Revised Telecommunications Security Code of Practice 2026: now issued

Revised Telecommunications Security Code of Practice 2026: DSIT version 1.1 issued 14 July 2026

In short: The revised Telecommunications Security Code of Practice was issued on 14 July 2026 as version 1.1, replacing the December 2022 Code as the guidance Ofcom measures Tier 1 and Tier 2 public telecoms providers against. The underlying law is unchanged, and the genuinely new measures carry compliance timeframes running to March 2028, December 2028 and December 2029.

By Rob Bratby, Managing Partner, Bratby Law. Chambers UK Band 2 (Telecommunications). Legal 500 Leading UK Telecoms Partner. 30+ years in telecoms regulation, including Oftel and senior operator roles.

On 14 July 2026 the Department for Science, Innovation and Technology issued version 1.1 of the Telecommunications Security Code of Practice, having laid it in draft before Parliament on 3 June 2026 under the negative procedure. It is now the live guidance, in place of the December 2022 version. The practical point is timing: almost none of the new measures apply yet. The government has deferred them to 2028 and 2029, so the immediate task for providers is familiarisation and gap analysis, not implementation.

What DSIT changed in version 1.1

The Code is guidance and the law has not changed. The binding obligations are still set out in the Telecommunications (Security) Act 2021, which amended the Communications Act 2003 to impose security duties on public telecoms providers under sections 105A and 105C, and in the Electronic Communications (Security Measures) Regulations 2022. DSIT issues the Code under section 105E and revised it under section 105F; it tells Tier 1 and Tier 2 providers how the government prefers them to demonstrate compliance, and Ofcom can require a provider to explain any departure from it under section 105I.

DSIT kept the original technical guidance and added new material to track evolving technology and hostile-state cyber threats. In the accompanying explanatory memorandum, DSIT set out new guidance on network automation aligned to the National Cyber Security Centre’s machine learning principles, on signalling, on privileged access workstations aligned to European Telecommunications Standards Institute standards, on Application Programming Interfaces linked to significant data losses, and on patching and updates to address non-persistent malware. DSIT also realigned the Code to version 4.0 of the NCSC Cyber Assessment Framework. On cost, DSIT put the indicative one-off implementation figure at £1.9 million to £3.2 million per provider and the ongoing annual cost at £285,000 to £445,000 per provider, and characterised the overall impact as low. I set out the substance of what changed, what the government dropped on proportionality grounds and the three implementation tranches in my earlier analysis of the government response.

Viewpoint

The substance has not changed since the June government response; what is new is that this is now the live Code. The government held the line on the measures that track the threat picture most directly, privileged access workstations aligned to ETSI standards, API and signalling security and anti-prepositioning controls, and Ofcom will now measure providers against them, alongside its annual security report to the Secretary of State under section 105Z. The live question for a provider today is whether its current security programme maps to the new measures before the March 2028, December 2028 and December 2029 dates, and whether it can explain any departure from the Code if Ofcom asks. Where a provider is already managing an Ofcom information request or compliance review, our investigations and enforcement support page sets out the scope of that work, and our telecoms security page covers the framework more broadly.

For advice on what the revised Telecommunications Security Code of Practice means for your security obligations, or on responding to Ofcom monitoring under the Act, contact Rob Bratby at Bratby Law.

Select topics of interest

Similar Posts