The UK Online Safety Act vs. The EU Cyber Resilience Act: Where Do Telcos Fit In?

Paul Jenkins

From Monday 24th March, social media platforms in the UK could face fines of up to £18 million or 10% of global revenue if they fail to remove illegal content such as fraud, child exploitation, and terrorism-related material. The UK Online Safety Act marks a significant shift in digital governance, holding platforms accountable for online harm.

It’s a bold step forward. But is it enough?

While the legislation focuses on moderating content on social media and search platforms, it leaves a crucial gap: the role of telecom operators in online safety. Cyber threats, scams, and harmful content don’t just exist on social media; they travel through the networks that telcos provide.

Yet, telcos are largely absent from the conversation.

This is where the EU Cyber Resilience Act (CRA) presents a different approach: one that could fill the gaps left by the UK’s legislation.

The missing piece: Why telcos can’t be left out

Online harm doesn’t begin and end with social media. Many cyber threats never even reach platforms because they originate elsewhere:

Despite this, the burden of online safety currently falls almost entirely on tech companies, while telecom operators (who control the networks where these threats originate) are treated as passive carriers rather than active defenders.

If telcos played a more proactive role in blocking scams, phishing attempts, and malicious traffic, we wouldn’t just be reacting to threats after they’ve harmed users – we’d be preventing them at their source.

This is where the EU Cyber Resilience Act takes a different stance.

How the EU Cyber Resilience Act fills the gap

The EU Cyber Resilience Act (CRA) introduces mandatory cybersecurity requirements for hardware and software providers, including telecom operators. While the UK’s Online Safety Act focuses on content moderation, the CRA targets digital infrastructure and product security, pushing telcos to take a more active role in online safety.

Key differences between the two regulations:

| Regulation | Focus | Who is impacted? | How it affects telcos |
| --- | --- | --- | --- |
| UK Online Safety Act | Content moderation and platform accountability | Social media, search engines, and content platforms | Minimal direct impact, telcos are not required to block harmful content or cyber threats |
| EU Cyber Resilience Act | Cybersecurity of digital infrastructure and products | Software developers, hardware manufacturers, telecom operators | Telcos must embed security in networks, reduce vulnerabilities, and actively block cyber threats |

What the EU CRA means for telcos

Under the EU Cyber Resilience Act, telcos face new security expectations:

A wake-up call for UK regulation?

The EU Cyber Resilience Act highlights a gap in the UK’s approach. While the Online Safety Act holds platforms accountable, it does little to address how cyber threats spread across networks before they reach users.

If the UK wants to take online safety seriously, it needs to:

Final thoughts: Telcos must step up

Regulation is evolving, and expectations on digital safety are rising. The UK’s Online Safety Act puts the responsibility on platforms, but the EU Cyber Resilience Act recognises a deeper truth: online safety starts with infrastructure.

– Paul Jenkins, CISO, BlackDice Cyber

Telcos have the technology, the network control, and the opportunity to take an active role in blocking scams, preventing fraud, and securing digital experiences. The question is: will they step up before they’re forced to?
