UK - Consultation on updates to the UK Telecommunications Security Framework

Written By

Rory Coutts

Associate
UK

I am an associate in our Commercial Group, and I advise clients in the technology and communications sector.

Three years after the Telecommunications Security Code of Practice 2022 (“Code”) entered into force, the UK Government has launched a consultation on updates to it. The consultation is open until 22 October 2025.

In the UK, communications providers are subject to detailed telecoms security requirements. These flow from the underlying duties on telecoms providers to take appropriate and proportionate measures to identify and reduce the risks of security compromises occurring and to prepare for the occurrence of such events, as well as to notify Ofcom (the UK regulator) of relevant security compromises. The duties and requirements are set out in the Communications Act 2003, as amended by the Telecommunications (Security) Act 2021 (“TSA”), with specific security measures further specified in the Electronic Communications (Security Measures) Regulations 2022. Technical guidance is then provided in the Code.

The Code details the granular measures for communications providers to address telecoms security risks. The Code is not mandatory: companies can adopt different technical solutions to those set out in the Code to comply with the security duties. However, Ofcom will use the Code as a starting point for its compliance assessment, and companies that depart from the Code requirements will need to explain how they otherwise meet the requirements.

These proposals represent substantial changes to the UK's TSA regime since its introduction. Organisations impacted by these changes should view these updates in parallel with the wider cyber security regulatory changes anticipated via the Cyber Security and Resilience Bill, expected in autumn 2025, and proposals to introduce ransomware incident reporting.

 

What are the proposals?

The Government has received feedback from Ofcom, industry and the National Cyber Security Centre (NCSC) indicating that sections of the current Code require updating.  

The proposed updates are wide ranging and target several areas where businesses will need to adapt their security practices. These include, among others:

  • Emerging technologies: Since the Code's publication, the Government believes that the use of eSIMs, automation tools, and Application Programming Interfaces (APIs) has increased significantly. The proposals include new guidance on securing these technologies, recognising their growing importance in modern telecoms infrastructure. 
  • Enhanced threat protection: New measures are designed to address service accounts and APIs, both of which have become prime targets due to their widespread and highly privileged access. Additional protections include requirements for Intrusion Detection Systems to monitor outgoing messages, making it more explicit that obligations relating to third party administrators extend to third party suppliers, and new guidance on encryption and protecting data. 
  • Privileged access workstations: Responding to industry feedback about unclear guidance, the Government proposes updates to privileged access workstation requirements, bringing them in line with European Telecommunications Standards Institute (ETSI) standards. 
  • Updated assessment requirements: The Code will be updated to account for new sections of the Cyber Assessment Framework (“CAF”) that have been introduced since the first publication of the Code. Other changes include updates to Vendor (supplier) Security Assessment processes so that they consider Business Continuity and Disaster Recovery, as well as the introduction of strengthened governance requirements and threat modeling.
  • Implementation timeline: The proposals encourage communications providers to implement security measures ahead of mandatory deadlines where possible and to adopt a holistic risk-based approach, instead of taking individual security measures in isolation. New measures will have staggered implementation dates focused on implementing elements of the CAF by December 2026 and March 2027. Separate additional measures would then need to be implemented by December 2028.

 

What’s next?

The consultation is open until 22 October 2025.  

We recommend that organisations in scope of the TSA closely review the proposed changes, in particular:

  • Review the proposals to assess their practicality and clarity – the proposals aim to provide greater clarity where the current Code has been considered ambiguous. Importantly, the consultation only seeks feedback on the specific proposed updates, not the entire Code of Practice, but now is the opportunity to raise any issues.
  • Map how these changes affect your compliance – the TSA applies directly to telecommunications operators or indirectly to suppliers (who consequently will be subject to contractual flow through requirements and supplier risk assessments). Gaining an understanding of how these apply to you will help you prepare.  
  • Prepare to update your agreements – the TSA requires parties to ensure contractual flow through in their supply chain. Organisations in scope will need to review and update agreements to account for these changes. This can require a close review as Ofcom has criticised a ‘copy and paste’ approach where measures are simply lifted into agreements. 

 

For more information please contact Rory Coutts
