Cyber security | UK Regulatory Outlook March 2026
Published on 26th March 2026
NCSC issues alert to UK organisations over conflict in Middle East | DSIT publishes survey on cyber security behaviours of UK organisations | Progress of the Cyber Security and Resilience Bill | European Commission publishes consultation on draft Cyber Resilience Act guidance
NCSC issues alert to UK organisations over conflict in Middle East
The National Cyber Security Centre (NCSC) has issued an alert advising UK organisations to review their cyber security posture in light of the ongoing conflict in the Middle East.
Directed in particular at organisations with a presence or supply chains in the Middle East, the alert recommends that organisations take steps to mitigate the risk of collateral impacts in the UK from Iran-linked hacktivists by:
- reviewing previous advisories on DDoS attacks, phishing activity, and ICS targeting;
- taking the steps outlined in the NCSC's guidance on actions to take when the cyber threat is heightened; and
- considering increased monitoring of threats and network activity, and reviewing external attack surface management.
Critical national infrastructure (CNI) organisations are also advised to pre-emptively review the guidance on actions to take to prepare CNI organisations for severe cyber threats.
DSIT publishes survey on cyber security behaviours of UK organisations
The Department for Science, Innovation and Technology (DSIT) has published the results of wave five of the Cyber Security Longitudinal Survey. It tracks the cyber security behaviours of organisations over time to understand how their experiences evolve.
The latest research shows that cyber incidents continue to affect a significant proportion of UK organisations, underlining the need for continuous vigilance. Very large businesses (500+ employees) were significantly more likely to experience a cyber incident than medium-sized businesses (74% versus 62%), reflecting the heightened exposure that accompanies greater scale and complexity.
With regard to the prevalence of incidents, two-thirds of large businesses that experienced a cyber incident with a material impact or outcome at one point in time went on to experience a further such incident at the next point in time. Of these, 34% experienced the subsequent incident without a material impact or outcome, suggesting that steps had been taken to improve resilience or that the latter incident was less intrusive. This underscores that serious cyber incidents are rarely isolated events and highlights the limitations of purely reactive governance frameworks.
Supply chain cyber security management remains a low priority: only 40% of large businesses formally assessed the cyber security risks presented by their suppliers. For organisations with complex supplier networks, this represents a significant gap in cyber governance and an area of unmitigated legal risk, particularly as both national and international regulatory frameworks continue to raise standards around supply chain due diligence.
For a comparison with the results from wave four of the survey, see our previous Regulatory Outlook.
Progress of the Cyber Security and Resilience Bill
The Cyber Security and Resilience Bill had its second reading in the House of Commons on 6 January 2026.
Throughout February, the Public Bill Committee met to hear from expert witnesses on their views on the bill and scrutinise it line by line. The committee stage has now concluded, and the bill will progress to the report stage when parliamentary time allows.
European Commission publishes consultation on draft Cyber Resilience Act guidance
As part of its ongoing efforts to strengthen the EU's cyber security resilience and capabilities, the European Commission has published a consultation seeking views on draft non-binding guidance designed to clarify the obligations and scope of the Cyber Resilience Act (CRA) for manufacturers, developers, microenterprises and SMEs.
The guidance focuses on remote processing solutions and free and open-source software, building on the frequently asked questions on CRA implementation published by the Commission in December 2025.
The consultation closes on 31 March 2026. Separately, the Commission proposed a new cybersecurity package on 20 January 2026, aimed at enhancing the EU's cyber resilience framework.