The Department for Science, Innovation and Technology has published the consultation outcome to the Proposals to update the Telecommunications Security Code of Practice 2022.
This is the first revision since the Code came into force in 2022. It marks a critical pivot toward treating the framework as a "living document" capable of adapting to an escalating threat landscape. The revised Code will be laid in Parliament shortly, triggering a 40-day scrutiny period before taking final effect.
The government has dropped the proposal for network equipment to be restarted at least monthly, replacing it with a proportionate, risk-based approach. It has removed "shared sites" from the exposed edge, which could otherwise have pulled co-location and multi-tenant facilities into scope. It has dropped the proposed intrusion detection system measure for signalling, and softened the fortnightly review of number analysis data that we had flagged as disproportionate.
Requirements to log APIs and service accounts in the asset register have been relaxed to a more practical central repository, the demand for a "fully funded" plan to remove end-of-life equipment has been loosened, and the Total Cost of Ownership definition has been narrowed to security costs alone.
The government has extended many deadlines, moving a swathe of new measures to December 2029 and the new Cyber Assessment Framework provisions to March 2028.