Telecommunications Security Code of Practice: the government response and the revised timeline

Telecommunications Security Code of Practice: DSIT government response, June 2026

In short: The Telecommunications Security Code of Practice is being rewritten. On 1 June 2026 DSIT published its consultation response, confirming a revised draft that softens several proposals and pushes most new measures to March 2028, December 2028 and December 2029. The updated Code will be laid before Parliament under section 105F before it takes effect.

By Rob Bratby, Managing Partner, Bratby Law. Chambers UK Band 2 (Telecommunications). Legal 500 Leading UK Telecoms Partner. 30+ years in telecoms regulation, including Oftel and senior operator roles.

If a business runs a public telecoms network or service in the UK, the document that tells it how to meet its legal security duties is being rewritten, and the timetable for the most demanding new requirements has been pushed back to 2028 and 2029. On 1 June 2026 the Department for Science, Innovation and Technology (DSIT) published its response to the consultation on updating the Telecommunications Security Code of Practice 2022. The response confirms the shape of a revised draft Code, drops or softens several measures industry pushed back on, and resets the implementation timeline so that the genuinely new obligations now fall in 2028 and 2029 rather than this year.

Key findings from the government response

DSIT consulted between 28 August and 22 October 2025 and analysed 30 responses, supplemented by a separate cost survey of larger providers that ran from 25 November 2025 to 28 January 2026 and drew 7 responses. The headline points are these.

  • The revised draft Code will be laid before Parliament under section 105F of the Communications Act 2003; absent a resolution against it within 40 sitting days, it will be issued in final form. Source: DSIT government response, 1 June 2026.
  • The first tranche of new measures, which aligns the Code with the National Cyber Security Centre Cyber Assessment Framework version 4.0, moves to March 2028, not the December 2026 and March 2027 dates floated in the consultation. Source: DSIT government response.
  • A second tranche, covering SIM and eSIM certificate checks, automated vulnerability scanning and automation validation, keeps a December 2028 date. Source: DSIT government response.
  • Most remaining new measures, including API security, service accounts, threat modelling, anti-prepositioning controls and customer premises equipment monitoring, move to December 2029. Source: DSIT government response.
  • Several proposals were dropped or reverted on proportionality grounds, including a monthly equipment restart and a mandatory signalling intrusion detection system. Source: DSIT government response.
| Tranche | Examples of new or shifted measures | Implementation date |
|---|---|---|
| Existing Section 3 timeframes | Privileged access workstation measures aligned to ETSI standards (M11.36 to M11.42) | Unchanged |
| M22 series | Cyber Assessment Framework v4.0 business-process measures; test-network passwords; fixed and mobile signalling | March 2028 |
| M23 series | SIM and eSIM certificate checks; automated vulnerability scanning; automation pipeline validation | December 2028 |
| M24 series | API security; service accounts; threat modelling; trusted boot; customer premises equipment monitoring; logging tests; signalling reference data | December 2029 |
Implementation tranches confirmed in the DSIT government response of 1 June 2026.

Where the Telecommunications Security Code of Practice sits in the framework

The Code is guidance, not the source of the duty. The binding obligations sit in the Telecommunications (Security) Act 2021, which amended the Communications Act 2003 to impose overarching security duties on public telecoms providers under sections 105A and 105C, and in the Electronic Communications (Security Measures) Regulations 2022, which came into force on 1 October 2022 and set the specific measures providers must take.

The Telecommunications Security Code of Practice was first issued in December 2022 under section 105E of the 2003 Act. It tells large and medium-sized providers how the government prefers them to demonstrate compliance with those duties and Regulations. It does not bind a provider to a single method: a provider may meet its duties a different way, but under section 105I Ofcom can require it to explain why it is not following the Code. Ofcom monitors and enforces compliance and reports annually to the Secretary of State under section 105Z. That distinction between statutory duty and guidance is why the laying timetable matters: until the revised Code is laid and issued, the current 2022 Code is the document Ofcom measures providers against.

What the government response changed

The government pulled back on the proposals that would have widened scope or imposed prescriptive frequencies. DSIT framed the original updates as reflecting evolving technology and the threat picture, citing the Salt Typhoon campaign against telecoms networks across more than 80 countries. Industry agreed with the direction but objected to several measures as disproportionate, particularly where they amended measures whose implementation dates had already passed. DSIT accepted much of that, as the table below shows.

| Proposal during consultation | Confirmed in the government response |
|---|---|
| Restart network equipment at least monthly | Dropped; replaced with periodic restarts as part of routine patching, prioritising high-risk equipment |
| Mandatory intrusion detection system for outgoing signalling | Dropped as a measure; loosened to guidance that an intrusion detection system could be used |
| Add “Business Support Systems” to scope in paragraph 1.2 | Reverted to the original wording; glossary definition narrowed |
| Treat “shared sites” as part of the exposed edge | Reverted; replaced with a recommendation to risk-assess access to shared facilities |
| Review number analysis reference data at least every two weeks | Loosened to “regularly, with an appropriate frequency commensurate to the risk”; “should” not “shall” |
| New third-party service provider and supplier definitions | Removed; unified “third-party administrator” term plus new cloud-provider guidance |
| December 2026 and March 2027 deadlines for the first new measures | Extended to March 2028 |
How the consultation proposals changed in the DSIT government response.

The pattern is consistent. Where a change amounted to more than a clarification of a measure whose deadline had already passed, DSIT moved it to a future tranche rather than reopening settled obligations. Test-network password rules and the fixed and mobile signalling change became new March 2028 measures instead of amendments to live ones. The proposal to qualify exposed-edge data with the word “unnecessary” was abandoned to avoid introducing ambiguity into a measure already in force.

What the revised Code keeps: the bar still rises

The threat-driven core of the update survives. The revised Code retains the rewritten guidance and seven new measures on privileged access workstations, aligned to European Telecommunications Standards Institute standards and NCSC principles, on the existing Section 3 timeframes. It keeps the realignment to Cyber Assessment Framework version 4.0, published on 6 August 2025, and the new “have regard” measures drawing in its business-process sections. It retains new measures on API security, service accounts, eSIM certificate checks against the GSMA Security Accreditation Scheme, automation validation, automated security scanning, threat modelling to inform risk assessments, and trusted-boot controls aimed at the prepositioning and persistence attacks that have featured in recent network compromises.

This is the same trajectory the firm has tracked across the security framework, from Ofcom’s open letter on frontier AI cyber risk to its draft statement of policy on incident reporting under section 105Y. The destination has not moved. The timetable has.

Implementation timeline and what it means for providers

The clearest practical effect of the response is on timing. The Code applies in detail to Tier 1 providers, with relevant turnover of £1 billion or more, and Tier 2 providers, with turnover of £50 million or more but under £1 billion. Smaller providers stay subject to the duties in the Act but outside the Code’s detailed guidance. For the providers in scope, the cost survey showed that estimated costs varied widely and were driven less by the measures themselves than by each provider’s starting position, with signalling security, privileged access workstations and supply-chain controls cited as the heaviest items.

By spreading the new obligations across March 2028, December 2028 and December 2029, DSIT has given providers a longer planning horizon than the consultation implied, and removed the near-term December 2026 pressure point. The revised Code also has to clear its parliamentary stage before any of this is fixed. None of the new measures is in force, and the current 2022 Code remains the benchmark for Ofcom’s monitoring in the meantime. Where a provider is already managing an Ofcom information request or compliance review on its security duties, our regulatory investigations and enforcement support page sets out how we help. Our telecoms security page covers the framework more broadly, and the Ofcom Plan of Work 2026/27 sets the wider compliance calendar.

Viewpoint

My read of this response is that the destination has not changed but the route has got longer. The government has held the line on the measures that track the threat picture most directly: privileged access workstations aligned to ETSI standards, API and service-account security, signalling protection and anti-prepositioning controls all survive in the revised draft. What it has done is listen to industry on proportionality and timing, removing proposals that widened scope by a side wind, such as Business Support Systems, shared sites and the monthly equipment restart, and moving almost everything genuinely new into 2028 and 2029. The practical point is that the revised Telecommunications Security Code of Practice is still months from being laid, so the live compliance question today remains the current Code and Ofcom’s monitoring of compliance with it, with section 105I allowing Ofcom to require an explanation of any departure from the Code and section 105Z requiring the annual security report to the Secretary of State. The threat picture that prompted these changes continues to develop independently of that timetable.

Frequently asked questions

What is the Telecommunications Security Code of Practice?

It is statutory guidance issued by the Secretary of State under section 105E of the Communications Act 2003. It tells large and medium-sized public telecoms providers how the government expects them to meet the security duties in the Act and the Electronic Communications (Security Measures) Regulations 2022. It is guidance on how to comply, not a separate source of legal obligation.

When will the updated Code take effect?

The revised draft will be laid before Parliament under section 105F of the Communications Act 2003. If neither House resolves against it within 40 sitting days, the government will issue and publish it in final form. As at June 2026 it has not been laid, so no commencement date is fixed.

Which providers does the Code apply to?

The Code addresses Tier 1 providers, with relevant turnover of £1 billion or more, and Tier 2 providers, with turnover of £50 million or more but under £1 billion. Smaller providers remain subject to the security duties in the Act and the 2022 Regulations but sit outside the Code’s detailed technical guidance.

What are the new implementation deadlines?

The revised draft groups the new measures into three tranches: March 2028, December 2028 and December 2029. The December 2026 and March 2027 dates floated in the consultation for the first Cyber Assessment Framework measures have moved to March 2028. The privileged access workstation measures keep the existing Section 3 timeframes.

Does the Code create binding legal obligations?

No. The binding duties are in sections 105A and 105C of the Communications Act 2003 and the 2022 Regulations. The Code is guidance on how to satisfy them. A provider may adopt a different approach, but under section 105I Ofcom can require it to explain why it is not acting in accordance with the Code.

For advice on what the revised Telecommunications Security Code of Practice means for your security obligations, or on responding to Ofcom monitoring under the Act, contact Rob Bratby at Bratby Law.