Requirements · Signalling
Signalling security: SS7, Diameter and 5G duties
The signalling plane is where telecoms-specific attacks live, and the Code of Practice treats it accordingly: continuous monitoring at external interfaces, telecoms-aware detection, secure handling of signalling data and hard testing of exposed edges.
Last reviewed 13 July 2026 · all sources linked in the text
The four signalling expectations
From the 31 March 2027 wave, providers need active detection and protection, not just architecture. In practice that means:
Continuous signalling monitoring
Inbound and outbound signalling traffic watched at externally facing interfaces, with detection tuned to telecoms-specific abuse patterns rather than just volume spikes.
Signalling data handled as sensitive
Records from the signalling plane carry real intelligence value, so the code expects them stored and accessed like the sensitive data they are, with analysts examining unusual or hostile signalling behaviour rather than filing it.
Warn the neighbours
When hostile signalling traffic is identified, the code expects you to be able to warn the operators on the other end of it. UK networks are treated as a community that defends together.
Test the exposed edges
Externally reachable signalling interfaces get adversarial treatment: fuzzing and hostile-input testing on a schedule, on the sound logic that attackers run the same tests uninvited.
The practical challenge
Signalling detection needs telecoms analysts
Generic security monitoring does not recognise a malicious MAP query or a suspicious Diameter pattern. The code expects analysis by people who understand telecoms networks, which is precisely the gap most providers' generalist tooling and MSPs leave open. Signalling telemetry belongs in the same SOC that watches the rest of your estate.
Quick answers
Signalling security FAQs
Why does the Act care so much about signalling?
Signalling protocols (SS7, Diameter and their 5G successors) were designed for a world where every connected network was trusted. Attackers exploit them for location tracking, interception and fraud without touching a single endpoint, which is why the code demands active detection and protection on the signalling plane, not just perimeter firewalls.
What did the 2026 revision add for signalling?
New measures on preventing malicious signalling message injection, maintaining and reviewing number analysis reference data, locking operations codes down to known address lists, and independent signalling intrusion detection on outgoing traffic to catch bypass and data obfuscation failures. Fixed and mobile signalling additions sit in the March 2028 tranche.
When do the signalling measures fall due?
Baseline signalling and BGP controls sat in the waves already passed (March 2025), active signalling detection and protection falls due with the 31 March 2027 wave, and the revised code's signalling additions arrive from March 2028. Signalling is a genuine multi-wave programme.
A multi-wave programme
Get your signalling roadmap straight
A free 45 minute discovery call maps your signalling exposure against the 2025, 2027 and 2028 waves and what to build in which order.