On 12 May, Ofcom launched a consultation on proposed updates to its General statement of policy under section 105Y of the Communications Act 2003 (the “Statement of Policy”) in respect of how it will assess compliance by public telecommunications operators with their security obligations under the UK telecommunications security regulatory regime (see Background below for further details). The consultation closes on 4 August 2026, with a final statement expected later this year.

In parallel, the UK government has published proposed revisions to the Telecommunications Security Code of Practice 2022 following consultation with the industry, Ofcom and other stakeholders (the “Revised Code”).

This article provides a summary of the proposed changes to Ofcom’s Statement of Policy and the key updates to the Revised Code.

Background to telecommunications security regulation

In 2021, the UK government made major changes to the regulation of the security of public telecommunications networks and services. As part of the changes, regulation shifted from an operator-led approach, where operators would determine “appropriate and proportionate” measures to secure their networks and services, to a regime where such measures are set out on a prescriptive basis under regulation and codes of practice.

These changes were brought into effect through the Telecommunications (Security) Act 2021 (which amended the Communications Act 2003), the Electronic Communications (Security Measures) Regulations 2022, and the Telecommunications Security Code of Practice 2022 (together, the “Security Instruments”).

Ofcom Statement of Policy

Under this regime, Ofcom is responsible for supervising and enforcing operators’ compliance with their security duties under the Security Instruments.

Section 105Y of the Communications Act 2003 requires Ofcom to publish a statement explaining how it will exercise such supervisory and enforcement functions in relation to telecoms security duties. We previously wrote about Ofcom’s Statement of Policy here.

The Statement of Policy is procedural rather than substantive: it does not impose new obligations on providers but sets out:

  • how Ofcom monitors compliance;
  • how it exercises enforcement powers; and
  • what types of “security compromises” must be reported, and how.

Telecommunications Security Code of Practice

Under the Security Instruments, the Telecommunications Security Code of Practice 2022 provides detailed guidance from the UK government as to how it expects telecom operators to comply with the broader obligations in the Telecommunications (Security) Act 2021 and the Electronic Communications (Security Measures) Regulations 2022.

What is changing?

Ofcom Statement of Policy

The proposed updates reflect Ofcom’s evolving approach to its supervisory and enforcement role, more than three years since the introduction of the Security Instruments, and are primarily aimed at improving the consistency, clarity and usefulness of incident reporting, while refining its supervisory approach.

Below, we provide a summary of some of the key changes proposed by Ofcom.

1. Standardisation of incident reporting thresholds

One of the key proposed changes is the introduction of standard thresholds for incident reporting.

In particular:

  • A move away from bespoke thresholds per MNO to a standard threshold for all MNOs: Ofcom proposes to remove operator-specific thresholds and replace them with a single standard threshold that applies to all MNOs.

Under the Ofcom proposal, all MNOs must report a security compromise that affects ≥100,000 customers for any duration, and a security compromise that affects ≥10,000 customers or ≥25% of customers where the duration is ≥8 hours.

  • Introduction of infrastructure-based thresholds for MNOs: because the number of mobile customers affected by a security compromise is difficult to assess, Ofcom proposes to introduce a threshold based on the number of cell sites affected, with a specific threshold for rural areas.

This includes reporting of security compromises affecting ≥25 cell sites for ≥2 hours; ≥150 cell sites for any duration of time; or ≥1 rural cell site for ≥8 hours.

2. Clarification on what to report

Ofcom is proposing to clarify that incidents having a significant effect on the operation of a network or service in scope will remain reportable even if they do not meet the Ofcom criteria or thresholds. This means operators cannot rely solely on Ofcom’s reporting criteria and must still consider this catch-all reporting obligation when assessing security compromises.
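The proposed MNO thresholds described above (customer-based and cell-site-based) and the catch-all obligation in section 2 are the kind of rules a telecoms incident-response team would encode in its triage tooling so that reportability is assessed consistently. The following is an added illustration written for this article, not Ofcom’s or any operator’s code. It assumes that the “≥25% of customers” test is measured against the operator’s total customer base (an assumption; the consultation text here does not state the denominator) and that the “significant effect” catch-all is an analyst judgement supplied as an input rather than something derived from the numbers.

```python
from dataclasses import dataclass

# Proposed reporting thresholds for MNOs, as summarised in the article.
CUSTOMERS_ANY_DURATION = 100_000   # customers affected, any duration
CUSTOMERS_LONG = 10_000            # customers affected for >= 8 hours
CUSTOMER_PCT_LONG = 25.0           # % of customer base affected for >= 8 hours
CUSTOMER_LONG_HOURS = 8.0
SITES_MEDIUM = 25                  # cell sites affected for >= 2 hours
SITES_MEDIUM_HOURS = 2.0
SITES_ANY_DURATION = 150           # cell sites affected, any duration
RURAL_SITES_LONG = 1               # rural cell sites affected for >= 8 hours
RURAL_LONG_HOURS = 8.0


@dataclass
class Compromise:
    """Facts known about a security compromise at the time of assessment."""
    customers_affected: int
    customer_base: int                 # assumption: denominator for the 25% test
    duration_hours: float              # elapsed so far; grows for ongoing incidents
    cell_sites_affected: int = 0
    rural_cell_sites_affected: int = 0
    significant_effect: bool = False   # analyst judgement for the catch-all duty


def reporting_triggers(c: Compromise) -> list[str]:
    """Return every reporting trigger the compromise currently meets.

    An empty list means no numeric threshold and no catch-all applies yet.
    Ongoing incidents should be re-evaluated as duration increases, because
    the 2-hour and 8-hour tests can start to apply later.
    """
    triggers: list[str] = []

    # Customer-based thresholds
    if c.customers_affected >= CUSTOMERS_ANY_DURATION:
        triggers.append("customers >= 100,000 (any duration)")
    pct_affected = (100.0 * c.customers_affected / c.customer_base
                    if c.customer_base > 0 else 0.0)
    if c.duration_hours >= CUSTOMER_LONG_HOURS and (
            c.customers_affected >= CUSTOMERS_LONG
            or pct_affected >= CUSTOMER_PCT_LONG):
        triggers.append("customers >= 10,000 or >= 25% for >= 8 hours")

    # Infrastructure-based thresholds
    if c.cell_sites_affected >= SITES_ANY_DURATION:
        triggers.append("cell sites >= 150 (any duration)")
    if (c.duration_hours >= SITES_MEDIUM_HOURS
            and c.cell_sites_affected >= SITES_MEDIUM):
        triggers.append("cell sites >= 25 for >= 2 hours")
    if (c.duration_hours >= RURAL_LONG_HOURS
            and c.rural_cell_sites_affected >= RURAL_SITES_LONG):
        triggers.append("rural cell site >= 1 for >= 8 hours")

    # Catch-all: significant effect on the operation of the network or
    # service remains reportable even when no numeric threshold is met.
    if c.significant_effect:
        triggers.append("catch-all: significant effect on operation")

    return triggers


def must_report(c: Compromise) -> bool:
    """True if any threshold or the catch-all obligation currently applies."""
    return bool(reporting_triggers(c))


if __name__ == "__main__":
    # Constructed sample: a small incident that meets no numeric threshold
    # but which an analyst has judged to have a significant effect.
    sample = Compromise(customers_affected=500, customer_base=5_000_000,
                        duration_hours=1.0, significant_effect=True)
    print(must_report(sample), reporting_triggers(sample))
```

The point of returning the list of triggers rather than a bare boolean is auditability: the reasons can be written into the incident record and the report to Ofcom. Because two of the tests depend on elapsed duration, the check belongs in a loop or scheduled task that re-runs while the incident is open, not a one-off evaluation at detection time.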

3. Evolution of Ofcom’s approach to compliance monitoring

Beyond reporting, the consultation signals a shift in how Ofcom intends to exercise its broader powers. In particular, Ofcom suggests that it will begin to use assessment notices on a more standard basis as part of its compliance monitoring activities.

Originally, Ofcom would primarily use information notices, which simply request information from an operator. Assessment notices were intended as the next escalation step in the enforcement process, permitting Ofcom to direct operators to take specific action or perform specific tests.

The change is intended to reduce the burden on operators and to improve efficiency: it allows Ofcom to assess non-compliance more directly, rather than proceeding through a two-step process in which it first seeks general information through an information notice and then, through an assessment notice, seeks more specific information and action to verify matters identified from the facts gathered at the first step.

Telecommunications Security Code of Practice

Why is the 2022 Code changing?

Since the original 2022 Code, different threats have emerged and new technologies have developed, which were not addressed in the 2022 Code.

The UK government is revising the 2022 Code following security advice from the National Cyber Security Centre (NCSC), and to reflect the need for the 2022 Code to remain up to date to achieve its purpose of establishing measures for how operators can comply with their obligations under the Security Instruments.

Key changes to the 2022 Code

The Revised Code introduces additional guidance and targeted updates in key areas, including:

  • network automation, aligning with National Cyber Security Centre (NCSC) guidance, including principles for secure machine learning;
  • signalling, which is noted to address continued targeting of signalling systems by cyber threat actors and reflect industry feedback;
  • privileged access workstations, including updates to align with European Telecommunications Standards Institute (ETSI) standards;
  • application programming interfaces (APIs), reflecting their increased use and associated security risks, including data loss; and
  • patching and updates, to mitigate risks associated with threats such as non-persistent malware.

Key takeaways for communications providers

Public telecommunications operators within the scope of the Security Instruments will need to review carefully the updates proposed by Ofcom and the new requirements in the Revised Code. This is because these instruments require proactive action by operators in the day-to-day management of the security of their telecommunications networks and in the structuring of their compliance functions.

In particular:

  1. Ofcom’s proposed updates will change the criteria and triggers for reporting security compromises, and will replace the existing reporting templates. Operators should review any internal processes established to comply with the original Ofcom Statement of Policy, and update them accordingly once Ofcom has published its final decision, to ensure ongoing compliance.
  2. The UK government’s Revised Code sets out updated expectations for how telecommunications networks should be secured against updated threats and technologies. Operators should assess whether these updates apply to their networks and the way they are deployed, and whether they are, or can become, compliant with the revised procedural guidance.

As these documents form part of the broader regulation under the Security Instruments, telecommunications operators should consider both documents together and assess the combined impact on their operational and compliance frameworks, including incident reporting processes, technical controls, and internal governance arrangements. Early engagement may help identify implementation challenges and inform any response to Ofcom.

Next Steps

Stakeholders have until 4 August 2026 to respond to the Ofcom consultation.

The Revised Code has already been subject to a consultation process, and the UK government has now indicated that the Revised Code will be finalised and laid before Parliament.