Requirements · Signalling

Signalling security: SS7, Diameter and 5G duties

The signalling plane is where telecoms-specific attacks live, and the Code of Practice treats it accordingly: continuous monitoring at external interfaces, telecoms-aware detection, secure handling of signalling data and hard testing of exposed edges.

Last reviewed 13 July 2026 · all sources linked in the text

The four signalling expectations

From the 31 March 2027 wave, providers need active detection and protection, not just architecture. In practice that means:

Continuous signalling monitoring

Inbound and outbound signalling traffic watched at externally facing interfaces, with detection tuned to telecoms-specific abuse patterns rather than just volume spikes.

Signalling data handled as sensitive

Records from the signalling plane carry real intelligence value, so the code expects them stored and accessed like the sensitive data they are, with analysts examining unusual or hostile signalling behaviour rather than filing it.

Warn the neighbours

When hostile signalling traffic is identified, the code expects you to be able to warn the operators on the other end of it. UK networks are treated as a community that defends together.

Test the exposed edges

Externally reachable signalling interfaces get adversarial treatment: fuzzing and hostile-input testing on a schedule, on the sound logic that attackers run the same tests uninvited.

The practical challenge

Signalling detection needs telecoms analysts

Generic security monitoring does not recognise a malicious MAP query or a suspicious Diameter pattern. The code expects analysis by people who understand telecoms networks, which is precisely the gap most providers' generalist tooling and MSPs leave open. Signalling telemetry belongs in the same SOC that watches the rest of your estate.

How CyPro covers it

Quick answers

Signalling security FAQs

Why does the Act care so much about signalling?

Signalling protocols (SS7, Diameter and their 5G successors) were designed for a world where every connected network was trusted. Attackers exploit them for location tracking, interception and fraud without touching a single endpoint, which is why the code demands active detection and protection on the signalling plane, not just perimeter firewalls.

What did the 2026 revision add for signalling?

New measures on preventing malicious signalling message injection, maintaining and reviewing number analysis reference data, locking operations codes down to known address lists, and independent signalling intrusion detection on outgoing traffic to catch bypass and data obfuscation failures. Fixed and mobile signalling additions sit in the March 2028 tranche.

The 2026 changes in full

When do the signalling measures fall due?

Baseline signalling and BGP controls sat in the waves already passed (March 2025), active signalling detection and protection falls due with the 31 March 2027 wave, and the revised code's signalling additions arrive from March 2028. Signalling is a genuine multi-wave programme.

See the full timeline

3D rocket illustration for booking a free TSA discovery call

A multi-wave programme

Get your signalling roadmap straight

A free 45 minute discovery call maps your signalling exposure against the 2025, 2027 and 2028 waves and what to build in which order.