Skip to content

Perspectives

The revised TSA Code of Practice: what changed, and by when

The updated Telecommunications Security Act Code and its revised timetable, and what they mean for how operators evidence their security governance.

Last reviewed June 2026 5 min read


The revised Telecommunications Security Act Code of Practice was laid before Parliament on 3 June 2026 under the negative procedure — a 40-sitting-day period after which it takes effect — alongside DSIT's consultation response of 1 June 2026. The version now heading through Parliament is not the version the industry was working against a year ago. Two things have changed in ways that matter for how operators plan their evidence work.

The near-term cliff edge has moved

The 2025 consultation floated deadlines that placed a first tranche of CAF v4.0 measures at 31 December 2026, with a further set at 31 March 2027 and a further set at 31 December 2028. Those dates are no longer the ones to plan against.

The revised timetable groups the new measures into approximately:

  • March 2028 — the first CAF v4.0 tranche.
  • December 2028 — SIM/eSIM certificate checks and automated vulnerability scanning.
  • December 2029 — further measures.

The near-term December 2026 pressure point has effectively been removed. This is meaningful — it makes the Code a longer-runway obligation for planning purposes than the previous consultation implied. For an operator working to the older dates, this changes what "urgent" versus "important" looks like on the security-governance roadmap.

The penalty has not moved

Ofcom retains the ability to fine up to 10% of relevant turnover for material non-compliance with the underlying security duties. So while the near-term deadline pressure has softened, the size of the eventual downside has not. The pattern that matters is not "when does something have to be true" but "what does the evidence look like at the point Ofcom asks."

What the Code actually asks operators to evidence

The Code is not itself the source of the security requirements — those sit in the underlying regulations and the Cyber Assessment Framework (CAF) that the Code points to. Where the Code lives is in the expected practice for how an operator implements those measures. That means, in practice, that an operator's evidence of compliance has to sit at two levels: the security-governance documentation itself (policies, procedures, controls), and a structured self-assessment (typically the CAF) that reads coherently against those documents.

The failure mode we expect to see, and the one an operator should plan against, is the same one that shows up in every regulated evidence pack: the documents and the self-assessment drift apart. A control is described one way in the policy, another way in the CAF, and a third way in an ISMS artefact. All three may be defensible on their own; together they read as inconsistent, and Ofcom's questions get harder.

What to do about it

Three things follow from the shift.

Treat the Code as a longer-runway obligation, but not a distant one. Building the evidence discipline takes longer than the compliance work itself. Operators that have used the near-term-deadline anxiety to justify a quick fix will find that the fix does not scale to the March 2028 tranche.

Reconcile the governance pack against itself. The single most useful thing an operator can do this year is a rigorous internal cross-check of their security-governance documents against their CAF self-assessment, flagging every place the two disagree. This is the same shape as an assurance-readiness exercise for a climate disclosure — different subject matter, same discipline.

Bind claims to source. When Ofcom asks how a control is implemented, the answer that lands well is not "here is our policy" — it is "here is the policy clause, here is the implementation artefact it points to, and here is the operational evidence that shows it in force." That linkage is easy to describe and painful to maintain by hand.

The productised version of that discipline — evidence log, gap report against the Code, consistency check across the pack — is what our telecoms security work does.


This piece rests on the position of the revised Code of Practice as of June 2026, after the DSIT consultation response and Parliamentary laying. The 40-sitting-day negative-procedure window and the eventual entry-into-force are still moving; the position stated here should be re-checked against the final in-force Code before being relied upon.


More perspectives

Back to the index