Telecoms | UK Regulatory Outlook June 2026
Published on 30th June 2026
Draft revised Telecommunications Security Code of Practice recently published
The revised Telecommunications Security Code of Practice was published in draft on 3 June 2026, following the Department for Science, Innovation and Technology (DSIT) consultation launched in summer 2025. It has not yet come into force, but operators should plan on the basis that it will do so around mid-July 2026, unless either House of Parliament objects within the 40-day scrutiny period.
The code of practice was published in 2022 and provides guidance on how public telecoms operators can meet their existing legal duties under the Communications Act 2003 (as amended by the Telecommunications (Security) Act 2021) and the Electronic Communications (Security Measures) Regulations 2022. It applies primarily to Tier 1 providers (those with relevant annual turnover of £1 billion or more) and Tier 2 providers (£50 million to £1 billion).
This update does not change the underlying law or introduce new statutory duties. Instead it refreshes the non-binding guidance on demonstrating compliance and expands the code across several areas:
- Risk-based approach and in-house competency requirement: The revised code reinforces a risk-based approach rather than treating the code as a compliance checklist and explicitly encourages early implementation where prudent. Board-level accountability has been strengthened: the designated person or committee must now "have sufficient knowledge and competency to discharge these responsibilities", clarifying that formal nomination alone is insufficient.
- Supply chain and third parties – tighter accountability: Operators cannot delegate security to suppliers and must maintain appropriate contracts, monitoring, and sufficient in-house capability to understand and appraise supplier activities. The revised code introduces a unified term "third-party administrators" (3PAs) for external partners with privileged or administrative access. Security must be a significant factor in procurement decisions, based on objective, evidence-backed assessments rather than documentation alone.
- Cloud providers – new expectations: A dedicated section on cloud providers requires that security controls are applied correctly. Operators must not assume that moving a function to the cloud automatically delivers the necessary level of control. Under the shared-responsibility model, cloud providers are treated as both 3PAs (for underlying physical infrastructure and virtualisation fabric) and third-party suppliers (for the cloud services themselves). The operator remains responsible and accountable for management, oversight, and ensuring the overall architecture meets the code of practice. Operators must also understand the operational impact of losing connectivity to the cloud environment's control plane and plan accordingly.
- Privileged access workstations (PAWs) – significantly expanded: The revised code contains more prescriptive guidance on PAWs, aligned to National Cyber Security Centre (NCSC) and ETSI standards, including requirements for written design records, annual reviews, secure build checks, segregated infrastructure, protective monitoring, and audited data transfer controls. These inherit the 31 March 2027 implementation deadline.
- Signalling – stronger guidance, but IDS mandate removed: The revised code strengthens guidance on protecting the signalling plane. Following industry feedback on cost and proportionality, an independent signalling intrusion-detection system (IDS) is recommended but not mandated.
- Security testing – greater emphasis on continuous and automated testing: Testing guidance has been expanded, including expectations around negative testing and automated scanning for vulnerabilities, missing patches, and configuration changes. TBEST is clarified as one option among several.
- Incident response planning: The revised code expects operators to maintain a well-socialised, regularly practised incident response plan to ensure effective response and aid regulatory compliance during time-pressured situations.
- Equipment restart frequency – new guidance: The revised code recommends periodic restarts of network equipment to mitigate non-persistent malware residing only in memory. Where restarts are not inherent in existing processes, operators must identify high-risk equipment and implement controlled restart procedures using a risk-based approach.
- SIM and eSIM security: Operators must check SIM providers' certificates against the GSMA Security Accreditation Scheme (SAS) website and satisfy themselves that supporting sites and external parties are sufficiently trustworthy. This applies to all SIM types, including eSIMs.
- Data protection – broader scope: The guidance broadens the data-protection focus beyond personal data to include network data and "bulk data", advising IPsec or TLS for data in transit and tight role-based, least-privilege access controls.
- New measures introduced: The revised code introduces new measures with staggered implementation deadlines, including: initial measures (M22 series), covering CAF-related requirements; further new measures (M23 series), including the automated vulnerability-scanning requirement (M23.02) and automation pipeline controls (M23.03); and additional measures (M24 series) related to the signalling plane, including the logging-functionality testing requirement (M24.01) and API documentation and security controls (M24.08). Where proposed changes to measures with already-passed implementation deadlines were perceived as more than mere clarification, the government shifted those requirements into new standalone measures with future implementation timeframes.
The revised code has practical implications for telecoms operators, who should consider the following steps:
- Confirming tier classification and ensuring compliance programmes reflect the correct expectations and timelines.
- Running a gap assessment against the revised code and the published changelog, focusing on the new measures in the M22, M23, and M24 series and the expanded PAW requirements.
- Reviewing supply contracts, particularly with managed-service providers and cloud suppliers, to ensure contractual controls, audit rights, and security obligations align with the tighter expectations in the revised code. The code sets specific implementation dates for new and existing contracts, with a deadline of 31 March 2027 for all existing contracts to meet the relevant requirements.
- Checking whether their board-level designee genuinely has sufficient knowledge and competency to discharge these responsibilities, not merely whether someone has been formally nominated.
- Reviewing restart and patching procedures, mapping the new periodic-restart recommendation against existing schedules, identifying high-risk equipment, and documenting a risk-based rationale for restart frequency. A written restart policy referenced in the security governance framework is advisable.
- Reviewing, socialising and regularly testing their incident response plan to minimise incident impact and meet regulatory obligations.
Implementation deadlines for new measures:
- Initial new measures (M22 series): 31 March 2028
- Further new measures (M23 series): 31 December 2029
- Additional measures (M24 series): 31 December 2029
These dates sit alongside existing implementation deadlines from the 2022 code that remain in place.
Implementation deadlines for existing supply contracts: 31 March 2027 to meet the relevant requirements.
Ofcom published latest AI strategic report on safe and secure AI adoption
On 4 June 2026, Ofcom published its latest report on the use of AI in the telecoms sector. This is the third AI strategic report by Ofcom, required by the government to demonstrate how regulators are supporting the AI Opportunities Action Plan. It marks a shift from Ofcom's earlier focus on mapping AI risks (2024–25) and enablement (2025–26) to a more proactive stance: consulting with operators and bodies such as the AI Security Institute and NCSC on the cybersecurity implications of AI, and launching the first formal regulatory investigation into an AI chatbot (X's Grok).
This report highlights four key trends for telecoms operators to be aware of:
- AI and Cybersecurity: Ofcom consulted earlier this year to seek input from operators regulated under the Communications Act 2003 (as amended by the Telecommunications (Security) Act 2021 (TSA)) and the NIS Regulations 2018, to understand how AI is currently being used in cybersecurity and whether regulatory requirements may present unintended barriers to adoption.
Ofcom's priority is to ensure the safe and secure adoption of AI in cybersecurity environments, balancing innovation against regulatory risk. Levels of trust and assurance in AI are likely to affect both the pace and extent of adoption. Further clarity from Ofcom is expected later in 2026.
- "AI for Networks" – potential for new guidance: Ofcom is exploring how AI is being applied by telecoms providers to support network management and optimisation, considering emerging issues around transparency, explainability, and accountability. This work will inform its policy development on network resilience and may lead to future guidance. Operators should review their internal governance frameworks for AI-driven network operations in preparation.
- Customer-facing AI: Ofcom is researching how customers, telecoms companies, and third-party applications are using AI tools, with findings planned for publication in the second half of 2026. It is considering whether rule changes are needed to protect customers from potential harms, including adequacy of protections for vulnerable consumers, AI-related fraud risks, and protections for customers uncomfortable using AI tools.
- Agentic AI: Ofcom has identified growing interest in agentic AI and flagged that accountability and control present challenges, noting that agentic systems can make consequential decisions without direct human intervention and risk becoming opaque "black boxes" without effective governance and meaningful human oversight.
For telecoms operators, Ofcom has identified agentic AI as a potential use case for network optimisation and maintenance – envisaging systems that dynamically adjust network parameters within pre-defined guardrails. However, applicability to critical national infrastructure means cascading errors would have higher impact, and explainability challenges could complicate incident reporting.
Agentic customer-service chatbots are identified as a cross-sector use case currently in pilot, capable of actions such as enacting refunds or cancelling orders. Ofcom notes consumer scepticism around chatbot effectiveness and concerns about users anthropomorphising AI systems.
Operators deploying or planning agentic AI tools should develop effective governance frameworks that demonstrably address explainability and oversight by design.
Ofcom is also preparing for increased AI-related regulatory responsibilities, including new responsibilities regarding data centres under the Cyber Security and Resilience Bill currently before Parliament. Ofcom will continue to use its powers under the TSA to address security and resilience risks arising from AI in telecoms networks.