Telecoms security and resilience: an update

4 Jun 2026 01:07 PM

This has been an important week for the security and resilience of the UK's communications networks.

On Monday, techUK was pleased to host the Department for Science, Innovation and Technology (DSIT) as it prepared to publish its response to the consultation on updating the Telecommunications Security Act (TSA) Code of Practice. This is the first time the Code has been updated since it came into force, and it marks a meaningful moment for a regime that was always intended to be a living document, evolving as threats and technologies change. 

The first update to the TSA Code of Practice 

The government will lay the revised Code in Parliament this week. It will sit for 40 days before taking effect, and, barring the unexpected, it is very likely to pass.

techUK and our members engaged closely throughout, and we are pleased that the government has listened. Our response, shaped by the Telecoms Security and Diversification Working Group, offered strong support for the TSA alongside a number of clear asks, and many are reflected in the final Code. 

Several changes are particularly welcome. The government has dropped the proposal for network equipment to be restarted at least monthly, replacing it with a proportionate, risk-based approach. It has removed "shared sites" from the exposed edge, which could otherwise have pulled co-location and multi-tenant facilities into scope. It has dropped the proposed intrusion detection system measure for signalling, and softened the fortnightly review of number analysis data that we had flagged as disproportionate. Requirements to log APIs and service accounts in the asset register have been relaxed to a more practical central repository, the demand for a "fully funded" plan to remove end-of-life equipment has been loosened, and the Total Cost of Ownership definition has been narrowed to security costs alone. 

On timing, we pressed for new and amended measures to land no earlier than 31 March 2030. The government has not gone that far, but it has extended many deadlines, moving a swathe of new measures to December 2029 and the new Cyber Assessment Framework provisions to March 2028. That is welcome breathing space for providers already delivering multi-year programmes. Where the government has held firm, including on dedicated physical privileged access workstations, we will keep making the case for flexibility as attention turns to the next iteration alongside the Cyber Security and Resilience Bill. 

From networks to the seabed: strengthening resilience 

Resilience was high on the agenda elsewhere too. Speaking at RUSI, Telecoms Minister Liz Lloyd set out plans to toughen protections for the subsea cables that carry almost all of our international data. She announced that the government will consult on a modernised criminal framework, with tougher fines and prison sentences for those who damage this infrastructure, and on new measures, building on the TSA, to set a robust baseline of security across the cable network. 

This matters for a country whose economy and security depend on staying connected to the world, and it speaks to techUK's wider work on infrastructure resilience. Subsea connectivity also underpins the compute that will power greater adoption of technology (including AI) and keep our world-leading sectors – like Financial Services – at the forefront. We will explore these themes at our Subsea Cables event in July, and we would encourage interested members to get involved.

Join us on 26 June 

These conversations come together at our AI Assurance in Critical National Infrastructure half-day conference on 26 June, from 13:00-17:00 at techUK in London. The event will examine how AI is reshaping telecoms, energy, water, data centres and transport, with cyber security resilience and the regulatory landscape firmly in focus. It is free to attend, and you can book your place here.