Telecoms | UK Regulatory Outlook September 2025
Published on 25th September 2025
Consultation on the Telecommunications Security Code of Practice | Ofcom publishes statement and launches further consultation on direct-to-device services

Consultation on the Telecommunications Security Code of Practice
The government is consulting on updates to the Telecommunications Security Code of Practice. The aim is to reflect new technologies (eSIMs, APIs, automation), respond to emerging threats, and give clearer implementation guidance, including addressing issues related to the supply chain.
Who it applies to
As a reminder, the telecoms security code of practice applies to all telecoms providers (providers of an electronic communications service or network) whose annual revenue from telecoms services exceeds £50m (i.e. Tier 1 and Tier 2). Providers below the £50m threshold (Tier 3 providers) are not expressly required to follow the measures set out in the code; however, they still have an overarching obligation to ensure they have appropriate and proportionate measures in place to protect the security of their networks and services, so the measures in the code may be a helpful indication of what might be appropriate and proportionate.
Headlines
- The proposals do not rewrite the regime but sharpen it: clearer guidance, targeted new measures, and stronger supply chain resilience expectations.
- Clearer expectations in the code so providers know what “good” looks like, including around security testing and the use of dedicated, locked-down admin devices for sensitive tasks, and improved mapping of the code requirements to the Telecoms Security Regulations and relevant CAF objectives.
- New or strengthened measures providers will be expected to implement, with practical guidance on how to do so.
- Re-emphasis on a holistic approach: aligning governance, risk, operations and supplier management across the full telecoms stack with clearer lines of ownership for risk and response across organisational boundaries.
- A stronger supply chain focus: recent attacks show that weaknesses in vendors, software components and third-party access can undermine network resilience. The updated Vendor Security Assessment raises expectations for supplier resilience and recoverability. The government Vendor Security Assessment is expanded with a new Business Continuity and Disaster Recovery (BCDR) section, and extracts from the NCSC Cyber Assessment Framework are updated.
- eSIMs: new guidance on remote provisioning of eSIMs.
- Security testing: broadened scope and depth (for example, red/purple teaming, attack path validation, API and automation pipeline testing) tied to threat intelligence and materiality.
- Privileged access workstations (PAWs): firmer expectations around the use, hardening and segregation of PAWs to reduce compromise risk for sensitive administrative tasks.
What you may want to do now
- Review the helpful tracked changes PDF of the code of practice against your current controls and assurance programme.
- Check vendor due diligence and contract baselines against the updated Vendor Security Assessment, including BCDR expectations.
- Validate privileged access workstation policy, security testing scope, and API/eSIM/automation security controls.
- Prepare input for the consultation where clarification or proportionality would be helpful – the deadline for responses is 22 October 2025.
Ofcom publishes statement and launches further consultation on direct-to-device services
On 9 September, Ofcom published a statement confirming the outcome of the consultation it launched in March on satellite direct-to-device (D2D) services. In the statement, Ofcom confirmed that it will authorise the use of D2D services using UK mobile spectrum, with the goal of enabling commercial launch from early 2026. To achieve this, a new consultation has been launched on specific implementing measures.
What has been decided already
- Authorisation model: Ofcom will (i) create a discretionary licence exemption for handsets/SIM-enabled devices connecting to D2D; and (ii) vary participating mobile network operator (MNO) licences to add D2D conditions. Ofcom is not intending to directly license satellite operators at this stage.
- Spectrum scope: D2D can be enabled in existing FDD/SDL mobile bands below 3 GHz. TDD bands are excluded for now. Some bands (notably 1.4 GHz and 2.1 GHz) may need further technical work before practical authorisation.
- Coexistence protections: Aggregate PFD limits for unwanted emissions into mobile downlink (for example, −119 dBW/MHz/m² at 700/800/900; −113 at 1400; −111 at 1800/2100; −108 at 2600). Minimum satellite elevation angle reduced to 10 degrees.
- Cross-border: the aggregate PFD limits must be met at borders/coastlines; in 2100 MHz, any stricter existing cross-border thresholds prevail.
- Geographic scope: UK mainland and territorial seas only (excluding Channel Islands and Isle of Man).
- 999/emergency access: no new D2D-specific obligations now; if a D2D offer includes voice as defined in the General Conditions, GC A3 applies.
What is being consulted on
- Draft exemption regulations to permit handsets/SIM-enabled devices to connect to D2D.
- Additional technical conditions to protect 2.7–3.1 GHz Air Traffic Control radars where D2D uses 2.6 GHz (proposed apportionment of the existing radar protection threshold).
- Drafting of the non-technical licence conditions to be included in the MNO licence variation.
What you may want to do now
- MNOs intending to offer D2D should approach Ofcom now to initiate licence variation, preparing: targeted bands, evidence of a commercial agreement with the satellite operator (including compliance clauses), cross-border engagement, UK trial results and PFD service maps.
- Stakeholders should respond to the consultation by 5pm Friday 10 October 2025.