Policy paper

Electronic Communications (Security Measures) Regulations and Telecommunications Security Code of Practice

The Electronic Communications (Security Measures) Regulations 2022 and the Telecommunications Security Code of Practice are now in force.

Documents

Telecommunications Security Code of Practice

Electronic Communications (Security Measures) Regulations 2022

Explanatory memorandum

Impact assessment

Telecommunications (Security) Act 2021 (Commencement) Regulations 2022

Details

The Electronic Communications (Security Measures) Regulations 2022, along with a Telecommunications Security Code of Practice, are intended to address risks to the security of the UK’s public telecoms networks and services. They have been developed in conjunction with the National Cyber Security Centre (NCSC), the UK’s national technical authority for cyber security, and Ofcom, the telecoms regulator.

The Electronic Communications (Security Measures) Regulations came into force on 1 October 2022. They set out specific security measures that public telecoms providers must take in addition to the overarching legal duties in sections 105A and 105C of the Communications Act 2003 (as amended by the Telecommunications (Security) Act 2021). These measures are designed to ensure that providers of public networks and services are following appropriate and proportionate security practices.

Public telecoms providers that fail to comply with the regulations could face fines of up to ten per cent of turnover or, in the case of a continuing contravention, £100,000 per day. Ofcom will monitor and enforce public telecoms providers’ compliance with the regulations and Code of Practice.

The Telecommunications Security Code of Practice contains guidance on how providers can comply with the regulations. It sets out what good telecoms security looks like, explaining key concepts underpinning the regulations and specific technical guidance measures that can be taken by providers to demonstrate compliance with their legal obligations.

The Code of Practice has been issued and published here pursuant to sections 105E and 105F of the Communications Act 2003 (as amended by the Telecommunications (Security) Act 2021). The Code of Practice came into force at the time of its publication, on 1 December 2022, in accordance with section 105F(6) of the Act.

Published 5 September 2022
Last updated 1 December 2022
  1. Added Telecommunications Security Code of Practice.

  2. First published.