Proposals to update the Telecommunications Security Code of Practice 2022: what we are consulting on
Published 28 August 2025
Why we are consulting
In the Telecommunications Security Code of Practice (2022), the government outlines the intention to ‘review and update the Code of Practice periodically as new threats emerge and technologies evolve’.
Following security advice provided to the government by the National Cyber Security Centre (NCSC), and feedback provided both by Ofcom and industry, the government believes that some sections of the Code of Practice now require updating.
This consultation sets out these proposed updates, and invites feedback on them from providers of public electronic communications networks and services.
All feedback provided as part of this consultation will be carefully analysed by government to further refine proposals for an updated Code of Practice, and ensure it effectively supports organisations in meeting the requirements placed upon them through the UK Telecommunications Security Act (2021) and associated Electronic Communications (Security Measures) Regulations 2022.
Consultation details
- Issued: 28 August 2025
- Respond by: 11:59 pm on 22 October 2025
Enquiries to:
Network Security Policy Team
Department for Science, Innovation and Technology (DSIT)
2nd Floor
22 Whitehall
London
SW1A 2EG
Email: telecoms.security.consultation@dsit.gov.uk
Consultation reference: Telecommunications Security Code of Practice
Audiences:
- Anyone (this is a public consultation)
- Companies that provide public electronic communications networks and services
Territorial extent:
- the geographic scope of this consultation is the UK
How to respond
Submit your responses online: consultation form.
This consultation will run until 11:59 pm on 22 October 2025.
When responding, please state whether you are responding as an individual or representing the views of an organisation.
In exceptional circumstances, if you need to submit a hard copy or require another format (e.g. braille or large font) please contact telecoms.security.consultation@dsit.gov.uk.
The information you provide will be used to shape future policy development and may be shared between UK government departments, Ofcom and agencies for this purpose. Personal information will be removed in such instances. Copies of responses, in full or in summary, may be published after the consultation closing date on the department’s website.
Confidentiality and data protection
Information you provide in response to this consultation, including personal information, may be disclosed in accordance with UK legislation (the Freedom of Information Act 2000, the Data Protection Act 2018 and the Environmental Information Regulations 2004).
If you want the information that you provide to be treated as confidential please tell us, but be aware that we cannot guarantee confidentiality in all circumstances. An automatic confidentiality disclaimer generated by your IT system will not be regarded by us as a confidentiality request.
We will process your personal data in accordance with all applicable data protection laws. See our privacy policy.
Quality assurance
This consultation has been carried out in accordance with the government’s consultation principles.
The proposals
Overview
The UK’s future prosperity rests on the security and resilience of the public electronic communications networks and services that connect us. Yet as technologies evolve, new threats to those networks and services are emerging.
Cyber hackers are capable of threatening communications worldwide, as the cost barriers to mass-scale disruption continue to fall. Countering state threats is a high priority, with greater competition and aggression in cyberspace by countries such as Russia, China, Iran and North Korea.
We are becoming ever more dependent on telecoms infrastructure as the speed and scale of networks and services develop. The increased reliance of our economy, society and critical national infrastructure (CNI) on telecoms infrastructure means we need to have confidence in its security. Without that confidence, the disruptive impact of successful cyber-attacks by threat actors will continue to grow and the consequences of connectivity compromises or outages could be catastrophic.
The Telecommunications Security Framework
The UK Telecoms Supply Chain Review 2019 identified the need to establish an enhanced legislative framework for telecoms security, which was introduced through the Telecommunications (Security) Act 2021.
The Telecommunications (Security) Act 2021 amended the Communications Act 2003 (the ‘2003 Act’) to establish a new telecoms security framework to improve the security and resilience of public telecoms networks and services.
The 2003 Act, as amended, includes:
- Overarching security duties on public telecoms providers to identify and reduce the risk of security compromises occurring, prepare for the occurrence of security compromises, prevent adverse effects arising from a security compromise that has occurred, and to remedy or mitigate such adverse effects.
- Powers for the Secretary of State to make regulations setting out specific security measures to be taken by public telecoms providers.
- Powers for the Secretary of State to issue codes of practice giving guidance on the measures to be taken by public telecoms providers to meet their legal obligations.
- Provisions to ensure the telecoms regulator, Ofcom, can effectively monitor and enforce public telecoms providers’ compliance with their legal obligations under the Act.
The Electronic Communications (Security Measures) Regulations 2022 (the ‘Regulations’) and the Telecommunications Security Code of Practice were made using these powers. They are intended to address risks to the security of the UK’s public telecoms networks and services. They have been developed in conjunction with the National Cyber Security Centre (NCSC), the UK’s national technical authority for cyber security, and Ofcom, the telecoms regulator.
The Regulations came into force on 1 October 2022. They set out specific security measures that public telecoms providers must take in addition to the overarching legal duties in sections 105A and 105C of the 2003 Act (as amended by the Telecommunications (Security) Act 2021).
The Code of Practice was issued in December 2022. It provides detailed guidelines to large and medium-sized public telecoms providers (i.e. those with a relevant turnover in the relevant period of more than or equal to £50 million) on the government's preferred approach to demonstrating compliance with the duties in the 2003 Act and the requirements within the Regulations.
Proposals to update the Telecommunications Security Code of Practice
The government is committed to continuously evaluating the effectiveness of the Telecommunications Security Framework.
In the current Code of Practice (paragraph 0.30), the government outlined the intention to ‘review and update the Code of Practice periodically as new threats emerge and technologies evolve’, and specified that ‘in doing so, it will be supported by Ofcom through its regular reporting on security to the Secretary of State under Section 105Z of the Act’.
The first reporting period for Ofcom was 2 years following commencement of section 11 of the Act (i.e. 1 October 2022 - 1 October 2024). The security report prepared by Ofcom for that period included information about the extent to which providers have acted in accordance with the Code of Practice. Access to this information has helped the government to determine how well the new framework is working and to identify where changes to the Code of Practice need to be made.
The government has also considered:
- security advice provided to the government by the NCSC that sets out where these new threats and vulnerabilities lie, based on its analysis and intelligence.
- evidence from public telecoms providers of new vulnerabilities uncovered by continued and expanded security testing, as well as new incident reporting on security compromises.
In light of these factors, and regular feedback received from industry, the government believes now is an appropriate time to update the Code of Practice.
The updates being proposed are intended to:
- Reflect evolving technology. Since the Code of Practice was published, use of certain technologies has increased, including eSIMs, automation tools, and Application Programming Interfaces (APIs). To ensure safe and secure adoption of such technologies, we need to ensure we are providing effective and up-to-date guidance to public telecoms providers.
- Reflect emerging security threats. Recent hostile-state-linked attacks on US telecoms networks have demonstrated the dramatic impact a cyber-attack can have. We need to ensure the Code of Practice reflects the need for public telecoms providers to take appropriate and proportionate measures to protect their networks against such threats.
- Provide further clarity. Public telecoms providers have suggested the Code of Practice is ambiguous in places and lacks specific guidance on certain measures, such as those relating to security testing and use of privileged access workstations. The proposed updates look to give further guidance on these matters.
- Reemphasise the need to take a holistic approach to the Code of Practice.
In summary, the proposed updates include:
(i) some drafting changes for greater clarity in Sections 1, 2 and 3 of the Code
(ii) some additional measures in Section 3 of the Code, and
(iii) associated guidance in Section 2 of the Code.
As set out above, these proposed updates are intended to help public telecoms providers protect UK telecoms networks and services in light of evolving threats and emerging technologies.
The proposed updates also include some changes to:
- The glossary in Annex A, for the purpose of clarifying the meaning of certain terms used in the proposed new guidance;
- The Vendor Security Assessment in Annex B, for the purpose of adding a new section taken from the Vendor Security Assessment (‘V.K – Business Continuity and Disaster Recovery (BCDR) planning’);
- Extracts from the Cyber Assessment Framework in Annex C, for the purpose of reflecting updates that have been made to the Cyber Assessment Framework since publication of the Code of Practice; and
- The mapping of measures to the Regulations in Section 3 of the Code of Practice. As specified in the Code of Practice, that mapping is only indicative and non-exhaustive.
The PDF document - ‘Proposed updates to the Telecommunications Security Code of Practice 2022’ includes our proposed updates, reflected in tracked changes.
All substantive changes to the Code of Practice are reflected in the document. In some instances, we have made more minor changes which have not been reflected in tracked changes. These are:
- the terms ‘telecoms providers’ and ‘providers’ have been replaced with ‘public telecoms providers’ throughout to ensure consistency across the document.
- corrections to minor formatting and grammatical errors, including capitalising the term ‘Code of Practice’ throughout the document.
Our proposed approach
This consultation seeks views on proposed updates to the Telecommunications Security Code of Practice.
The consultation questions set out each of the substantive proposed updates in the order they appear within the 3 core sections of the Code of Practice:
- Section 1 – introduction and background
- Section 2 – key concepts
- Section 3 – technical guidance measures
Each of these updates is described alongside justification for its inclusion. Consultation questions are provided to encourage targeted feedback related to these proposed changes.
Where relevant there is a more open question at the end of each section in response to which stakeholders can provide broader feedback on the proposed updates that does not align to the more specific consultation questions.
Please note that this consultation is:
- only seeking feedback on the specific updates being proposed.
- not seeking feedback on the full Code of Practice. Any feedback provided on the wider content of the Code of Practice will not be considered as part of this consultation.
Consultation questions
Answer each consultation question on our online consultation form.
Question 0.1
Please provide your name, organisation, and a contact email. We may contact you if we need further information or clarification on your response.
Section 1 – introduction and background
Section 1 of the Code of Practice provides the key context for the document, including setting out:
- The legislative framework, including the Telecommunications (Security) Act 2021, the Electronic Communications (Security Measures) Regulations 2022, and the existing Telecommunications Security Code of Practice.
- Roles and responsibilities of public authorities, including government, Ofcom, and the NCSC.
- Information to support the practical application of the Code of Practice including the tiering system, explanation of key terms, the legal status of the Code of Practice, and the associated implementation timeframes.
Section 1: substantive proposed changes outlined below
Introduction
- Addition of proposed language encouraging a holistic approach to the ‘security work’ outlined in the Code in relation to the taking of appropriate and proportionate security measures (paragraphs 0.1, 0.3, 0.6). References have been added to emphasise the importance of taking a holistic, risk-based approach to the security work, instead of taking individual security measures in isolation.
Implementation timeframes
- Addition of proposed language to encourage timely implementation of security measures (paragraphs 0.28 and repeated throughout the Code of Practice). In light of the ever-evolving threat landscape, we have added references to encourage public telecoms providers, where possible, not to delay implementing measures until the dates set out in Section 3 of the Code if they are able to implement them sooner.
Question 1.1
Do you agree with the proposed amendments to Section 1? If no, explain why. Proposed amendments to Section 1 will encourage a holistic approach to security work and encourage providers, where possible, to implement measures in advance of the implementation date.
Question 1.2
Do you have any more feedback on the proposed amendments to Section 1 (Question 1.1)? If yes, provide details.
Section 2 – key concepts
Section 2 of the Code of Practice intends to establish a clear understanding of the terminology and principles which underpin the security measures detailed in the document.
Section 2: substantive proposed changes outlined below
The headings below mirror the relevant sections of the Code of Practice.
Overarching key concepts
- Clarification of existing guidance on security critical functions (paragraphs 1.3 – 1.5). The Regulations (reg. 2) specify that a ‘security critical function’, in relation to a public electronic communications network or a public electronic communications service, means ‘any function of the network or service whose operation is likely to have a material impact on the proper operation of the entire network or service or a material part of it’. Providers have requested further clarity on what constitutes a Security Critical Function; the proposed additional guidance provides examples to address this request.
Network architecture
- Amendments to the guidance on third party administrators (paragraphs 2.25 – 2.27) – in the context of public cloud providers having requested clarity around who is captured by the terminology in the current Code of Practice. These proposed amendments are intended to explicitly include third party suppliers where they could have a material effect on the confidentiality, integrity or availability of the cloud environment.
- Addition of new guidance on network automation (paragraphs 2.67 – 2.72) – this is an area where use of new technology is growing and will continue to grow. The NCSC has issued new guidance, including a set of principles for securing machine learning, and the proposed new text aims to align with that existing guidance.
- Addition of new guidance on the signalling plane (paragraphs 2.76 – 2.89) – the proposed amendments expand this section in places based on feedback from public telecoms providers, and continued targeting of the signalling plane by cyber threat actors.
- Addition of new guidance on retaining national resilience (paragraphs 2.103 and 2.107) – this proposed text has been added to encourage consideration of appropriate expertise among those involved in securing public telecoms networks and services, and to ensure that public telecoms providers reassess existing risks in response to changes in the threat or geopolitical landscape.
Protection of data and network functions
- Re-writing of existing guidance on workstations and privileged access (paragraphs 3.3 – 3.6) – this proposed amendment is in response to feedback from providers, who have suggested the original guidance lacks detail and is difficult to interpret as currently written. This sub-section of the Code has been significantly updated due to advancements in technology and based on feedback from public telecoms providers, providing additional clarity and alignment with new European Telecommunications Standards Institute (ETSI) standards.
- Addition of new guidance on eSIMs (paragraphs 3.21 – 3.24) – these proposed updates are intended to reflect the growing uptake of eSIMs, and the associated threats to the technology.
- Addition of new guidance around encryption and the protection of data (paragraphs 3.26 – 3.32) – these proposed updates are intended to ensure that as well as the need to protect personal data, public telecoms providers are aware of the need to protect network data and other bulk data.
Monitoring and analysis
- Expansion of guidance on monitoring and analysis (paragraphs 5.8, 5.9, 5.14, 5.18, 5.44) – this sub-section of the Code has been expanded with proposed additional guidance to reinforce security best practice with regards to logging and monitoring, in light of evolving threats.
Supply chain
- Amendments to guidance on third party administrators (paragraphs 6.12 and 6.19) – public telecoms providers have suggested there is a lack of clarity over who is captured by the terminology in the current Code of Practice. This proposed amendment is intended to explicitly include third party suppliers where they could have a material effect on confidentiality, integrity, or availability of the network.
- Addition of new guidance on vendor security assessments (paragraph 6.36) – this proposed guidance has been added to ensure public telecoms providers are considering the Total Cost of Ownership (TCO) when making procurement decisions.
Prevention of unauthorised access or interference
- Addition of new guidance on service accounts (paragraphs 7.4 – 7.10) – this proposed new guidance reflects the fact that service accounts, due to their widespread and highly privileged access, are a prime target for compromise and should be treated accordingly.
- Addition of new guidance on Application Programming Interfaces (APIs) (paragraphs 7.11 – 7.26) – Application Programming Interfaces (APIs) have become more routinely used since the Code of Practice was drafted, and we have seen an increase in attacks looking to exploit them. This proposed additional guidance aims to ensure public telecoms providers are taking steps to mitigate this growing threat.
Patching and updates
- Addition of new guidance on the appropriate patching period (paragraphs 11.6, 11.7, 11.8) – this proposed guidance is intended to provide additional guidance on patching and updating, including best practice in ensuring that patches are installed, applied and working correctly.
Testing
- Addition of new guidance on testing (paragraphs 13.3 – 13.18) – this proposed guidance is added in response to requests from industry. The guidance intends to provide additional clarity around testing and better reflect current business practices within operator and vendor communities.
Question 2.1
Do you agree with the thematic areas targeted through the proposed amendments in Section 2? If no, explain why.
Question 2.2
Do you agree with the specific amendments proposed in Section 2? If no, explain why and propose alternative suggestions (if possible).
Question 2.3
Do you have any more feedback on the proposed amendments to Section 2 (Question 2.1 and Question 2.2)? If yes, provide details.
Section 3 - technical guidance measures
Section 3 of the Code of Practice sets out specific technical measures to be taken by public telecoms providers, grouped by the date by which they are expected to be completed.
Each individual guidance measure in this section is also mapped to the relevant security requirements in the regulations, including regulations which may be indirectly linked to the guidance measure. It should be noted that in some instances, where the proposed amendments would materially change a specific technical measure, the existing mapping to the regulations has also been updated to reflect the proposed amendments.
To reflect evolving threats and technology, we have proposed various updates to Section 3 (set out below), alongside justifications for them.
Overarching security measures
- M1.03 – the amendment proposes to insert the word ‘unnecessary’ in this measure, to qualify the sensitive data of Security Critical Functions which shall not be hosted in equipment in the exposed edge.
Question 3.1
Do you agree with the proposed amendment? If no, explain why and propose an alternative solution (if possible).
Management plane 1
- M2.01 – the amendment proposes to add ‘as required by the role-based, least privilege model’. This is intended to stress the importance of this principle, which aims to make it harder for an attacker to be able to get system administrator level privileges.
- M2.05 – the amendment proposes to add ‘this includes test networks or services’, to clarify that default passwords should not be used in any part of the network.
Question 3.2
Do you agree with the proposed amendments? If no, explain why and propose alternative solutions (if possible).
Signalling plane 1
- M3.08 – the amendment proposes to add ‘or other identifiers’, ‘or identifier’, and ‘fraud or’, to reflect evidence to suggest that it is not just number ranges that can be exploited and that this might lead to further fraud as well as security implications.
- M3.10 – the amendment proposes to add ‘mobile and fixed’, ‘for Mobile Network Operators’, and ‘however public telecoms providers shall also consider for this measure any signalling protocols, including those not explicitly covered by the Global System for Mobile Communications Association (GSMA) guidance.’ This has been added to help ensure public telecoms providers consider relevant guidance beyond that of the GSMA.
Question 3.3
Do you agree with the proposed amendments? If no, explain why and propose alternative solutions (if possible).
Third-party supplier 1
- M4.02 – the amendment proposes to add ‘and consider the Total Cost of Ownership’, to clarify that public telecoms providers should, as a minimum, be considering the end-to-end product costs when making procurement decisions.
- M4.05 – the amendment proposes to add ‘and document actions’ and ‘when managing risk’, to clarify that as well as documenting risks public telecoms providers should also be documenting the necessary actions undertaken to mitigate those risks.
Question 3.4
Do you agree with the proposed amendments? If no, explain why and propose alternative solutions (if possible).
Supporting business processes
- M5.01 – the amendment proposes updated references to relevant sections of the Cyber Assessment Framework (CAF). These include separating out some sections of the CAF framework from this specific measure, to include in additional new measures with later implementation timeframes.
- M5.03 – the amendment proposes to add ‘these backups shall be tested regularly’, to clarify that backups, which act as the main defence against ransomware, should be regularly tested to ensure they are working as intended.
Question 3.5
Do you agree with the proposed amendments? If no, explain why and propose alternative solutions (if possible).
Management plane 2
- M8.06 – the amendment proposes to add ‘any unused protocols, ports or services including’, in response to a developing threat landscape and to reflect security best practice in this area.
- M8.07 – the amendment proposes to add ‘and regular tests should be conducted to ensure that the logging is functioning as expected’, to clarify that public telecoms providers should be ensuring that logging is functioning appropriately as a fundamental element of fault finding and a good indicator of compromise.
Question 3.6
Do you agree with the proposed amendments? If no, explain why and propose alternative solutions (if possible).
Customer Premises Equipment (CPE)
- M9.01 – the amendment proposes to replace ‘configured’ with ‘installed’, to emphasise that credentials should be secure from the point of installation.
- M9.03 – in response to feedback from providers and evolving threats, we propose to redraft this measure to better reflect security best practice for ensuring that no customer premises equipment (CPE) management interfaces are internet reachable.
- M9.04 – the amendment proposes to add ‘non-deprecated’, to ensure that protocols that have become obsolete are no longer in use.
- M9.06 – the amendment proposes to add ‘detected and’, to clarify that the two-step process for protecting the network from unsolicited incoming connections towards the customer’s network (and to support logging and monitoring), shall include detecting such connections in addition to blocking them.
Question 3.7
Do you agree with the proposed amendments? If no, explain why and propose alternative solutions (if possible).
Third party supplier measures 3
- M10.08 – the amendment proposes to add ‘and carried out securely’, to ensure that any necessary data transfers are being undertaken following security best practice.
- M10.22 – the amendment proposes to add ‘and have an associated trouble ticket’, which reflects security best practice in tracking and monitoring access to network equipment.
- M10.53 – the amendment proposes to add references to ‘M8.07, M10.41’ and the addition of ‘and retains any security related configuration’ to ensure consistent protection against threats.
Question 3.8
Do you agree with the proposed amendments? If no, explain why and propose alternative solutions (if possible).
Management plane 3
- M11.21 – we propose to replace ‘these’ with ‘all the management plane’ to help ensure testing procedures are applied to all the rules, policies, and security measures for managing network devices and systems.
- M11.24 – M11.26, M11.29, M11.30 and M11.31 – in response to industry feedback, we propose to update and rewrite these measures to provide additional guidance to support the development of an appropriate privileged access workstations (PAWs) solution. The updates are also intended to bring the guidance in the Code of Practice in line with ETSI standards on PAWs.
- M11.36 – M11.42 – we propose to add 7 new measures on PAWs. As set out above, we are also proposing to supplement these new measures with additional related guidance in Section 2 of the Code of Practice. The addition of these measures is in response to feedback from public telecoms providers. They are intended to ensure the Code of Practice aligns with ETSI standards on PAWs.
Question 3.9
Do you agree with the proposed amendments? If no, explain why and propose alternative solutions (if possible).
Third party supplier measures 4
- M14.01 – the amendment proposes to add 2 further conditions (‘d’) and (‘e’) to be met for public telecoms providers to continue to use equipment that has reached the vendor’s end-of-life date. These additional conditions relate to having a funded plan to remove equipment and a risk assessment which is updated at least annually and when there is a significant change affecting the equipment in question. These conditions are intended to ensure that decommissioning is completed, and that there is no end-of-life equipment staying in the network that creates unnecessary risks.
Question 3.10
Do you agree with the proposed amendments? If no, explain why and propose alternative solutions (if possible).
Additional new measures
As well as the 7 new PAWs measures mentioned above (M11.36 – M11.42), which would be subject to the existing implementation timeframes, we are proposing the introduction of additional new measures to the Code of Practice. This includes:
The following new measure with a proposed implementation timeframe of 31 December 2026.
Supporting business processes – ‘Public telecoms providers shall have regard to implementing the following parts of the CAF (contained within Annex C) that define the public telecoms provider’s business processes: A2b-Understanding Threat; B2d-Identity and Access Management; B3 a-c Understanding Data, Data in Transit, Stored Data; D2-Lessons Learned.’
This proposed measure looks to give providers sufficient time to have regard to updated sections from the Cyber Assessment Framework contained in Annex C.
Question 3.11
Do you agree with the proposed new measure? If no, explain why and propose an alternative solution (if possible).
The following new measure with a proposed implementation timeframe of 31 March 2027.
Supporting business processes – ‘public telecoms providers shall have regard to implementing the following parts of the CAF (contained within Annex C) that define the public telecoms provider’s business processes: B2b-Device Management.’
This proposed measure looks to give providers sufficient time to have regard to updated sections from the Cyber Assessment Framework contained in Annex C.
Question 3.12
Do you agree with the proposed new measure? If no, explain why and propose an alternative solution (if possible).
The following new measures with an implementation timeframe of 31 December 2028.
Logging and monitoring – ‘regular tests should be conducted to ensure that the logging is functioning as expected’.
This proposed measure aims to reinforce security best practice with regards to logging and monitoring in light of evolving threats to the sector.
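The proposed M8.07 wording and the new logging and monitoring measure above both ask that logging be tested regularly rather than assumed to work. The script below is an added illustration of what such a test can look like; it is hypothetical code, not part of the Code of Practice or of any provider's tooling. It assumes a collector that can be queried for recent records and a scheduled job that injects a synthetic "canary" event at each source, and it flags a source when its feed has gone quiet beyond an allowed window or when the canary never reached the collector (a silent break between source and SIEM). All records, source names and time values are constructed sample data.

```python
"""Periodic health check for security logging (added illustration, hypothetical).

Three ways a log pipeline fails silently are covered:
  1. a source that should be logging has sent nothing at all,
  2. a source's newest record is older than its allowed silence window,
  3. a synthetic canary event injected at the source did not arrive
     within the canary window (pipeline broken between source and collector).
All data below is constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


@dataclass(frozen=True)
class LogSource:
    name: str
    max_silence: timedelta   # longest acceptable gap between records
    canary_marker: str       # text the scheduled canary injector writes


@dataclass(frozen=True)
class LogRecord:
    source: str
    timestamp: datetime
    message: str


@dataclass
class SourceStatus:
    source: str
    stale: bool          # no record, or newest record beyond max_silence
    canary_seen: bool    # canary arrived within the canary window

    @property
    def healthy(self) -> bool:
        return not self.stale and self.canary_seen


def check_sources(sources, records, now, canary_window):
    """Evaluate every expected source against the records the collector holds."""
    by_name = {s.name: s for s in sources}
    latest = {}
    canaries = set()
    for r in records:
        src = by_name.get(r.source)
        if src is None:
            continue  # unknown host: not an expected feed, ignored here
        if r.source not in latest or r.timestamp > latest[r.source]:
            latest[r.source] = r.timestamp
        if src.canary_marker in r.message and now - r.timestamp <= canary_window:
            canaries.add(r.source)
    results = []
    for s in sources:
        last = latest.get(s.name)
        stale = last is None or (now - last) > s.max_silence
        results.append(SourceStatus(s.name, stale, s.name in canaries))
    return results


def unhealthy_sources(results):
    """Names of sources that need attention, in the configured order."""
    return [r.source for r in results if not r.healthy]


# Constructed sample run: three expected feeds, one unknown host.
NOW = datetime(2025, 8, 28, 12, 0, tzinfo=UTC)
SOURCES = [
    LogSource("core-router-01", timedelta(minutes=15), "LOGTEST"),
    LogSource("radius-01", timedelta(minutes=5), "LOGTEST"),
    LogSource("firewall-edge-02", timedelta(minutes=10), "LOGTEST"),
]
RECORDS = [
    LogRecord("core-router-01", NOW - timedelta(minutes=2), "LOGTEST heartbeat"),
    LogRecord("radius-01", NOW - timedelta(minutes=3), "auth ok user=alice"),
    LogRecord("firewall-edge-02", NOW - timedelta(minutes=30), "LOGTEST heartbeat"),
    LogRecord("unknown-host", NOW - timedelta(minutes=1), "LOGTEST heartbeat"),
]


def run_sample():
    return check_sources(SOURCES, RECORDS, NOW, canary_window=timedelta(minutes=5))


if __name__ == "__main__":
    for status in run_sample():
        print(status.source, "OK" if status.healthy else "CHECK", status)
    print("unhealthy:", unhealthy_sources(run_sample()))
```

In the sample, core-router-01 passes both checks; radius-01 is fresh but its canary is missing, which is worth raising because ordinary traffic can keep flowing while a filter or parser silently drops a class of events; firewall-edge-02 is stale and its only canary is too old to count. Distinguishing "stale" from "canary missing" matters when deciding whether the fault is at the device or in the pipeline.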
Question 3.13
Do you agree with the proposed new measure? If no, explain why and propose an alternative solution (if possible).
SIMs – ‘public telecoms providers shall check the SIM providers’ certificates against the GSMA SAS accredited website and satisfy themselves that the supporting sites and external parties are sufficiently trustworthy.’
This proposed measure is intended to ensure that public telecoms providers, where outsourcing, are carrying out appropriate due diligence.
Question 3.14
Do you agree with the proposed new measure? If no, explain why and propose an alternative solution (if possible).
Signalling – ‘number analysis reference data (as per the guidance in paragraph 2.80) that are used to configure network equipment shall be maintained regularly and shall be reviewed frequently.’
Signalling – ‘public telecoms providers shall protect against the injection of malicious signalling messages into the public telecoms provider’s network.’
Signalling – ‘the public telecoms provider should implement an Intrusion Detection System (IDS) that monitors outgoing signalling messages and alerts the public telecoms provider where data leaks are discovered. It is recommended that the IDS provider should be different to the signalling firewall (IPS) provider.’
These proposed measures are intended to ensure public telecoms providers are taking appropriate steps to protect their networks from malicious interference, ensure accurate and secure configuration of network equipment, and detect potential data leaks.
Question 3.15
Do you agree with the proposed new measures? If no, explain why and propose alternative solutions (if possible).
Governance – ‘public telecoms providers should conduct threat modelling to inform their risk assessments. This modelling must identify relevant threats, vulnerabilities, and potential attack vectors, and should be used to guide the identification and evaluation of security risks across networks and services. For example, through risk assessments or threat models, public telecoms providers should ensure that these risks do not materially affect the proper functioning of the entire network, service, or any significant part of it.’
This proposed measure is intended to encourage a holistic approach to security, including through the development of risk assessments and other documentation.
Question 3.16
Do you agree with the proposed new measure? If no, explain why and propose an alternative solution (if possible).
Management plane – ‘equipment that is subject to high-end attacks shall, where technically possible, implement trusted boot, and periodically be rebuilt/redeployed to an up-to-date known-good state.’
This proposed measure is intended to ensure public telecoms providers are undertaking work to prevent and mitigate prepositioning and persistence attacks, in response to developing threat vectors.
Question 3.17
Do you agree with the proposed new measure? If no, explain why and propose an alternative solution (if possible).
Automation – ‘public telecoms providers shall ensure that the data or software used within automation pipelines is from a trusted source, and validated, and check that the outputs are as expected.’
This proposed measure is intended to ensure public telecoms providers are using automation in their networks in a secure way, and validating the outputs of automated processes.
Question 3.18
Do you agree with the proposed new measure? If no, explain why and propose an alternative solution (if possible).
Customer Premise Equipment (CPE) – ‘public telecoms providers shall monitor CPE activity for anomalous behaviour that may have an impact on their networks.’
This proposed measure is intended to ensure public telecoms providers are adequately protecting their networks, given this is a common attack vector.
Question 3.19
Do you agree with the proposed new measure? If no, explain why and propose an alternative solution (if possible).
Service accounts – ‘for service accounts, public telecoms providers shall consider whether privileged access is required for each task and follow the role-based, least privilege model and document them in their asset register. They shall be dedicated to the task or service they have been assigned to (i.e. not associated to a user)’.
Service accounts – ‘a privileged access solution that securely stores and rotates credentials frequently should be used to manage service accounts.’
These proposed measures are intended to ensure service accounts are being managed securely, noting that, due to their widespread and highly privileged access, they are a prime target for compromise and should be treated accordingly.
Question 3.20
Do you agree with the proposed new measures? If no, explain why and propose alternative solutions (if possible).
Application Programming Interfaces (APIs) – ‘public telecoms providers shall ensure their APIs are clearly and fully documented in the asset register, and implemented securely, to minimise exposure to the internet and/or unauthorised parties.’
This proposed measure is intended to ensure public telecoms providers are taking steps to mitigate the increase in attacks seeking to exploit APIs, and to drive secure use of APIs.
Question 3.21
Do you agree with the proposed new measure? If no, explain why and propose an alternative solution (if possible).
Security testing – ‘public telecoms providers shall implement an automated scanning process to identify vulnerabilities, missing patches or configuration changes.’
Security testing – ‘public telecoms providers are responsible for determining a holistic approach to security testing, which includes security testing that is appropriate, risk-based, and tailored to their specific deployments.’
These proposed measures are in response to industry feedback. They are intended to reduce the time that public telecoms providers are exposed to vulnerabilities, and to drive a holistic approach to testing, in line with the additional guidance provided in Sections 1 and 2.
Question 3.22
Do you agree with the proposed new measures? If no, explain why and propose alternative solutions (if possible).
Cost estimates
We would like to provide the opportunity for public telecoms providers to let us know of any additional costs for their businesses that they foresee from implementing the new/amended measures proposed in Section 3 (questions 3.1 to 3.22).
Question 4.1
Provide an estimate of any additional costs related to the implementation of the new/amended measures proposed in Section 3. If possible, break these costs down with reference to each specific measure.
These estimates should only reflect additional costs relating to the proposed measures. They should not include costs already incurred through implementing measures currently within the Code of Practice.
Annex A – glossary
We propose several new definitions to the glossary within the Code of Practice. These additions are mostly in response to industry feedback or to support the guidance and measures that we are proposing to add in the Code.
Where possible, these definitions replicate existing definitions in guidance or legislation.
Question 5.1
Do you agree with the new definitions added to Annex A? If no, explain why and propose alternative definitions (if possible).
Annex B – vendor security assessment
We propose to add a new section to the vendor security assessment annex – ‘V.K – Business Continuity and Disaster Recovery (BCDR) planning’.
This section has been added in response to the increased reliance on third parties for ensuring continuity of service. It has been designed to broadly reflect the requirements in the Telecommunications (Security) Act and the Code of Practice that are placed on the public telecoms providers themselves.
Question 5.2
Do you agree with the additions to Annex B? If no, explain why.
Annex C – extracts from the Cyber Assessment Framework (CAF)
The information included in this annex was initially taken from the NCSC’s Cyber Assessment Framework (CAF) Version 3.1, which was published on 11 April 2022.
Since the publication of the Code of Practice, this framework has been updated multiple times.
We propose to make amendments to the CAF annex to reflect the current version of the CAF (Version 4.0, which was published on 6 August 2025).
Question 5.3
Do you agree with the additions to Annex C? If no, explain why.