BT, TalkTalk, Virgin Media and Vodafone on UK Router Security and Upgrades

Last week we covered how Sky Broadband was responding to the UK government’s new internet and network security laws, which among other things prompted them to launch a new router upgrade scheme and be more transparent with customers about the state of security updates for their existing network kit. Since then, we’ve asked the other major ISPs how they plan to respond.

Just to recap, there are actually two sets of laws playing a role here. The first reflects the new Secure by Design rules under the Product Security and Telecommunications Infrastructure Act (PSTI), which came into effect on 29th April 2024 (here). This requires, among other things, that manufacturers and retailers must be “open with consumers on the minimum time they can expect to receive important security updates” for their smart / connected devices (e.g. broadband routers, phones, TVs, game consoles, smart doorbells etc.).

The second one is the new Telecoms Security Act, which sets out expectations for how telecoms providers should monitor and reduce the risks of security compromises relating to older devices (such as routers), which no longer receive security updates. This comes into force at the end of March 2025, although Sky Broadband’s approach seems to already be taking account of both laws.

Naturally this made us curious about the approaches being taken to this by BT (inc. EE and Plusnet), Virgin Media (VMO2), TalkTalk and Vodafone, which have all now provided a response.

Big ISPs and Router Security Changes

➤ TalkTalk

The provider said that they’re currently in the process of putting procedures in place to comply with the Telecoms Security Act requirements and will communicate this to customers in due course. As for the PSTI, TalkTalk claims to have been compliant since 29th April 2024, although they didn’t elaborate on how they were achieving that.

A Spokesperson for TalkTalk said: “The requirements included in the Telecoms Security Act come into force at the end of March 2025 and we will communicate with customers in due course.”

➤ BT (inc. EE and Plusnet)

BT said they are already “fully compliant” with the new PSTI regulations, although they don’t currently plan on introducing a router upgrade scheme. But the provider does say that they continually review the products and services they offer to ensure they get the best possible experience and to maintain their responsibility to be sustainable.

Crucially, the operator notes that the majority of the broadband router/hubs that EE, BT and Plusnet customers have, are still supported by security updates and would not need to be upgraded at this time. But majority is not the same word as “all“, which leaves a little question mark over what active kit might have fallen by the wayside.

➤ Virgin Media

Virgin have introduced a page that provides useful information about the security of their consumer equipment (here), which includes sub-links to manufacturers pages showing the security updates and planned support lifetime. For example, the latest Hub 5x will be supported until the 31st December 2029. But sadly this same information isn’t yet available across most of their router models (it should be soon).

The provider also notes that a separate deadline, which takes effect next year for Tier 1 providers (like VMO2), exists to ensure all customer premises equipment (CPE) is still supported and / or customers are contacted and offered a replacement as required (we believe this to be the March 2025 obligation). But Virgin doesn’t say precisely what approach they’ll take to implementing that.

➤ Vodafone

Vodafone has setup a PSTI Page that provides details on device support and compliance. For example, if you type “Vox 3 (Intelligent WiFi Hub)” into the search box (this is one of their older broadband routers), then it gives you a statement of complaince and reveals that this device will continue to receive security updates until 31st December 2026.

A Spokesperson for Vodafone told ISPreview: “As per the PTSI requirements, customers can find support information throughout our sales journeys and on our PSTI information page for relevant devices.”

In short, there are still quite a few unknowns as to how certain broadband ISPs will approach these changes, but it’s positive to see that they’re all aware of the new measures. Nevertheless, some providers seem to be taking a more proactive approach than others, and it’s worth noting that the new rules also apply to smaller players.

Recent Posts