The UK Government’s Department for Science, Innovation & Technology (DSIT) has proposed to update their Telecommunications Security Code of Practice (2022). This sets out what sort of specific security measures public telecoms providers (broadband, mobile etc.) must take in order to protect their networks from attack and data breaches.
The code is an extension of the wider Telecommunications (Security) Act 2021 (summary), which itself was originally introduced to restrict the use of Huawei’s kit in UK mobile and broadband networks, while also imposing a variety of changes to make UK telecoms networks safer from cyberattack.
The law and its supporting Code of Practice effectively handed significant new powers to the Government and Ofcom, enabling them to intervene in how telecommunications companies run their business, manage supply chains, design and even operate networks. Fines of up to 10% of turnover or £100,000 a day can even be issued against those that fail to meet the required standards, albeit tiered to different sizes of provider.
However, the Code also included a commitment to “review and update the Code of Practice periodically as new threats emerge and technologies evolve”, which is what the government are now proposing to do. This partly reflects the result of feedback received from both the UK’s security agencies (e.g. NCSC) and evidence from public telecoms providers, which highlighted new vulnerabilities uncovered by continued and expanded security testing, as well as new incident reporting on security compromises.
Government Statement on Updating the Telecoms Security Code
In light of these factors, and regular feedback received from industry, the government believes now is an appropriate time to update the Code of Practice.
The updates being proposed are intended to:
- Reflect evolving technology. Since the Code of Practice was published, use of certain technologies has increased, including eSIMs, automation tools, and Application Programming Interfaces (APIs). To ensure safe and secure adoption of such technologies, we need to ensure we are providing effective and up-to-date guidance to public telecoms providers.
- Reflect emerging security threats. Recent hostile-state-linked attacks on US telecoms networks have demonstrated the dramatic impact a cyber-attack can have. We need to ensure the Code of Practice reflects the need for public telecoms providers to take appropriate and proportionate measures to protect their networks against such threats.
- Provide further clarity. Public telecoms providers have suggested the Code of Practice is ambiguous in places and lacks specific guidance on certain measures, such as those relating to security testing and use of privileged access workstations. The proposed updates look to give further guidance on these matters.
- Reemphasise the need to take a holistic approach to the Code of Practice.
In summary, the proposed updates include:
(i) some drafting changes for greater clarity in Sections 1, 2 and 3 of the Code
(ii) some additional measures in Section 3 of the Code, and
(iii) associated guidance in Section 2 of the Code.
As set out above, these proposed updates are intended to help public telecoms providers protect UK telecoms networks and services in light of evolving threats and emerging technologies.
The related consultation on all this is set to run until 11:59pm on 22nd October 2025.