HomeInsightsGovernment lays new telecoms security Regulations and an accompanying draft Code of Practice in Parliament in the UK


The Government has laid the new Electronic Communications (Security Measures) Regulations 2022 in Parliament, along with a draft Telecommunications Security Code of Practice. The Regulations and Code are intended to address risks to the security of the UK’s public telecoms networks and services and have been developed in conjunction with the National Cyber Security Centre (NCSC) and Ofcom.

The Electronic Communications (Security Measures) Regulations come into force on 1 October 2022. They set out specific security measures that public telecoms providers need to take in addition to the overarching legal duties in sections 105A and 105C of the Communications Act 2003 (as amended by the Telecommunications (Security) Act 2021). These measures are designed to ensure that public networks and services are following appropriate and proportionate security practices.

Public telecoms providers that fail to comply with the Regulations could face fines of up to 10% of turnover or, in the case of a continuing contravention, £100,000 per day. Ofcom will monitor and enforce public telecoms providers’ compliance with the regulations. Ofcom’s new powers include:

  • identifying and assessing the risk to any “edge” equipment that is directly exposed to potential attackers, including radio masts and internet equipment supplied to customers such as Wi-Fi routers and modems which act as entry points to the network;
  • keeping tight control of who can make network-wide changes;
  • protecting against certain malicious signalling coming into the network which could cause outages;
  • having a good understanding of risks facing their networks; and
  • making sure business processes are supporting security (e.g., proper board accountability).

Providers will be expected to have achieved these outcomes by March 2024.

The draft Code of Practice contains guidance on how providers can comply with the Regulations. It sets out what good telecoms security looks like, explaining key concepts underpinning the Regulations and specific technical guidance measures that can be taken by providers to demonstrate compliance with their legal obligations.

The draft Code has been laid in Parliament under the requirement in section 105F of the Communications Act 2003. It will remain in draft for Parliamentary scrutiny for forty sitting days, after which the Government plans to issue and publish the Code of Practice. To access the legislation and Code of Practice, click here.