Code of Practice · 2026 revision

What changed in the 2026 revised Code of Practice

The government consulted on updating the 2022 code in late 2025, published its response and a revised draft on 1 June 2026, and dropped the December 2026 and March 2027 dates it had originally floated for new measures. Here is what actually changed, and when each addition falls due.

Last reviewed 13 July 2026 · all sources linked in the text

The status, precisely

The draft revised code must be laid before Parliament for a 40-sitting-day scrutiny period before it is issued in final form; commentators expected it in force around mid July 2026. Until that happens, the 2022 code remains Ofcom's benchmark, and the existing 2024 to 2028 wave dates for current measures are unchanged. Nothing in the revision relaxes what providers should already be building.

Privileged access workstations, rethought

The prescriptive PAW checklist becomes eight principle-based design guidelines aligned with ETSI standards, plus new guidance on monitoring remote administrative access and holding third-party administrators (including MSPs) to the same bar with dedicated per-provider access.

Cloud gets its own section

New guidance (6.22 to 6.30) treats cloud providers as third-party administrators and suppliers, states plainly that lift and shift is insufficient, requires control-plane disconnection impact to be assessed, and keeps accountability with the telecoms provider.

APIs, comprehensively

A new section (7.11 to 7.26) covers exposure minimisation, authentication (basic auth excluded), input validation, rate limiting, logging, change control and secure development testing for consuming applications.

Automation as security critical

Automation tools that can affect network confidentiality, integrity or availability are classified as Security Critical Functions, with secure build, input validation, rollback capability and named business ownership required.

SIM and eSIM controls

Trustworthiness assessment extends to whoever provisions the eSIM, profile modifications must be logged and monitored, and SIM suppliers are verified against the GSMA's accredited sites list.

Signalling, sharpened

New measures (2.79 to 2.82) on preventing malicious signalling message injection, maintaining number analysis reference data, locking down operations codes and independent signalling intrusion detection on outgoing traffic.

Other notable adjustments in the official change log: BGP monitoring extended to routing leaks, alerts when logging or anti-virus stops, board-level ownership of security risk, procurement guidance making security a significant factor with total-cost-of-ownership analysis (firmware included), bulk-data protection emphasis, and a duty to reassess risks when the threat or geopolitical landscape shifts.

New dates, not new panic

When the new measures fall due

Industry feedback moved the new measures beyond the original proposals. Three tranches now sit alongside the existing timeline.

March 2028

First tranche of new measures, aligning the code with NCSC Cyber Assessment Framework v4.0 business-process measures, plus test-network passwords and fixed and mobile signalling additions.

December 2028

SIM and eSIM certificate checks, automated vulnerability scanning and automation pipeline validation.

December 2029

Most remaining new measures: API security, service accounts, threat modelling, trusted boot, anti-prepositioning controls, customer premises equipment monitoring, logging tests and signalling reference data.

These sit on top of the 2022 code's waves, including the major operational wave due 31 March 2027. The full timeline shows everything in one view.

3D rocket illustration for booking a free TSA discovery call

Plan the refresh

Get your compliance plan updated for the revised code

A free 45 minute discovery call reviews your current plan against the 2026 changes and sequences the additions sensibly alongside your March 2027 work.