Cyber security | UK Regulatory Outlook June 2026
Published on 30th June 2026
Cyber Security and Resilience Bill progress update | ICO publishes guidance on protecting organisations from AI-powered cyber threats | Ofgem consults on draft supply chain security guidance for downstream gas and electricity | ESAs publish first report on DORA major ICT-related incidents | EU Commission welcomes G7 cybersecurity declaration to strengthen global digital resilience
Cyber Security and Resilience Bill progress update
As previously reported, the Cyber Security and Resilience Bill did not complete its passage through the last parliamentary session before Parliament was prorogued at the end of April 2026.
The government passed a carry-over motion for the bill, which was reintroduced in the 2026-27 session of Parliament on 14 May 2026 at the report stage. The third reading took place on 16 June 2026, after which the bill will proceed to the House of Lords for further consideration.
ICO publishes guidance on protecting organisations from AI-powered cyber threats
The ICO has published a blog post outlining five steps organisations should take to strengthen their resilience against AI-powered cyber threats.
- Know what you're up against – the ICO highlighted several AI-powered risks facing organisations, including AI-enhanced phishing attacks, deepfake social engineering and AI malware. The ICO recommends the Cyber Assessment Framework to understand the potential threats posed by criminals using AI technologies.
- Get the basics right and layer your defences – the ICO expects organisations storing or using personal data to implement the Cyber Essentials scheme and Cyber Governance Code of Practice. In addition, the ICO emphasises the importance of patching and updating processes to ensure security fixes are applied in a timely manner.
- Restrict access points – the ICO emphasises that organisations should implement multi-factor authentication on all remote access, admin accounts and email, along with strong password policies, applying the "principle of least privilege". It also highlights the importance of supply chain security, achieved by including security requirements in contracts and conducting proportionate due diligence.
- Improve your detection, monitoring and incident response – the ICO expects organisations to implement security monitoring for suspicious activity, vulnerability scanning and penetration testing, and to maintain an incident response plan.
- Protect personal data – the ICO reminds organisations that obligations under the UK GDPR require the implementation of appropriate technical and organisational measures to protect personal data.
Although the measures are not new, the ICO emphasises that AI brings renewed urgency given the increased speed and sophistication of AI-powered attacks.
Ofgem consults on draft supply chain security guidance for downstream gas and electricity
Ofgem has launched a consultation seeking views on draft supply chain security guidance for the downstream gas and electricity (DGE) sector. The guidance aims to establish a consistent, proportionate and outcome-focused approach to managing supply chain security risks across a wide range of supplier relationships. The consultation also invites evidence on how the draft guidance aligns with existing operational, engineering, assurance and commercial practices. The consultation closes on 29 June 2026.
Separately, Ofgem launched a consultation in April 2026 seeking views on cyber resilience regulation for the DGE sector.
ESAs publish first report on DORA major ICT-related incidents
The European Supervisory Authorities (the European Banking Authority, European Insurance and Occupational Pensions Authority, and ESMA) have published the first annual overview of major ICT-related incidents in the EU financial sector based on a reporting mechanism introduced by the Digital Operational Resilience Act (DORA).
The report covers incidents that occurred in 2025 and highlights issues including:
- The increasingly borderless nature of ICT risks, with one third of reported major incidents having a cross-border impact. The ESAs note the growing interconnectedness of financial entities through shared infrastructures, common ICT services and cross-border business models.
- The fact that almost a third of major incidents originated from failures attributable to third parties (including ICT third-party providers, other financial entities and infrastructure providers). The ESAs argue that this illustrates the critical role of outsourced services, the interconnectedness of the financial system, and the importance of robust third-party risk management, oversight and co-ordination.
- The relatively low frequency of cybersecurity incidents. The ESAs suggest that existing security safeguards and detection mechanisms have been effective in preventing cyber incidents from escalating in seriousness.
Visit Osborne Clarke's Digital Regulation Timeline to monitor developments on DORA.
EU Commission welcomes G7 cybersecurity declaration to strengthen global digital resilience
The European Commission welcomed the adoption of the G7 Cybersecurity Working Group declaration, which outlined the need for coordinated action on post-quantum cryptography, AI-related cybersecurity risks, telecoms resilience and the protection of SMEs. Regarding next steps, the Commission will actively engage in the working group's autumn meeting to advance these key priorities, which closely align with the EU's Cybersecurity Strategy, and to finalise the work prior to transitioning the presidency of the working group to the US for 2027.