TGS


Strengthening telecoms security through a revised Telecommunications Security Code of Practice (Baroness Lloyd of Effra)

The UK Telecoms Supply Chain Review 2019 identified the need to establish an enhanced legislative framework for telecoms security. In response, the Government established a stronger Telecoms Security Framework, which consists of:

The Telecommunications (Security) Act 2021 – primary legislation which established new duties on public telecoms providers to prevent security compromises within their networks and services.

The Electronic Communications (Security Measures) Regulations 2022 – secondary legislation setting out specific cyber security requirements with which the public telecoms providers must comply.

The Telecommunications Security Code of Practice 2022 (the Code of Practice) – technical guidance on how providers can comply with the requirements set out in the regulations.

The UK’s future prosperity rests on the public electronic communications networks and services (PECN and PECS) that provide our telecoms and internet connectivity. It is important therefore that the Telecoms Security Framework keeps pace with the scale of the threat to UK telecoms networks and services, adapting to evolving threats to network security and new innovations in telecoms technology.

The UK National Cyber Security Centre’s (NCSC) Annual Review 2025 highlights how State actors continue to pose a persistent and escalating cyber threat to UK Critical National Infrastructure, including telecoms, leveraging sophisticated cyber capabilities and working closely with a growing commercial intrusion market. This threat is becoming increasingly diffuse and dangerous, with cyber-attacks a key tool in geopolitical competition. The volume of nationally significant incidents managed by the NCSC continues to grow, and we are seeing high-profile campaigns like Salt Typhoon targeting over eighty countries worldwide.

At the same time, innovations in technology are redefining both the cyber security threat and the tools available for cyber security and resilience. The growing use of AI, for example, delivers significant operational benefits for telecoms, but it also introduces new risks. Adversaries can exploit AI to automate the discovery of network vulnerabilities, and more rapidly identify high-value targets within networks. Maintaining a proactive, adaptive security posture is essential to safeguard the UK’s telecoms networks and services against these evolving and increasingly sophisticated threats.

Within the Code of Practice, to account for this changing threat landscape, the Government stated its intent to ‘review and update the Code of Practice periodically as new threats emerge and technologies evolve’.

Following discussions with the NCSC and Ofcom, and regular feedback from industry, last year the Government consulted on proposals to update some areas of the technical guidance within the Code of Practice in order to:

Provide some further clarity on specific security measures in the Code of Practice – Some providers suggested the Code lacked specific guidance in some areas. The proposed updates intend to give clearer direction to support compliance with legal duties in the legislation. This includes clearer guidance on the use of Privileged Access Workstations, approaches to security testing, and the encryption and protection of data.

Reflect evolving technology – Since the Code of Practice was published, increased use of certain technologies warrants updated technical guidance to support safe adoption. The proposed updates include new security guidance on the secure use of public cloud, automation, and Application Programming Interfaces.

Reflect emerging security threats – Recent hostile state linked attacks underline growing risks. The Code of Practice must evolve to help ensure providers respond appropriately. The proposed updates ensure the Code of Practice reflects the need for providers to take appropriate and proportionate steps to protect their networks against such threats.

The Department for Science, Innovation and Technology has considered in detail the feedback received in response to the consultation and has made amendments based on this feedback to the draft revised Code of Practice where appropriate.

Following the conclusion of this work, the Department is today laying the Draft Revised Telecommunications Security Code of Practice (the Revised Code of Practice) in Parliament for scrutiny under negative procedure. A copy of the Government Response to the consultation on Proposals to Update the Telecommunications Security Code of Practice 2022, which details the changes made in response to feedback, is published on GOV.UK.

The Revised Code of Practice represents an important step in ensuring the UK’s telecoms security framework remains robust and effective in the face of rapidly evolving cyber threats and technological change. By providing clearer and more up-to-date technical guidance, the Revised Code of Practice will help telecoms providers to comply with their statutory duties, strengthen the security and resilience of the UK’s public electronic communications networks and services, and protect citizens, businesses, and critical services that rely on them.

https://www.theyworkforyou.com/wms/?id=2026-06-03.hlws85.0

seen at 10:30, 4 June in Written Ministerial Statements.