Decoding the world of cybersecurity

UK revises telecoms security code

The revised code updates technical guidance for public telecoms providers as state-linked threats, cloud adoption, automation, APIs, and network dependency reshape UK telecoms resilience.

UK revises telecoms security code
Summary
  • DSIT has laid a draft revised Telecommunications Security Code of Practice before Parliament.
  • The code gives large and medium public telecoms providers guidance on complying with UK telecoms security duties and regulations.
  • The update covers changing threats, cloud adoption, automation, APIs, privileged access, testing, and data protection.

The UK government has laid a draft revised Telecommunications Security Code of Practice before Parliament, updating the technical guidance that large and medium public telecoms providers use to comply with statutory security duties.

The code sits under the UK telecoms security framework created after the 2019 telecoms supply chain review. That framework includes the Telecommunications (Security) Act 2021, the Electronic Communications (Security Measures) Regulations 2022, and the code of practice first published in 2022. The revised draft refines the guidance as threats, telecoms technology, and operational models change.

The Department for Science, Innovation and Technology says the code provides detailed guidance on how public telecoms providers can meet their legal duties to protect networks and services. The updated version applies to large and medium-sized public telecoms providers and reinforces a risk-based approach to security.

In a written ministerial statement, the government said the UK’s public electronic communications networks and services underpin prosperity, connectivity, businesses, citizens, and critical services. It also pointed to persistent and escalating state actor threats to critical national infrastructure, including telecoms, and referred to campaigns such as Salt Typhoon as evidence of the changing threat environment.

The revised code is a regulatory resilience development rather than a breach story. It concerns the minimum expected security posture of the networks that carry business operations, emergency communications, financial transactions, cloud access, remote work, and public services. Telecoms providers are no longer just connectivity suppliers. They are part of the national operating environment for digital life and economic continuity.

The government says the updates are intended to give clearer direction on specific security measures, including privileged access workstations, security testing, encryption, and data protection. They also address evolving technology, including public cloud, automation, and application programming interfaces. Those areas reflect how telecoms networks are becoming more software defined, remotely operated, and dependent on complex vendor ecosystems.

The consultation response and draft code should be read against a broader threat pattern. State-linked actors have shown sustained interest in telecoms infrastructure because communications networks can provide intelligence value, operational leverage, and routes into wider national systems. Telecoms providers are also adopting cloud infrastructure, orchestration, virtualised network functions, APIs, and automation to run networks more efficiently. Those changes can improve resilience while creating new access paths and dependencies.

Regulating telecoms security requires enough prescription to lift the baseline without forcing identical architectures across different providers and network generations. A risk-based code gives operators flexibility, but flexibility can lead to uneven implementation unless it is backed by evidence, testing, audit, and regulatory challenge. Ofcom’s supervision of telecoms security will make the quality of provider evidence important.

The code also reaches into supply chain governance. Public telecoms providers depend on equipment vendors, managed service providers, cloud platforms, software suppliers, contractors, and specialist maintenance teams. Controls around privileged access, data protection, APIs, testing, and secure use of cloud depend on knowing which third parties can affect the network, what access they hold, and how that access is monitored or revoked.

Telecoms security can feel remote to enterprise customers until it fails. Businesses depend on mobile networks, fixed connectivity, internet access, private circuits, cloud interconnects, voice services, and emergency communications. A compromise or prolonged disruption at telecoms level can cut across sectors at once, affecting customer service, branch operations, incident coordination, and recovery from other failures.

The revised code belongs alongside the UK Cyber Security and Resilience Bill, NIS2 in Europe, and sector-specific operational resilience rules. Telecoms security is now an enduring regulatory responsibility rather than a one-off response to vendor risk or geopolitical pressure.

Parliament’s scrutiny will shape the formal update, while Ofcom’s supervision and provider execution will determine whether it improves the resilience of the networks the UK economy assumes will remain available. Updated guidance has value only when providers can evidence control maturity, testing, remediation, supplier oversight, and incident readiness.

×