Regulatory Outlook

Cyber security | UK Regulatory Outlook October 2025

Published on 29th October 2025

National Cyber Security Centre publishes 2025 annual review | Ministerial letter on cyber security to UK companies | ENISA Threat Landscape 2025 report identifies latest cyber trends | European Commission calls for evidence on simplifying rules on cyber security | G7 Cyber Expert group issues statement on AI and cyber security


National Cyber Security Centre publishes 2025 annual review 

The National Cyber Security Centre (NCSC) published its latest annual review, detailing ongoing efforts to address the cyber threats facing the UK and efforts to adapt to an evolving digital landscape.  

Escalating threat levels 

The review reveals that the NCSC handled 429 cyber incidents between September 2024 and August 2025. Of these, 204 were classified as "nationally significant", an average of four such attacks every week and a sharp increase from 89 incidents in the previous year. A further 18 incidents were categorised as "highly significant" due to their potential to seriously impact essential services: an increase from 13 incidents in 2024 that continues an upward trend for the third consecutive year.

Threat landscape 

A substantial portion of all incidents overseen by the NCSC were linked to advanced persistent threat (APT) actors, comprising either state-backed threat actors or criminal groups. Ransomware remains one of the most pervasive cyber threats to organisations. The review notes that most cyber criminals are sector agnostic, targeting victims most vulnerable to operational downtime, those holding sensitive data, and those most likely to pay a ransom. 

Building cyber resilience 

The review includes an open letter from Shirine Khoury-Haq, chief executive officer of the Co-op Group, warning other business leaders to prepare for and defend against cyber threats. The NCSC urges boards to recognise the importance of investing in cyber resilience and fostering a "cyber security culture" to reduce the likelihood of costly disruption and reputational harm. 

Ministerial letter on cyber security to UK companies 

The UK government announced that a letter had been sent to all companies in the FTSE 350, as well as other leading UK firms, in the wake of recent, high-profile cyber attacks.  

The letter, directed to CEOs and chairs of leading businesses, asks companies to take three steps to improve their cyber resilience: 

  • Elevate cyber risk to board-level priority: The government urges organisations to use the Cyber Governance Code of Practice to ensure that they have a plan to respond to and recover from a cyber incident impacting business operations.
  • Register for the NCSC's Early Warning service: Organisations and their suppliers are encouraged to sign up to receive email alerts from the Early Warning service, which informs a business of potential cyber attacks on an organisation's IP address.
  • Embed Cyber Essentials certification across supply chains: Organisations are encouraged to require their suppliers to meet the government-backed Cyber Essentials scheme requirements as the minimum cyber-security standard. Organisations should also implement the Cyber Essentials technical controls on their own systems.

The three actions, which are based on lessons learnt from previous attacks, can help organisations achieve the outcomes in the NCSC’s Cyber Assessment Framework, which the government recommends businesses implement regardless of whether they are already in scope. In the coming months, the government plans to host events designed to gather industry insight and foster collaboration between government and industry. 

ENISA Threat Landscape 2025 report identifies latest cyber trends 

The European Union Agency for Cybersecurity (ENISA) has published its flagship report on the latest cyber threats and trends in the EU, analysing a total of 4875 incidents from July 2024 to June 2025.

Ransomware continues to be the greatest threat in the EU, alongside distributed denial-of-service attacks. The ENISA report notes a convergence between threat groups in their tactics, techniques and procedures, and the growing use of artificial intelligence (AI), for example to enhance phishing campaigns and automate social engineering activities.

The top five targeted sectors were: public administration, transport, digital infrastructure and services, finance, and manufacturing. Essential entities, as defined under the revised Network and Information Systems Directive (NIS2), represented 53.7% of all recorded incidents. The report notes the parallels between the highest-ranked sectors and the sectors under the scope of NIS2.

European Commission calls for evidence on simplifying rules on cyber security  

The European Commission has published a call for evidence seeking feedback on the proposed amendments to data, cyber security and AI legislation as part of the upcoming "Digital Omnibus" package. 

Proposed amendments seek to simplify compliance with the incident reporting obligations under the to the Cybersecurity Act. Currently, businesses face significant burdens in incident and data breach reporting obligations at different EU levels. Further amendments related to cyber security risk management have also been proposed under a separate review of the Cybersecurity Act.  

The consultation closed on 14 October 2025. The Commission plans to adopt the Digital Omnibus in the last quarter of 2025. 

See the press release.  

G7 Cyber Expert group issues statement on AI and cyber security  

The G7 Cyber Expert Group has published a statement detailing the cyber-security policy issues facing the financial sector and steps firms should take to utilise AI to enhance their cyber defence capabilities.  

The statement notes that the increased uptake of AI by criminal groups has the potential to increase the frequency and impact of cyber activity. The group encourages financial authorities to:

  • Explore AI's potential for enhancing cyber defence capabilities.
  • Update risk frameworks to reflect AI-specific cyber security vulnerabilities and mitigation strategies.
  • Collaborate with, among others, financial institutions, AI developers and technology firms to deepen their shared understanding of AI-related cyber security issues and to develop strategies that mitigate cyber risk.  

Firms should read the statement in conjunction with their G7 Fundamental Elements series, which can be used to guide discussions on the performance and assessment of effective cyber security practices. 


* This article is current as of the date of its publication and does not necessarily reflect the present state of the law or relevant regulation.

Interested in hearing more from Osborne Clarke?