Skip to main content
Guidance

Explanatory memorandum to the revised Telecommunications Security Code of Practice 2026 (accessible)

Published 3 June 2026

© Crown copyright 2026

This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.

Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.

This publication is available at https://www.gov.uk/government/publications/draft-revised-telecommunications-security-code-of-practice-2026/explanatory-memorandum-to-the-revised-telecommunications-security-code-of-practice-2026-accessible

1. Introduction

1.1 This explanatory memorandum has been prepared by the Department for Science, Innovation and Technology and is laid before Parliament by Command of His Majesty.

2. Declaration

2.1 Baroness Lloyd of Effra, Parliamentary Under-Secretary of State for Digital Economy at the Department for Science, Innovation and Technology, confirms that this explanatory memorandum meets the required standard.

2.2 David Haynes, Deputy Director for Telecoms Security and Resilience, at the Department for Science, Innovation and Technology, confirms that this explanatory memorandum meets the required standard.

3. Contact

3.1 Thomas Baker at the Department for Science, Innovation and Technology (DSIT) can be contacted by email at the following address with any queries regarding the instrument: telecomssecurityresilience@dsit.gov.uk. Alternatively, the department can be contacted by telephone: 07922 578186.

Part 1: Explanation, and context, of the Instrument

4. Overview of the Instrument

What does the revised code do?

4.1 The Telecommunications (Security) Act 2021 amended the Communications Act 2003 (‘the Act’) to strengthen the security and resilience of public telecoms networks and services. Using powers in the Act, in 2022 the government made the Electronic Communications (Security Measures) Regulations 2022 (S.I. 2022/933) (‘the Regulations’) and issued the Telecommunications Security Code of Practice (‘the 2022 Code’).

4.2 The explanatory memorandum relates to a revised version of this Code (the revised code). This revised code contains revisions to guidance on key telecoms network security concepts and technical measures to assist public telecoms providers in complying with duties in the Act and requirements in the Regulations.

4.3 This revised code provides detailed guidance to Tier 1[footnote 1] and Tier 2[footnote 2] public telecoms providers (as defined in paragraph 0.12 of the 2022 Code, and retained in paragraph 0.14 of the revised code) on the government’s preferred approach to demonstrating compliance with the duties in the Act and the requirements in the regulations.

Where does the revised code extend to, and apply?

4.4 The extent of this instrument (that is, the jurisdiction(s) which the instrument forms part of the law of) is England and Wales, Northern Ireland, and Scotland.

4.5 The territorial application of this instrument (that is, where the instrument produces a practical effect) is England and Wales, Northern Ireland, and Scotland.

5. Policy context

What is being done and why?

5.1 Following security advice provided by the UK’s technical authority on cyber security, the National Cyber Security Centre (NCSC), the government intends to issue the revised code to ensure that the technical guidance provided to public telecoms providers adequately reflects emerging threats and evolving technologies, and responds to requests from industry for additional technical guidance.

What was the previous policy, how is this different?

5.2 The revised code retains the original detailed technical guidance for large and medium sized public telecoms providers but, to help them meet their legal obligations under the Act and the regulations, it also contains new guidance on specific key concepts and technical measures.

5.3 This new guidance is intended to: reflect evolving technology, the use of which has increased since the 2022 Code was issued (for example, eSIMs); reflect emerging security threats, particularly hostile-state-linked cyber-attacks; provide further clarity in response to public telecoms providers’ working experience with the 2022 Code; and reemphasise the need for public telecoms providers to take a holistic approach to the security guidance set out within the revised code.

5.4 Specific revisions to the revised code include but are not limited to:

5.5 New guidance on network automation which aligns the revised code with existing guidance from the NCSC, including on secure principles for machine learning[footnote 3].

  • new guidance on signalling (used to control how connections are set up, maintained, routed and cleared), to address feedback from industry and the continued targeting of the signalling plane by cyber threat actors

  • new guidance, and amendments to existing guidance, on privileged access workstations (devices used to access and make changes to the most security critical parts of the network) to align the revised code with European Telecommunications Standards Institute (ETSI) standards[footnote 4]

  • new guidance on Application Programming Interfaces (rules or protocols that enable software applications to communicate with each other), which have become more routinely used and linked to significant data losses.

  • new guidance on patching and updates, to mitigate threats posed by non-persistent malware

How has the law changed?

6.1 The law has not changed. The revised code provides technical guidance to public telecoms providers on the government’s preferred approach to demonstrating compliance with the duties in the Act and the requirements in the regulations.

Why was this approach taken to change the law?

6.2 This is the only possible approach to make the necessary changes, pursuant to ss. 105E(b) and 105F of the Act.

7. Consultation

Summary of consultation outcome and methodology

7.1 The government, in the 2022 Code, established that “where changes to the Code of Practice are proposed, the government will consult affected public telecoms providers, Ofcom, and any other relevant parties”.

7.2 Public telecoms providers and Ofcom, as well as the wider public, were consulted on a set of proposed revisions to the 2022 Code through an eight-week public consultation held between 28 August and 22 October 2025. In addition, a survey was circulated to the UK’s large and medium public telecoms providers between 25 November 2025 and 28 January 2026 (9 weeks) seeking feedback on potential cost impacts of the changes.

7.3 In total, 30 responses were received to the consultation, and 7 responses were received to the additional cost survey. Respondents broadly supported the overall intent of the proposed revisions, but raised concerns about potential costs, implementation timelines, and the technical feasibility of some proposals.

7.4 The government carefully reviewed all consultation feedback and cost survey returns. In response, the government made amendments to the proposed revisions that were consulted upon where appropriate. The government response to the consultation has been published on GOV.UK[footnote 5]. It sets out how the views of respondents were considered and where amendments were made to the draft of the revised code that was consulted on.

8. Applicable guidance

8.1 The revised code is itself guidance and is aligned to guidance on various topics issued by various bodies such as NCSC and ETSI. No guidance is planned to be produced to specifically accompany the revised code.

Part 2: impact and the Better Regulation Framework

9. Impact assessment

9.1 A full regulatory Impact Assessment has not been prepared for this instrument. The instrument revises the 2022 Code and provides guidance on how public telecommunications providers may demonstrate compliance with existing statutory security duties under the Act, as amended by the Telecommunications (Security) Act 2021, and the Regulations. The instrument does not introduce new statutory duties or regulatory requirements and therefore does not constitute a regulatory provision under the Better Regulation Framework.

Impact on businesses, charities and voluntary bodies

9.2 The impact on in-scope telecommunications providers (Tier 1 and Tier 2 telecommunications providers with relevant turnover above £50 million) is expected to result in a low overall financial impact. The main impacts are expected to arise as a result of familiarisation with the revised code, and from the implementation of further technical and organisational processes to address evolving security threats and technological developments.

9.3. Based on analysis undertaken by DSIT, the familiarisation costs associated with the revised code are expected to be negligible. Where providers implement changes in line with the revised guidance, indicative estimates suggest potential one-off implementation costs in the order of £1.9 million to £3.2 million per provider, with ongoing annual costs of approximately £285,000 to £445,000 per provider. These estimates are indicative and subject to variation depending on provider size, network architecture, and existing security maturity. When considered in the context of the scale and revenues of the UK telecommunications sector, these costs are minor.

9.4 The main benefits of the revised code arise from improved clarity and consistency in how security duties should be complied with in practice, supporting enhanced resilience of UK telecommunications networks that underpin critical national infrastructure, public services and economic activity. While these benefits are not readily quantifiable, they relate to a reduced likelihood and potential impact of security incidents, reduced risk of service disruption, and greater confidence in the security of digital infrastructure.

9.5 There is no, or no significant, impact on other business, charities or voluntary bodies because the revised code only applies to Tier 1 and Tier 2 public telecoms providers.

9.6 The revised code does not impact small or micro businesses.

9.7 There is no, or no significant, impact on the public sector, including on Ofcom, because the revised code only applies to Tier 1 and Tier 2 public telecoms providers.

10. Monitoring and review

What is the approach to monitoring and reviewing the revised code?

10.1 The approach to monitoring, as outlined in paragraph 0.32 of the revised code, is to “review and update the Code of Practice periodically as new threats emerge and technologies evolve”.

10.2 As the revised code is technical guidance, and not legislation, no statutory review clause is required.

Part 3: statements and matters of particular interest to Parliament

11. Matters of special interest to Parliament

11.1 None.

12. European Convention on Human Rights

12.1 As the instrument is subject to the negative procedure, and does not amend primary legislation, no statement is required.

13. The Relevant European Union Acts

13.1 This instrument is not made under the European Union (Withdrawal) Act 2018, the European Union (Future Relationship) Act 2020 or the Retained EU Law (Revocation and Reform) Act 2023 (“relevant European Union Acts”).

  1.  Public telecoms providers with relevant turnover in the relevant period of £1bn or more. 

  2. Public telecoms providers with relevant turnover in the relevant period of more than or equal to £50m but less than £1bn. 

  3.  Machine learning principles 

  4.  Cyber Security (CYBER); Privileged Access Workstations; Part 1: Physical Device 

  5.  Proposals to update the Telecommunications Security Code of Practice 2022: government response 

Back to top