18 million or 10% of global revenue if they fail to remove illegal content such as fraud, child exploitation, and terrorism-related material. The UK Online Safety Act marks a significant shift in digital governance, holding platforms accountable for online harm.

It’s a bold step forward. But is it enough?

While the legislation focuses on moderating content on social media and search platforms, it leaves a crucial gap: the role of telecom operators in online safety. Cyber threats, scams, and harmful content don’t just exist on social media, they travel through the networks that telcos provide.

Yet, telcos are largely absent from the conversation.

This is where the EU Cyber Resilience Act (CRA) presents a different approach: one that could fill the gaps left by the UK’s legislation.

The missing piece: Why telcos can’t be left out

Online harm doesn’t begin and end with social media. Many cyber threats never even reach platforms because they originate elsewhere:

• Phishing scams often sent via SMS or email, bypass content moderation entirely
• Malware and ransomware infiltrate networks through unsecured connections and compromised devices
• Online fraud occurs across multiple channels, not just social media

Despite this, the burden of online safety currently falls almost entirely on tech companies, while telecom operators (who control the networks where these threats originate) are treated as passive carriers rather than active defenders.

If telcos played a more proactive role in blocking scams, phishing attempts, and malicious traffic, we wouldn’t just be reacting to threats after they’ve harmed users – we’d be preventing them at their source.

This is where the EU Cyber Resilience Act takes a different stance.

How the EU Cyber Resilience Act fills the gap

The EU Cyber Resilience Act (CRA) introduces mandatory cybersecurity requirements for hardware and software providers, including telecom operators. While the UK’s Online Safety Act focuses on content moderation, the CRA targets digital infrastructure and product security, pushing telcos to take a more active role in online safety.

Key differences between the two regulations:

What the EU CRA means for telcos

Under the EU Cyber Resilience Act, telcos face new security expectations:

• Proactive threat prevention: Telcos will be required to secure networks against cyber threats like malware, phishing, and fraud, moving from passive carriers to active cybersecurity providers

• Security by design: Telcos must embed cybersecurity into their networks and customer devices to reduce vulnerabilities at every level

• Infrastructure-level protection: The act ensures that security isn’t just an app-level concern, but is tackled at the network layer, where many threats originate.

A wake-up call for UK regulation?

The EU Cyber Resilience Act highlights a gap in the UK’s approach. While the Online Safety Act holds platforms accountable, it does little to address how cyber threats spread across networks before they reach users.

If the UK wants to take online safety seriously, it needs to:

• Expand regulation to include network-level security – Holding telcos responsible for blocking threats before they reach users would create a more proactive online safety framework
• Encourage collaboration between telcos and platforms – Cybersecurity isn’t just a platform issue. Telcos and content platforms need to work together to prevent fraud, scams, and harmful content
• Align with global security standards – The EU Cyber Resilience Act is setting a new benchmark for cybersecurity. The UK must ensure its regulations don’t lag behind.

Final thoughts: “Telcos must step up“

Telcos have the technology, the network control, and the opportunity to take an active role in blocking scams, preventing fraud, and securing digital experiences. The question is: will they step up before they’re forced to?