Minister for AI and Online Safety (): I am repeating the
following Written Ministerial Statement made today in the other
place by my Noble Friend, the Parliamentary Under-Secretary of
State for Digital Economy, .
The UK Telecoms Supply Chain Review 2019 identified the need to
establish an enhanced legislative framework for telecoms
security. In response, the Government established a stronger
Telecoms Security Framework, which consists of:
- The Telecommunications (Security) Act 2021 - primary
legislation which established new duties on public telecoms
providers to prevent security compromises within their networks
and services.
- The Electronic Communications (Security Measures) Regulations
2022 – secondary legislation setting out specific cyber security
requirements with which the public telecoms providers must
comply.
- The Telecommunications Security Code of Practice 2022 (the
Code of Practice) - technical guidance on how providers can
comply with the requirements set out in the regulations.
The UK's future prosperity rests on the public electronic
communications networks and services (PECN and PECS) that provide
our telecoms and internet connectivity. It is important therefore
that the Telecoms Security Framework keeps pace with the scale of
the threat to UK telecoms networks and services, adapting to
evolving threats to network security and new innovations in
telecoms technology.
The UK National Cyber Security Centre's (NCSC) Annual Review 2025
highlights how State actors continue to pose a persistent and
escalating cyber threat to UK Critical National Infrastructure,
including telecoms, leveraging sophisticated cyber capabilities
and working closely with a growing commercial intrusion market.
This threat is becoming increasingly diffuse and dangerous, with
cyber-attacks a key tool in geopolitical competition. The volume
of nationally significant incidents managed by the NCSC continues
to grow, and we are seeing high-profile campaigns like Salt
Typhoon targeting over eighty countries worldwide.
At the same time, innovations in technology are redefining both
the cyber security threat and the tools available for cyber
security and resilience. The growing use of AI, for example,
delivers significant operational benefits for telecoms, but it
also introduces new risks. Adversaries can exploit AI to automate
the discovery of network vulnerabilities, and more rapidly
identify high-value targets within networks. Maintaining a
proactive, adaptive security posture is essential to safeguard
the UK's telecoms networks and services against these evolving
and increasingly sophisticated threats.
Within the Code of Practice, to account for this changing threat
landscape, the Government stated its intent to ‘review and update
the Code of Practice periodically as new threats emerge and
technologies evolve’.
Following discussions with the NCSC and Ofcom, and regular
feedback from industry, last year the Government consulted on
proposals to update some areas of the technical guidance within
the Code of Practice in order to:
- Provide some further clarity on specific security measures in
the Code of Practice – Some providers suggested the Code lacked
specific guidance in some areas. The proposed updates intend to
give clearer direction to support compliance with legal duties in
the legislation. This includes clearer guidance on the use of
Privileged Access Workstations, approaches to security testing,
and the encryption and protection of data.
- Reflect evolving technology – Since the Code of Practice was
published, increased use of certain technologies warrants updated
technical guidance to support safe adoption. The proposed updates
include new security guidance on the secure use of public cloud,
automation, and Application Programming Interfaces.
- Reflect emerging security threats – Recent hostile
state-linked attacks underline growing risks. The Code of Practice must
evolve to help ensure providers respond appropriately. The
proposed updates ensure the Code of Practice reflects the need
for providers to take appropriate and proportionate steps to
protect their networks against such threats.
The Department for Science, Innovation and Technology has
considered in detail the feedback received in response to the
consultation and has made amendments based on this feedback to
the draft revised Code of Practice where appropriate.
Following the conclusion of this work, the Department is today
laying the Draft Revised Telecommunications Security Code of
Practice (the Revised Code of Practice) in Parliament for
scrutiny under negative procedure. A copy of the Government
Response to the consultation on Proposals to Update the
Telecommunications Security Code of Practice 2022, which details
the changes made in response to feedback, is published on GOV.UK.
The Revised Code of Practice represents an important step in
ensuring the UK's telecoms security framework remains robust and
effective in the face of rapidly evolving cyber threats and
technological change. By providing clearer and more up-to-date
technical guidance, the Revised Code of Practice will help
telecoms providers to comply with their statutory duties,
strengthen the security and resilience of the UK's public
electronic communications networks and services, and protect
citizens, businesses, and critical services that rely on them.