Published March 18, 2025
Read Time Mins
From Monday 24th March, social media platforms in the UK could face fines of up to £18 million or 10% of global revenue if they fail to remove illegal content such as fraud, child exploitation, and terrorism-related material. The UK Online Safety Act marks a significant shift in digital governance, holding platforms accountable for online harm.
It’s a bold step forward. But is it enough?
While the legislation focuses on moderating content on social media and search platforms, it leaves a crucial gap: the role of telecom operators in online safety. Cyber threats, scams, and harmful content don’t just exist on social media, they travel through the networks that telcos provide.
Yet, telcos are largely absent from the conversation.
This is where the EU Cyber Resilience Act (CRA) presents a different approach: one that could fill the gaps left by the UK’s legislation.
Online harm doesn’t begin and end with social media. Many cyber threats never even reach platforms because they originate elsewhere:
Despite this, the burden of online safety currently falls almost entirely on tech companies, while telecom operators (who control the networks where these threats originate) are treated as passive carriers rather than active defenders.
If telcos played a more proactive role in blocking scams, phishing attempts, and malicious traffic, we wouldn’t just be reacting to threats after they’ve harmed users – we’d be preventing them at their source.
This is where the EU Cyber Resilience Act takes a different stance.
The EU Cyber Resilience Act (CRA) introduces mandatory cybersecurity requirements for hardware and software providers, including telecom operators. While the UK’s Online Safety Act focuses on content moderation, the CRA targets digital infrastructure and product security, pushing telcos to take a more active role in online safety.
Regulation | Focus | Who is impacted? | How it affects telcos |
---|---|---|---|
UK Online Safety Act | Content moderation and platform accountability | Social media, search engines, and content platforms | Minimal direct impact , telcos are not required to block harmful content or cyber threats |
EU Cyber Resilience Act | Cybersecurity of digital infrastructure and products | Software developers, hardware manufacturers, telecom operators | Telcos must embed security in networks, reduce vulnerabilities, and actively block cyber threats |
Under the EU Cyber Resilience Act, telcos face new security expectations:
The EU Cyber Resilience Act highlights a gap in the UK’s approach. While the Online Safety Act holds platforms accountable, it does little to address how cyber threats spread across networks before they reach users.
If the UK wants to take online safety seriously, it needs to:
Regulation is evolving, and expectations on digital safety are rising. The UK’s Online Safety Act puts the responsibility on platforms, but the EU Cyber Resilience Act recognises a deeper truth: online safety starts with infrastructure.
– Paul Jenkins, CISO, BlackDice Cyber
Telcos have the technology, the network control, and the opportunity to take an active role in blocking scams, preventing fraud, and securing digital experiences. The question is: will they step up before they’re forced to?