Regulatory Outlook

Cyber security | UK Regulatory Outlook May 2026

Published on 27th May 2026

Cyber Security and Resilience Bill progress update | NCSC publishes new cross domain guidance | International cyber security warning of risks of using agentic AI | ICO publishes guidance on AI-enabled cyber attacks | DSIT publishes cyber security breaches survey 2026 | DSIT publishes cyber security sectoral analysis 2026 

Cyber Security and Resilience Bill progress update 

The King's Speech on 13 May 2026 confirmed that the bill will be carried over to the next session of Parliament. 

NCSC publishes new cross domain guidance  

The National Cyber Security Centre (NCSC) has published new guidance on its approach to using cross domain architecture. Cross domain architecture describes a set of systems that allow information to be shared or processed across multiple security domains or classification levels. Effective cross domain architecture prevents the unauthorised flow of data (for example, from a classified to an unclassified network) and enables authorised transfers across different trust levels. 

In addition to organisations sharing data with public bodies in sensitive sectors, particularly defence and intelligence, the NCSC emphasises that any organisation which could face harmful targeted attacks should be aware of the risks. 

The new guidance describes effective end-to-end architecture and the types of likely threats an organisation may face. It sets out six new cross domain design principles, replacing the NCSC's previous security principles, which it no longer recommends adopting for any new end-to-end architecture.  

The NCSC's press release promises future practical guidance on how to design cross domain architecture and select appropriate technology for implementation, as well as providing template cross domain patterns for secure data transfer. 

NCSC call to action for CNI sectors to follow its severe cyber threat guidance 

The NCSC has called upon all organisations operating as part of a critical national infrastructure (CNI) sector, such as energy, health, or financial services, to plan their responses to severe cyber threats, per its guidance from earlier this year. 

It emphasises that not all severe cyber attacks will be prevented, so cyber resilience includes the ability to continue operating critical services while recovering from the attack. Given the urgent time pressures involved, the NCSC reminds organisations that they must have plans in place, ready to deploy in the event of a severe cyber attack.  

International cyber security warning of risks of using agentic AI 

The NCSC has co-published guidance urging caution when adopting agentic AI services, in collaboration with its counterparts in Australia, Canada, New Zealand and the US. 

The guidance points out that agentic AI involves many of the same risks that organisations already face (such as access control, incident response and supply chain risks) but also comes with a new set of risks. AI agents can act unpredictably or interpret instructions in an unexpected manner. It may be more difficult to identify (and explain) when and how something has gone wrong, as agents act quickly and can access external systems. Any organisation using an AI agent should remember that a human remains accountable for its actions and their consequences. 

The guidance advises organisations to take a gradual approach, starting with using agents for only discrete low-risk tasks, while keeping established cyber security controls in place. It also reminds organisations to apply cyber security best practices to minimise risks, such as by applying least privilege, constraining the access and abilities of the agent, using temporary credentials and secure defaults, and conducting threat-modelling and incident response planning. 

ICO publishes guidance on AI-enabled cyber attacks 

The Information Commissioner's Office (ICO) has published advice on the enhanced cyber security threats posed by AI. These include more convincing phishing attacks and deepfakes; more rapid capabilities for vulnerability-scanning and brute-force attacks; malware that uses AI to adapt to avoid detection; corrupted training data; and the embedding of malicious instructions in content processed by an AI (prompt injection). 

The ICO recommends layering defences, thereby giving more time for vulnerabilities to be patched before an AI tool can detect and exploit a vulnerability in another layer. It also advises organisations to enforce access restrictions by using multi-factor authentication, applying least privilege, and holding third-party suppliers to appropriate standards. Organisations should also monitor suspicious activity and conduct penetration testing. AI can itself be used to support these processes. 

None of the ICO's recommendations are unique to AI-enabled cyber attacks, but the increased speed and capabilities brought by AI mean that it is even more crucial to implement cyber security best practices.  

DSIT publishes cyber security breaches survey 2026 

The Department for Science, Innovation and Technology (DSIT) has published its Cyber Security Breaches Survey for 2025-26.

Key findings and conclusions include: 

  • The overall prevalence of cyber security breaches or attacks has remained in line with the previous survey, with 43% of UK businesses and 28% of charities having experienced a breach or attack. However, this increases to 69% when looking at large businesses, underlining the importance of having robust cyber defences in place. 
  • There remains a resilience gap between large firms and SMEs. 
  • An increased number of businesses reported a loss of revenue or share value (5%) or reputational damage (3%) as a result of a cyber breach or attack. 
  • Cyber security was considered a high priority for senior management in businesses and charities, although lower than previous years. Given the potentially disruptive and costly nature of a cyber attack, boards should keep cyber defence and resilience high on their lists of priorities. 

DSIT publishes cyber security sectoral analysis 2026 

DSIT has published its annual Cyber Security Sectoral Analysis for 2026. 

Findings include: 

  • Growth of 11% for the UK cyber security sector, with revenue of £14.7 billion generated. 
  • 47 deals within cyber security firms in 2025 raised £184 million in investments. 
  • 967 public procurement contracts representing a value of £1.5 billion were awarded in 2025, a 62% increase from 2024. 
  • The sector continues to face challenges of inertia and budget constraints in take-up by SMEs. 
  • 111 firms in the UK are offering cyber security products or services specific to AI systems. Of these, 32 are focused exclusively or primarily on AI. This is DSIT's first update on AI in the cyber security sector. 

* This article is current as of the date of its publication and does not necessarily reflect the present state of the law or relevant regulation.