Government consults on updates to Telecommunications Security Code of Practice
The UK Government has launched a consultation on proposed updates to its 2022 Telecommunications Security Code of Practice, with a deadline for responses of 22 October 2025. The proposed updates are intended to address advice received by the Government from the National Cyber Security Centre, industry and Ofcom.
An enhanced legislative framework to improve the security and resilience of the UK’s communications infrastructure was introduced in the Telecommunications (Security) Act 2021. Under this framework, the Government introduced the Electronic Communications (Security Measures) Regulations 2022 and the Telecommunications Security Code of Practice, which were intended to address security risks in the UK’s telecommunications networks and services. Together these implemented detailed security requirements for communications providers to follow.
Issued in December 2022, the Code of Practice provides detailed guidelines for large and medium-sized communications providers as to how to comply with the obligations imposed by the new legislation described above.
The Government has committed to ongoing assessment of the effectiveness of this framework and to updating the Code of Practice where appropriate. It has now concluded, following input from Ofcom, industry, and the National Cyber Security Centre, that updates are required. These are necessary to reflect both evolving technologies and emerging security threats, to provide further clarity to communications providers and to emphasise that providers should take a holistic approach to the Code of Practice.
The proposed updates include a number of new or enhanced measures, including:
- Guidance on eSIM provisioning and SIM-swap protection.
- New controls for network APIs to reduce exposure and enhance authentication protections.
- A structure for approaching Privileged Access Workstations.
- Details of best practice for securing automation pipelines, including validation of inputs and outputs.
- Expanded measures for testing, with a view to continuous, automated, and risk-based approaches.
- Updates to Annex C of the Code of Practice to align with the National Cyber Security Centre’s latest Cyber Assessment Framework.
In addition to this consultation, the Government consulted on proposals for a ransomware payment prevention regime and incident reporting framework earlier this year. It is expected to publish a Cyber Security and Resilience Bill before the end of 2025. Cyber security is clearly an area of focus and, given recent high-profile incidents in the UK, will continue to be in the coming years.
Communications providers that may be affected by the updates should review the consultation and consider (i) whether any updates to their business would be required once the changes are implemented, and (ii) whether they wish to respond to the consultation.
The full consultation and details of how to respond can be found here.