Cyber security | UK Regulatory Outlook April 2026
Published on 30th April 2026
Government invites organisations to sign Cyber Resilience Pledge | DESNZ and Ofgem consult on cyber resilience regulation for downstream gas and electricity | NCSC advisory on Russian APT28 group exploiting vulnerable routers for cyber attacks | NCSC blog on frontier AI model benefits for cyber security defence plans | Government response to call for views on enterprise connected device security | EU Commission consults on draft guidance on Cyber Resilience Act
Government invites organisations to sign Cyber Resilience Pledge
The government has announced the introduction of a voluntary Cyber Resilience Pledge, inviting organisations to commit to three actions to improve their resilience to cyber attacks.
Announced at the CyberUK conference, the pledge, which will be formally launched in the summer, will require signatory organisations to commit to: ensuring board-level responsibility for cyber security (including implementing actions within the Cyber Governance Code of Practice); signing up to the Early Warning service (within one month of signing the pledge); and requiring Cyber Essentials certification across their supply chains.
Organisations will also be encouraged to publish the signed pledge declaration on their website and to promote adoption of these actions within their supply chains.
The requirement for board-level responsibility reflects a growing trend in cyber regulation, although this notably contrasts with the UK government's most high-profile new cyber law, the Cyber Security and Resilience Bill (CSRB), currently going through the legislative process. The CSRB, as currently drafted, imposes no statutory obligation on management bodies to approve cybersecurity measures or bear personal liability for non-compliance (in contrast to its EU sister legislation, the NIS2 Directive, which does both expressly).
DESNZ and Ofgem consult on cyber resilience regulation for downstream gas and electricity
The Department for Energy Security and Net Zero (DESNZ) and Ofgem have launched a consultation seeking views on proposals for a new approach to cyber resilience regulation for downstream gas and electricity (DGE) operators in Great Britain.
The proposals include introducing baseline cyber resilience requirements (through the Cyber Essentials certification scheme) for all Ofgem licensees, and exploring the possible expansion of scope of the NIS Regulations to cover DGE operators that can materially impact energy system stability. The consultation closes on 22 May 2026.
NCSC advisory on Russian APT28 group exploiting vulnerable routers for cyber attacks
The NCSC has published an advisory revealing how the Russian cyber threat group APT28 has exploited vulnerable routers to hijack DNS, enabling adversary-in-the-middle attacks and the theft of passwords and authentication tokens, and putting organisations at risk of credential theft, data manipulation and broader compromise.
The advisory contains details of the tactics, techniques and procedures associated with APT28's exploitation of routers and notes that the activity is likely opportunistic in nature, beginning with a wide pool of victims before narrowing down to targets of intelligence interest as the attack develops.
The NCSC encourages organisations to follow its mitigation advice to protect against DNS hijacking attacks, including ensuring that devices and software are maintained and kept up to date and setting up multi-factor authentication.
Read the related NCSC blog.
NCSC blog on frontier AI model benefits for cyber security defence plans
The NCSC has published a blog post outlining the evolution of frontier AI (referring to the most advanced models available at any given time), its cyber capabilities and how threat actors are already leveraging these capabilities to aid their attacks. It also highlights three ways in which organisations may deploy frontier AI within their own systems to strengthen defences, including system hardening, improving threat detection and investigation, and exploring automated response capabilities.
The NCSC notes that organisations that invest early in "strong security baselines and carefully deployed AI-enhanced defence will be best placed to retain defender advantage as AI increasingly shapes the cyber risk environment".
Government response to call for views on enterprise connected device security
The government has published its response to its May 2025 consultation on the security of enterprise connected devices (IoT devices), which include office printers, internet-connected telephones, building entry systems and room booking systems.
In response to the feedback received, the government will:
- Review whether to expand the scope of this work beyond enterprise connected devices as part of its ongoing analysis of securing the broader technology landscape.
- Look to finalise the security principles, including making them modular within the broader set of secure by design codes of practice for technology, and explore the possibility of a certification scheme for manufacturers.
- Assess options for potential regulatory measures, in light of respondent feedback that the government should go further than voluntary adoption and incorporate some form of assurance or enforcement mechanism.
In the meantime, the government states that it expects manufacturers to use the device security principles to make their products secure by design and, where applicable, asks organisations that embed software into their devices to also apply the principles set out in the software security code of practice.
EU Commission consults on draft guidance on Cyber Resilience Act
The European Commission is seeking views on its draft guidance intended to help manufacturers, developers and other stakeholders meet the obligations of the Cyber Resilience Act (CRA). The draft guidance focuses on remote data processing solutions, free and open-source software, "support periods", and the interplay between CRA and other EU legislation. The consultation closed on 13 April 2026.
To find out more, sign up for Osborne Clarke's Digital Regulation Download webinar, where our international expert panel will explore the interplay between the new cyber security regulations in the EU and UK, including the NIS2 Directive, the UK Cyber Security and Resilience Bill, the CRA and the UK Product Security and Telecommunications Infrastructure Act.