Proposals to update the Telecommunications Security Code of Practice 2022

The UK government is seeking views on proposals to update the Telecommunications Security Code of Practice 2022. This consultation is open to anyone, though we are particularly seeking views from providers of public electronic communications networks and services.

This consultation closes at 11:59pm on 22 October 2025

The consultation sets out proposals to update the Telecommunications Security Code of Practice 2022. These proposed updates are intended to help public telecoms providers protect UK telecoms networks and services in light of evolving threats and emerging technologies.

The proposed updates include:

• some drafting changes for greater clarity in Sections 1, 2 and 3 of the Code
• some additional measures in Section 3 of the Code
• associated guidance in Section 2 of the Code

The proposed updates are:

• explained in ‘Proposals to update the Telecommunications Security Code of Practice 2022: what we are consulting on’
• shown as tracked changes in ‘Proposed updates to the Telecommunications Security Code of Practice 2022’ (PDF)

Overview

The UK’s future prosperity rests on the security and resilience of the public electronic communications networks and services that connect us. Yet as technologies evolve, new threats to those networks and services are emerging.

Cyber hackers are capable of threatening communications worldwide, as the cost barriers to mass-scale disruption continue to fall. Countering state threats is a high priority, with greater competition and aggression in cyberspace by countries such as Russia, China, Iran and North Korea.

We are becoming ever more dependent on telecoms infrastructure as the speed and scale of networks and services develop. The increased reliance of our economy, society and critical national infrastructure (CNI) on telecoms infrastructure means we need to have confidence in its security. Without that confidence, the disruptive impact of successful cyber-attacks by threat actors will continue to grow and the consequences of connectivity compromises or outages could be catastrophic.

The Telecommunications Security Framework

The UK Telecoms Supply Chain Review 2019 identified the need to establish an enhanced legislative framework for telecoms security, which was introduced through the Telecommunications (Security) Act 2021.

The Telecommunications (Security) Act 2021 amended the Communications Act 2003 (the ‘2003 Act’) to establish a new telecoms security framework to improve the security and resilience of public telecoms networks and services.

The 2003 Act, as amended, includes:

• Overarching security duties on public telecoms providers to identify and reduce the risk of security compromises occurring, prepare for the occurrence of security compromises, prevent adverse effects arising from a security compromise that has occurred, and to remedy or mitigate such adverse effects.
• Powers for the Secretary of State to make regulations setting out specific security measures to be taken by public telecoms providers.
• Powers for the Secretary of State to issue codes of practice giving guidance on the measures to be taken by public telecoms providers to meet their legal obligations.
• Provisions to ensure the telecoms regulator, Ofcom, can effectively monitor and enforce public telecoms providers’ compliance with their legal obligations under the Act.

The Electronic Communications (Security Measures) Regulations 2022 (the ‘Regulations’) and the Telecommunications Security Code of Practice were made using these powers. They are intended to address risks to the security of the UK’s public telecoms networks and services. They have been developed in conjunction with the National Cyber Security Centre (NCSC), the UK’s national technical authority for cyber security, and Ofcom, the telecoms regulator.

The Regulations came into force on 1 October 2022. They set out specific security measures that public telecoms providers must take in addition to the overarching legal duties in sections 105A and 105C of the 2003 Act (as amended by the Telecommunications (Security) Act 2021).

The Code of Practice was issued in December 2022. It provides detailed guidelines to large and medium-sized public telecoms providers (i.e. those with a relevant turnover in the relevant period of more than or equal to £50 million) on the governments preferred approach to demonstrating compliance with the duties in the 2003 Act and the requirements within the Regulations.

Proposals to update the Telecommunications Security Code of Practice

The government is committed to continuously evaluating the effectiveness of the Telecommunications Security Framework.

In the current Code of Practice (paragraph 0.30), the government outlined the intention to ‘review and update the Code of Practice periodically as new threats emerge and technologies evolve’, and specified that ‘in doing so, it will be supported by Ofcom through its regular reporting on security to the Secretary of State under Section 105Z of the Act’.

The first reporting period for Ofcom was 2 years following commencement of section 11 of the Act (i.e. 1 October 2022 - 1 October 2024). The security report prepared by Ofcom for that period included information about the extent to which providers have acted in accordance with the Code of Practice. Access to this information has helped the government to determine how well the new framework is working and help identify where changes to the Code of Practice need to be made.

The government has also considered:

• security advice provided to the government by the NCSC that sets out where these new threats and vulnerabilities lie, based on its analysis and intelligence.
• evidence from public telecoms providers of new vulnerabilities uncovered by continued and expanded security testing, as well as new incident reporting on security compromises.

In light of these factors, and regular feedback received from industry, the government believes now is an appropriate time to update the Code of Practice.

The updates being proposed are intended to:

• Reflect evolving technology. Since the Code of Practice was published, use of certain technologies has increased, including eSIMs, automation tools, and Application Programming Interfaces (APIs). To ensure safe and secure adoption of such technologies, we need to ensure we are providing effective and up-to-date guidance to public telecoms providers.

• Reflect emerging security threats. Recent hostile-state-linked attacks on US telecoms networks have demonstrated the dramatic impact a cyber-attack can have. We need to ensure the Code of Practice reflects the need for public telecoms providers to take appropriate and proportionate measures to protect their networks against such threats.

• Provide further clarity. Public telecoms providers have suggested the Code of Practice is ambiguous in places and lacks specific guidance on certain measures, such as those relating to security testing and use of privileged access workstations. The proposed updates look to give further guidance on these matters.

• Reemphasise the need to take a holistic approach to the Code of Practice.

In summary, the proposed updates include:

(i) some drafting changes for greater clarity in Sections 1, 2 and 3 of the Code
(ii) some additional measures in Section 3 of the Code, and
(iii) associated guidance in Section 2 of the Code.

As set out above, these proposed updates are intended to help public telecoms providers protect UK telecoms networks and services in light of evolving threats and emerging technologies.

The proposed updates also include some changes to:

• The glossary in Annex A, for the purpose of clarifying the meaning of certain terms used in the proposed new guidance;
• The Vendor Security Assessment in Annex B, for the purpose of adding a new section taken from the Vendor Security Assessment (‘V.K – Business Continuity and Disaster Recovery (BCDR) planning’);
• Extracts from the Cyber Assessment Framework in Annex C, for the purpose of reflecting updates that have been made to the Cyber Assessment Framework since publication of the Code of Practice; and
• The mapping of measures to the Regulations in Section 3 of the Code of Practice. As specified in the Code of Practice, that mapping is only indicative and non-exhaustive.

The PDF document (found via the link below) - ‘Proposed updates to the Telecommunications Security Code of Practice 2022’ includes our proposed updates, reflected in tracked changes.

All substantive changes to the Code of Practice are reflected in the document. In some instances, we have made more minor changes which have not been reflected in tracked changes. These are:  

• the terms ‘telecoms providers’ and ‘providers’ have been replaced with ‘public telecoms providers’ throughout to ensure consistency across the document. 
• corrections to minor formatting and grammatical errors, including capitalising the term ‘Code of Practice’ throughout the document.

Our proposed approach

This consultation seeks views on proposed updates to the Telecommunications Security Code of Practice.

The consultation questions set out each of the substantive proposed updates in the order they appear within the 3 core sections of the Code of Practice:

• Section 1 – introduction and background
• Section 2 – key concepts
• Section 3 - technical guidance measures

Each of these updates are described alongside justification for their inclusion. Consultation questions are provided to encourage targeted feedback related to these proposed changes.

Where relevant there is a more open question at the end of each section in response to which stakeholders can provide broader feedback on the proposed updates that does not align to the more specific consultation questions.

Please note that this consultation is:

• only seeking feedback on the specific updates being proposed.
• not seeking feedback on the full Code of Practice. Any feedback provided on the wider content of the Code of Practice will not be considered as part of this consultation.

Read the full set of proposals and respond to the consultation below.

Source: UK Government: https://www.gov.uk/government/consultations/proposals-to-update-the-telecommunications-security-code-of-practice-2022 

The Critical Supply Group consists of companies and professionals committed to secure and resilient critical supply chains. CSG is managed by MAP UK & International. For more details, including how to get involved, or to make contact with any of the entities involved, please email info@mapukinternational.com.