The Code of Practice
The Telecommunications Security Code of Practice
The TSA Code of Practice is the statutory guidance behind the Telecoms Security Act: around 258 technical measures that Tier 1 and Tier 2 providers are expected to implement to phased dates, first published in December 2022 and revised in 2026. Here is how it works and what it demands.
Last reviewed 13 July 2026 · all sources linked in the text
Where the code sits in the legal stack
The Act creates the duties, the 2022 Regulations make them specific, and the Code of Practice explains, in engineering detail, what good looks like. Issued under sections 105E and 105F of the Communications Act 2003, it is guidance with legal weight: depart from it and Ofcom can require you to explain why your alternative still meets the law.
Section 1: who and when
The tiering system, the code's legal status, and the implementation timeframes: which providers are expected to follow the measures, and by what dates.
Section 2: fourteen key concepts
The substance, from network architecture and protection of data to monitoring, supply chain, governance, patching, competency and testing. This is where the security thinking lives.
Section 3: the technical measures
Around 258 individual guidance measures, each mapped to the regulations it supports and stamped with the date by which providers are expected to have it in place.
The fourteen concept areas
- Overarching key concepts
- Network architecture
- Protection of data and functions
- Monitoring tools
- Monitoring and analysis
- Supply chain
- Preventing unauthorised access
- Remediation and recovery
- Governance
- Reviews
- Patching and updates
- Competency
- Testing
- Assistance
Our requirements guide walks each area in plain English.
Timeframes, honestly
Every measure in Section 3 carries an implementation date, and the dates arrive in waves:
- 31 Mar 2024 Earliest measures, Tier 1
- 31 Mar 2025 Tier 2 catch-up + next shared wave
- 31 Mar 2027 The operational wave: PAM, SOC, signalling
- Mar 2028 Final 2022 wave + first revised-code tranche
- Dec 2028 / Dec 2029 Remaining revised-code additions
Most dates are shared by Tier 1 and Tier 2; only a subset of the most straightforward measures came earlier for Tier 1 (code paragraph 0.27).
The full timeline, every dateRevised in 2026
The code just changed. Did your plan?
The draft revised code published on 1 June 2026 rewrites the privileged access workstation guidance, adds cloud, API, automation and eSIM measures, and sets new dates through to December 2029. Compliance plans written against the 2022 code need a structured refresh, not a panic.
Quick answers
Code of Practice FAQs
Is the Code of Practice legally binding?
Not directly, but it is far more than advice. Providers can meet their legal duties in other ways, but must be ready to justify any departure to Ofcom under section 105I of the Act, and both Ofcom and the courts must take the code into account in relevant decisions. In practice, following the code is the default route to demonstrable compliance.
Who is expected to follow the code?
Tier 1 providers (relevant turnover of £1bn or more) and Tier 2 providers (£50m to £1bn). Tier 3 providers are not expected to follow it by default but still owe the Act's duties, and often meet the code anyway through flow-down clauses when they supply larger networks.
What changed in the 2026 revision?
A draft revised code published on 1 June 2026 adds guidance on cloud deployments, API security, network automation, eSIM provisioning and principle-based privileged access workstations, with new measures phased at March 2028, December 2028 and December 2029. The 2022 code remains Ofcom's benchmark until the revision formally takes effect.
More questions answered on the full FAQ page.
From reading to doing
Turn the code into a delivery plan
A free 45 minute discovery call maps the code's measures against what you already have, and tells you honestly where the real work is.