The UK Government’s Department for Science, Innovation & Technology (DSIT) has proposed to update its Telecommunications Security Code of Practice (2022). The Code sets out the specific security measures public telecoms providers (broadband, mobile etc.) must take to protect their networks from attack and data breaches.
The code is an extension of the wider Telecommunications (Security) Act 2021 (summary), which itself was originally introduced to restrict the use of Huawei’s kit in UK mobile and broadband networks, while also imposing a variety of changes to make UK telecoms networks safer from cyberattack.
The law and its supporting Code of Practice effectively handed significant new powers to the Government and Ofcom, enabling them to intervene in how telecommunications companies run their business, manage supply chains, design and even operate networks. Fines of up to 10% of turnover or £100,000 a day can even be issued against those that fail to meet the required standards, albeit tiered to different sizes of provider.
However, the Code also included a commitment to “review and update the Code of Practice periodically as new threats emerge and technologies evolve”, which is what the government is now proposing to do. This partly reflects feedback received from the UK’s security agencies (e.g. NCSC) and evidence from public telecoms providers, which highlighted new vulnerabilities uncovered by continued and expanded security testing, as well as new incident reporting on security compromises.
Government Statement on Updating the Telecoms Security Code
In light of these factors, and regular feedback received from industry, the government believes now is an appropriate time to update the Code of Practice.
The updates being proposed are intended to:
- Reflect evolving technology. Since the Code of Practice was published, use of certain technologies has increased, including eSIMs, automation tools, and Application Programming Interfaces (APIs). To ensure safe and secure adoption of such technologies, we need to ensure we are providing effective and up-to-date guidance to public telecoms providers.
- Reflect emerging security threats. Recent hostile-state-linked attacks on US telecoms networks have demonstrated the dramatic impact a cyber-attack can have. We need to ensure the Code of Practice reflects the need for public telecoms providers to take appropriate and proportionate measures to protect their networks against such threats.
- Provide further clarity. Public telecoms providers have suggested the Code of Practice is ambiguous in places and lacks specific guidance on certain measures, such as those relating to security testing and use of privileged access workstations. The proposed updates look to give further guidance on these matters.
- Reemphasise the need to take a holistic approach to the Code of Practice.
In summary, the proposed updates include:
(i) some drafting changes for greater clarity in Sections 1, 2 and 3 of the Code
(ii) some additional measures in Section 3 of the Code, and
(iii) associated guidance in Section 2 of the Code.
As set out above, these proposed updates are intended to help public telecoms providers protect UK telecoms networks and services in light of evolving threats and emerging technologies.
The related consultation on all this is set to run until 11:59pm on 22nd October 2025.
One of the biggest emerging threats to data security is the UK government’s growing appetite for mass surveillance and, with it, secret orders to backdoor otherwise secure systems. Does the code of practice say anything about protecting people from that? Oh silly me.
Also be interesting to see how they react when the Online Safety Act proves to be totally ineffective at trying to regulate websites that are hosted abroad outside UK jurisdiction and how they react when Ofcom starts stacking up humiliating defeats in foreign courts, particularly in the USA. My fear is that they will use it as an excuse to impose large scale Internet censorship at the border like China does because.
Yep it’s going to get very unpleasant, I think. Ofcom also have a huge amount of power to disrupt the business of a service they deem non-compliant short of actually blocking access. For example they can, with a court’s consent, order search providers to delist the service from their results, order payment providers to stop providing payment services, order ad networks to stop working with them, order social media to block links to the service. It will be interesting to see if companies like Google, with a lot of business in the UK, will fight these orders or comply and at what scale. I hope they fight and overwhelm Ofcom’s resources!
First up 4chan here:- https://www.bbc.co.uk/news/articles/cq68j5g2nr1o .
Probably worth pointing out, in case it wasn’t already obvious, that this is a network security code intended for network operators and is not related to the Online Safety Act, which is focused more on the internet content side of things.
I came to the comments section just to see how many people got the wrong end of the stick.
Nothing too drastic in the changes but a lot of CAF and the regulation itself is heavy on intent. ‘Timely fashion’ is in the eye of the beholder.
No-one got the wrong end of the stick. It’s just amusing that on the one hand the government is telling people how to secure their networks while at the same time forcing others to put theirs at risk (see Apple). You can’t have both secure networks and mass surveillance. OSA creating an environment where less tech literate individuals are likely to put their personal identity data at risk along with likely requirements for mass surveillance technology to be installed in private chat apps is another aspect of the government’s dissonant policy making.