Cyber Security | UK Regulatory Outlook April 2025

Published on 29th April 2025

Government publishes Cyber Security and Resilience Bill policy statement | Government response to call for views on code of practice for software vendors | Cyber Security Breaches Survey 2025 

Government publishes Cyber Security and Resilience Bill policy statement 

The Department for Science, Innovation and Technology has published a policy statement setting out the measures to be included in the Cyber Security and Resilience Bill, which is expected to be introduced in the current Parliamentary session. 

The statement sets out the following confirmed measures in the bill: 

  • Bringing more entities into scope of the regulatory framework: Duties will be placed on managed service providers (MSPs) and critical suppliers to businesses to improve their cyber security. Regulators will also be able to identify and designate high-impact suppliers as "designated critical suppliers" to address critical supply chain vulnerabilities.
  • Empowering regulators and enhancing oversight: The secretary of state will be given powers to make regulations to update existing requirements, tailor them for specific sectors, and issue codes of practice to help businesses comply. There will be expanded incident reporting criteria for regulated entities, complemented by the measures in the ransomware legislative proposals currently under consultation. There will also be improved information gathering powers for the Information Commissioner's Office (ICO), including expanded criteria for the ICO to serve information notices on digital services firms.
  • Powers of direction: The secretary of state will be granted new delegated powers to update the regulatory framework, including bringing new sectors and sub-sectors in scope of the regulations and changing the responsibilities and functions of network and information systems (NIS) regulators. 

Alongside the confirmed proposals, which were previously announced in the King's Speech, the policy statement sets out some additional measures under consideration more generally (not necessarily in this bill): 

  • Bringing data centres into scope of the regulatory framework by classifying them as an essential service, in recognition of their new status as critical national infrastructure (as previously reported).
  • Publishing a statement of strategic priorities for regulators once every three to five years, accompanied by an annual report from regulators on their progress against objectives set out in the statement.
  • New executive powers for the secretary of state to direct a regulated entity or regulator to take action, where necessary for national security, with consideration to the precedent set by the enforcement regime under the Telecommunications (Security) Act 2021 (companies face a daily fine of £100,000, or up to 10% of turnover, for non-compliance). 

Read the press release and National Cyber Security Centre (NCSC) blog

Government response to call for views on code of practice for software vendors 

As previously reported, in May 2024 the government published a draft voluntary code of practice for software vendors and related call for views, establishing a set of voluntary security and resilience measures for organisations developing or selling software used by businesses. 

The government has now responded to its call for views, stating that minor revisions will be made before the new code is published in 2025. 

See more information on the wider governance package intended to help boards and directors manage digital risks and protect their organisations against cyber attacks.  

Cyber Security Breaches Survey 2025 

The government published the latest Cyber Security Breaches Survey, an annual survey on UK cyber resilience exploring the policies, processes and approaches to cyber security of businesses, charities and educational institutions.

The survey, which is intended to be statistically representative of businesses of all sizes and relevant sectors in the UK, revealed that the threat of cyber attacks was largely consistent with 2024 (43% of businesses experienced a cyber security breach or attack in the last 12 months, compared to 50% of businesses in 2024). However, the prevalence of ransomware among businesses has increased significantly from less than 0.1% of businesses in 2024 to 1% in 2025 (which equates to around 19,000 businesses). 

Furthermore, board-level responsibility for cyber security has continued to decline among businesses since 2021 (38% of businesses had a board member with responsibility for cyber security in 2021, compared to 27% in 2025). As in previous years, larger organisations (96%) demonstrated a higher prioritisation of cyber security than businesses overall (72%).

The NCSC has released new online training designed to help boards and directors govern cyber security risk and implement the cyber governance code of practice. The code focuses on the actions senior leaders should take to govern cyber risks effectively within their organisation. The government has also produced a diagram and mapping document showing how the cyber governance code of practice relates to existing cyber standards and frameworks.

* This article is current as of the date of its publication and does not necessarily reflect the present state of the law or relevant regulation.