Cybersecurity 2026

Last Updated March 17, 2026

UK

Law and Practice

Authors

Sidley Austin LLP is a premier global law firm with a practice highly attuned to the ever-changing international landscape. The firm advises clients around the globe and has more than 2,300 lawyers across 21 offices worldwide. Sidley Austin maintains a commitment to providing quality legal services and offering advice on litigation, transactional and regulatory matters spanning virtually every area of law. The firm’s lawyers have wide-reaching legal backgrounds and are dedicated to teamwork, collaboration, and superior client service. The team helps a range of businesses address some of the most challenging matters concerning data protection, privacy, information security and incident response, data commercialisation, internet and computer law, IP, information management and records retention, e-commerce, consumer protection, and cybercrime. Sidley Austin advises clients with extensive operations in Europe, the USA, Asia, and elsewhere on developing and implementing global data protection programmes.

The UK cybersecurity legal system is well-developed and closer to those of the European Economic Area (EEA) than to that of the USA, although post-Brexit divergence between the EU and UK approaches to cybersecurity regulation is starting to emerge. Since the General Data Protection Regulation (GDPR) came into force in 2018, enforcement of cybersecurity rules in the UK has remained a focus, particularly for the UK data protection regulator, the Information Commissioner’s Office (ICO). In November 2025, the UK government introduced the Cyber Security and Resilience (Network and Information Systems) Bill (the “CS&R Bill”) to address the changing cyberthreat landscape and to align UK law more closely with developments in the EU (such as the EU’s NIS2 Directive (Directive (EU) 2022/2555), which was adopted after Brexit) (see 2. Critical Infrastructure Cybersecurity Regulation for further details).

The UK government has signalled an enhanced approach to supporting and promoting cybersecurity through its National Cyber Strategy 2022 (the “National Cyber Strategy”) and its (government-specific) Government Cyber Security Strategy 2022–30. The National Cyber Strategy takes a “whole of society” approach, aiming to shift the burden of cybersecurity from individual citizens to the organisations and professionals best placed to manage cyber-risks. The National Cyber Strategy comprises five pillars, as follows:

  • strengthening the UK cyber ecosystem – by investing in people and skills, and deepening the partnership between government, academia and industry;
  • building a resilient and prosperous digital UK – by reducing cyber-risks so that businesses can maximise the economic benefits of digital technology and provide more security for UK citizens online;
  • taking the lead in technologies vital to cyber power – by building industrial capacity and developing frameworks to secure future technologies;
  • advancing UK global leadership and influence for a more secure, prosperous and open international order – by working with government and industry partners and sharing the expertise that underpins UK cyber power; and
  • detecting, disrupting and deterring adversaries to enhance UK security in and through cyberspace – by making more integrated, creative and routine use of the UK’s full spectrum of levers.

The National Cyber Strategy also proposed a number of regulatory reforms, including, but not limited to, expanding the scope of the Network and Information Systems Regulations (the “NIS Regulations”) (see 2. Critical Infrastructure Cybersecurity Regulation for further details).

In addition to the National Cyber Strategy, a UK cyber growth action plan commissioned by the Department for Science, Innovation and Technology (“DSIT”) was published in September 2025 (the “Growth Plan”). The Growth Plan focuses on the UK’s cybersecurity sector and market, rather than on prospective legislative developments. However, the UK government has indicated that the Growth Plan will inform its refresh of the National Cyber Strategy, announced in May 2025.

The UK has a well-developed – and growing – network of civil and criminal laws relating to cybersecurity contained in UK legislation, companion rules made under such legislation, decisions of UK courts, and a steady stream of regulatory guidance from UK regulators.

Firstly, key cybersecurity requirements imposed on organisations in the UK, or on organisations established outside the UK that process the personal data of individuals located in the UK, are derived from the UK General Data Protection Regulation (the “UK GDPR”), as supplemented by the UK Data Protection Act 2018, as amended (DPA).

The UK GDPR applies to the security of “personal data” (ie, any information relating to an identified or identifiable individual, where an individual is identifiable – directly or indirectly – by reference to an identifier such as a name, an identification number, location data or an online identifier). As such, only cybersecurity incidents that affect personal data are regulated by the UK GDPR (see also 6.1 Cybersecurity and Data Protection). The UK GDPR requires organisations to maintain “appropriate” technical and organisational security measures and to comply with certain notification obligations when “personal data breaches” occur. The DPA also allows criminal prosecutions to be brought for certain cybersecurity-related offences.

Secondly, the NIS Regulations currently apply to two categories of key infrastructure operators ‒ namely, “operators of essential services” (OESs) and “relevant digital service providers” (RDSPs). Like the UK GDPR, the NIS Regulations require organisations subject to them to implement certain cybersecurity measures and to report certain cybersecurity incidents that affect them. On 12 November 2025, the UK government introduced the CS&R Bill, which would expand the remit of the NIS Regulations to protect more digital services and supply chains. Please see 2.1 Scope of Critical Infrastructure Cybersecurity Regulation for additional information on these proposed updates.

Thirdly, the Product Security and Telecommunications Infrastructure Act 2022 (the “PSTI Act”), whose product security regime came into force on 29 April 2024, requires manufacturers, importers and distributors of UK consumer connectable products to meet certain cybersecurity standards. This includes more stringent security requirements (eg, default password requirements and minimum support periods for security updates), requirements to investigate compliance failures and take remedial action, and requirements to notify relevant authorities and other third parties of such compliance failures (see 4.2 Key Obligations Under Legislation).

Fourthly, the Computer Misuse Act 1990 (CMA) is the UK’s primary legislation for criminalising unauthorised access to computers and other IT systems. It contains a number of cybersecurity-related offences. A key offence under the CMA (Section 1) is where a defendant obtains “unauthorised access” to a computer – ie, the defendant causes a computer “to perform any function with intent to secure access to any program or data held in any computer” or “to enable such access to be secured” where such access is “unauthorised” and this is known to the defendant at the relevant time.

Fifthly, the Privacy and Electronic Communications (EC Directive) Regulations 2003 (as amended) (the “PECR”), Commission Regulation (EU) No 611/2013 on the notification of personal data breaches (the “Notification Regulation”), and the Communications Act 2003 (the “CA 2003”) contain cybersecurity obligations applicable primarily to providers of electronic communications networks and services (such as telecommunications operators).

There are also sector-specific laws that contain cybersecurity obligations, such as:

  • Financial Conduct Authority (FCA) rules (applicable to FCA-regulated firms);
  • the Payment Services Regulations 2017 (PSRs) (which transposed the Second EU Payment Services Directive into UK law and apply to payment service providers); and
  • the Official Secrets Act 1989 (OSA) (which is applicable to certain official government information).

Similarly, the Investigatory Powers Act 2016 (IPA) and the Regulation of Investigatory Powers Act 2000 (RIPA) regulate electronic surveillance and interception in the UK and contain associated safeguards.

These laws are increasingly being enforced by UK governmental authorities – including the ICO and sector-specific regulators such as the FCA – as well as by private individuals and organisations. Regulators are also increasingly collaborating on cybersecurity enforcement; for example, the ICO has joined with the Competition and Markets Authority, the Office of Communications (Ofcom) and the FCA to form the Digital Regulation Co-operation Forum (DRCF).

In addition to legislation, English “common law” contains rules that are relevant to cybersecurity. There is a legal and ethical duty of confidence: information shared in confidence must not be disclosed without legal authority. The duty applies to information not already in the public domain and is subject to a number of exceptions, including where:

  • the person who shared the information in confidence has consented to its disclosure; or
  • disclosure is required by law.

The FCA rules, the PSRs, the OSA, the IPA, the RIPA, other sector-specific or specialised laws and the common-law duty of confidence are not further considered in this guide.

The competent regulator differs across the key pieces of UK cybersecurity legislation under consideration.

UK GDPR and DPA

In the UK, the ICO – which will be reconstituted as the “Information Commission” as mandated by the Data (Use and Access) Act 2025 (the “DUA Act”) – is responsible for monitoring the application of the UK GDPR and the DPA and for taking enforcement action against organisations for non-compliance, including by investigating personal data breaches and inadequate security measures. The ICO may initiate an investigation of its own accord or on the basis of a complaint submitted by, for example, a private individual or organisation. The ICO also has the power to conduct both off-site and on-site audits. Prosecutions under the DPA may only be brought by the ICO or by (or with the consent of) the Director of Public Prosecutions (DPP). In November 2025, the ICO published new draft guidance on how it proposes to conduct data protection investigations and enforcement actions, including when and how it expects to use the new investigative and enforcement powers granted to it under the DUA Act.

NIS Regulations

Under the NIS Regulations, the “competent authority” is determined on an industry-by-industry basis by the DSIT, which oversees the implementation of the NIS Regulations across the UK. For OESs in the oil sector, for example, the competent authority in England, Scotland and Wales is the Secretary of State for Energy Security and Net Zero – whereas in Northern Ireland it is the Department of Finance. The ICO is the competent authority for RDSPs.

Competent authorities may be reactive or proactive in the incidents they choose to investigate. They are supported by the National Cyber Security Centre (NCSC), which offers technical advice (in the health sector, this support is provided by NHS England, which absorbed NHS Digital in 2023). Certain organisations are also subject to regular compliance audits by their competent authority; contraventions identified through such audits can lead to enforcement action and penalties of up to GBP17 million.

PECR and CA 2003

As regards the PECR, the ICO may audit service providers’ compliance under Regulation 5B of the PECR. Notifiable personal data breaches under Regulation 5A of the PECR must be reported to the ICO. The ICO is, in turn, responsible for investigating the breach and taking any subsequent enforcement action.

With regard to the CA 2003 (a companion to the PECR), Ofcom is the primary regulator. Under the security duties in Part 2 of the CA 2003 (Sections 105A onwards, as substituted by the Telecommunications (Security) Act 2021), Ofcom may assess the security measures taken by a network provider or a service provider. Notifiable security compromises must be reported to Ofcom, which is in turn responsible for investigating the compromise and taking any subsequent enforcement action.

CMA

Although there is no regulatory authority with oversight of the CMA per se, the CMA’s provisions are enforced by the Crown Prosecution Service (CPS), which is the public authority responsible for prosecuting the majority of criminal cases in England and Wales. The CPS is notified of CMA investigations and potential offences by the police and other investigative organisations in England and Wales. See 4.2 Key Obligations Under Legislation for more information.

PSTI

The Office for Product Safety and Standards is responsible for enforcing the PSTI Act. Non-compliance with the PSTI Act can result in fines of up to GBP10 million or 4% of a company’s global turnover (whichever is greater), as well as up to GBP20,000 per day in the case of an ongoing contravention.

NCSC

The NCSC is the key UK cybersecurity agency, co-ordinating UK cybersecurity policy and technical standards, particularly with regard to the NIS Regulations and the UK GDPR. The NCSC acts as the national computer security incident response team (CSIRT) under the NIS Regulations and supports organisations that suffer cybersecurity incidents. It also acts as the “single point of contact” for competent authorities under the NIS Regulations. Following Brexit, the UK no longer holds a seat at the EU Agency for Cybersecurity (ENISA); however, some operational co-operation continues in order to improve cybersecurity across Europe.

The regulation of cybersecurity for critical infrastructure in the UK is primarily governed by the NIS Regulations. See 1.2 Cybersecurity Laws for a summary of the scope of the NIS Regulations.

On 12 November 2025, the UK government presented the CS&R Bill to Parliament for its first reading. It is intended to strengthen UK defences against cyber-attacks and protect critical infrastructure. Broadly, the CS&R Bill would update the UK’s cyber regulatory framework by:

  • expanding the scope of the NIS Regulations to cover “more digital services and supply chains”, including managed service providers and large capacity data centres;
  • giving further power to regulators to ensure measures are being implemented, whilst empowering the Secretary of State to issue codes of practice; and
  • mandating increased incident reporting to provide a better picture of the threat landscape and cyber-attacks, including a requirement to provide initial incident notification within 24 hours.

OESs and RDSPs are required under the NIS Regulations to implement appropriate and proportionate technical and organisational measures to ensure a level of security appropriate to the risk posed.

RDSPs

For RDSPs, these requirements are supplemented by the Commission Implementing Regulation (EU) 2018/151 (the “DSP Regulation”). In summary, RDSPs must take into account the following:

  • the security of systems and facilities ‒ measures in this area should cover systematic management of network and information systems, physical and environmental security measures, security of supplies and access controls to systems;
  • incident handling ‒ measures should include incident detection processes and procedures, processes and policies on incident reporting, incident response and incident assessment (see 2.3 Incident Response and Notification Obligations for further detail);
  • business continuity management – this is the capability to maintain or restore the delivery of services to acceptable predefined levels following a disruptive incident;
  • monitoring, auditing and testing – measures should establish and maintain policies and processes concerning the assessment, inspection and verification of systems;
  • compliance with international standards ‒ measures are not specified by the DSP Regulation, but instead, the NIS Regulations refer to “standards” as:
    1. standards adopted by an international standardisation body as specified in Regulation (EU) No 1025/2012; and/or
    2. any European, national or internationally accepted standards and specifications relevant to the security of networks and information systems.

The ICO notes that examples of appropriate standards may include ISO/IEC 27001 (International Organization for Standardization/International Electrotechnical Commission) on information security management systems and ISO 22301 on business continuity management systems, as well as any other related standards.

OESs

OESs are subject to similar requirements: they must take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of the network and information systems on which their essential service relies, having regard to guidance from their relevant competent authority (which, as noted in 1.3 Cybersecurity Regulators (NIS Regulations), is designated on a sector-specific basis).

Supply Chain Security Requirements

The NCSC has published guidance on supply chain security. This sets out 12 principles designed to help organisations establish “effective control and oversight” of their supply chains. The principles are grouped into four stages:

  • understand the risks;
  • establish control;
  • check your arrangements; and
  • continuous improvement.

Under the NIS Regulations, different incident reporting obligations apply to OESs and RDSPs.

For OESs, incident notification is required when an incident has a “significant impact” on the continuity of the essential service they provide. Determining this requires a fact-specific analysis of the number of users affected by the disruption of the service, the duration of the incident and the geographical area affected by the incident, having regard to any relevant guidance issued by their designated “competent authority”.

For RDSPs, notification is required where there will be a “substantial impact” on the provision of a relevant service. From 12 January 2022, the ICO (the lead regulator for RDSPs) must be notified by an RDSP of any incident that has a substantial impact on the provision of any digital services, including online marketplaces, online search engines, and cloud computing services. It should be noted that, in comparison with the UK GDPR, notifiable incidents under the NIS Regulations need not always involve personal data – that is, cybersecurity incidents that do not involve personal data (such as cyber-attacks on industrial control systems) could be notifiable under the NIS Regulations, but would not be notifiable under the UK GDPR if they do not involve personal data.

Under the NIS Regulations, as with the UK GDPR, OESs and RDSPs must notify their relevant competent authority and the ICO, respectively, of an incident “without undue delay” and, in any event, no later than 72 hours after the OES or RDSP (as applicable) becomes aware of the incident. Under proposed amendments in the CS&R Bill, there will be an additional requirement to submit an “initial” notification no later than 24 hours after becoming aware of the incident.

The NIS Regulations require that OESs and RDSPs adopt “appropriate and proportionate” technical and organisational security measures, as well as “appropriate” measures to prevent and minimise the impact of incidents affecting those systems (considering the state of the art), so as to ensure the continuity of the essential services that the OES provides. Although serious incidents must be reported under the NIS Regulations, the ICO has also explained that software vulnerabilities – ie, weaknesses in a system that can be exploited by an attacker – may also need to be reported, as per the “additional information” required in the ICO’s NIS reporting form.

This is not applicable in the UK.

In the UK, operational resilience in the financial sector is primarily addressed by the FCA, the Prudential Regulation Authority (PRA) and the Bank of England (BoE) in their rules and guidance on strengthening operational resilience in the financial services sector ‒ for example, the FCA’s operational resilience rules in Chapter 15A of its Senior Management Arrangements, Systems and Controls Sourcebook (SYSC 15A) and the PRA’s supervisory statement “Operational resilience: Impact tolerances for important business services” (SS1/21) (collectively, the “Operational Resilience Requirements”), which came into force on 31 March 2022 and address how firms identify, map, test and enhance their important business services to withstand disruption. From 31 March 2025, UK firms have been required to have performed mapping and testing to ensure they can remain within impact tolerances for each important business service. The rules are intended to align closely (albeit not entirely) with international standards and other regimes, such as the EU’s Digital Operational Resilience Act (DORA).

In November 2024, the FCA, the PRA and the BoE published a joint policy statement, “Operational resilience: Critical third parties to the UK financial sector” (PS16/24) (the “CTP Policy Statement”). This confirmed that operational resilience remains a priority for the regulators and that they are focusing, among other things, on further defining obligations regarding critical third parties (CTPs). The CTP requirements apply regardless of the service provider’s location (see 3.2 ICT Service Provider Contractual Requirements for further details).

In December 2024, the PRA, the FCA and the BoE published further consultation papers on operational incident and third-party reporting, including “Operational resilience: Operational incident and outsourcing and third-party reporting” (PRA CP17/24) and “Operational Incident and Third-Party Reporting” (FCA CP24/28). The papers propose a framework for reporting operational incidents and material third-party arrangements. Notably, the proposals would require firms to report some incidents that fall short of breaching the impact tolerance of the relevant business service under the operational resilience rules.

In October 2025, the PRA, the FCA and the BoE published a review of “effective practices” which the authorities had observed in the self-assessments of relevant firms. Such practices include the implementation of “pre-defined crisis communication” plans, testing against impact tolerance metrics beyond duration alone (eg, volume, payment type, and value), and the use of immutable back-ups to accelerate cyberattack recovery.

In the event of an incident causing major disruption to UK financial services, the PRA, the FCA, the BoE and HM Treasury may coordinate a joint response under the Authorities Response Framework.

As noted in 3.1 Scope of Financial Sector Operational Resilience Regulation above, CTPs are a key focus of UK financial services operational resilience. The CTP Policy Statement introduced new rules that apply to a CTP designated under the regime.

Under the applicable rules, CTPs are expected to:

  • meet the minimum resilience standards in respect of any “systemic third party services” that they are providing to financial services firms;
  • comply with six “Fundamental Rules”, five of which are applicable specifically in relation to the provision of systemic third-party services to firms. These six rules include having effective risk strategies and dealing with the FCA or PRA (as applicable) in a co-operative manner; and
  • comply with eight “Operational Risk and Resilience Requirements” that will apply to a CTP’s material services, such as the requirement to appropriately manage incidents that may adversely affect, or may reasonably be expected to adversely affect, the delivery of a systemic third-party service.

The new regime for CTPs was created under the Financial Services and Markets Act 2023, which amended the Financial Services and Markets Act 2000 (FSMA). The relevant provisions allow HM Treasury to designate a person who provides services to regulated firms and financial market infrastructures as “critical”. CTPs will typically be service providers that provide outsourced, third-party services to large numbers of financial institutions and whose services are very difficult to substitute. CTPs are required to conduct a self-assessment, which must be submitted to the regulator within three months of the CTP’s designation, and annually thereafter. Although the concepts in FSMA are broadly analogous to those in DORA, the criteria for designation and the scope of regulatory powers differ in several important respects.

The FCA has demonstrated a strong focus on cybersecurity in the financial services industry. This is particularly relevant in the context of:

  • Principle 3 (Management and Control) of the FCA Handbook’s Principles for Businesses, which states that “a firm must take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems”; and
  • Principle 11 (Relations with Regulators), which requires that “a firm must deal with its regulators in an open and co-operative way and must disclose to the FCA appropriately anything relating to the firm of which that regulator would reasonably expect notice”.

In relation to Principle 11, the FCA has confirmed that regulated firms must report material cyber-incidents. The FCA considers that an incident may be material if it:

  • results in significant loss of data, or of the availability or control of a firm’s IT systems;
  • affects a large number of customers; or
  • results in unauthorised access to, or malicious software present on, a firm’s information and communication systems.

The FCA goes on to require that, where such an incident is deemed to be material:

  • the FCA (and the PRA for dual-regulated firms) should be notified;
  • if the incident is criminal, Action Fraud (the UK’s national fraud and cybercrime reporting centre) should be contacted; and
  • where the incident is also a personal data breach, organisations may need to report the incident to the ICO.

The FCA also recommends that firms refer to the NCSC guidance on reporting incidents, and that reports be shared on the Cyber Security Information Sharing Partnership (CiSP) platform. The CiSP is a key information-sharing organisation in the UK. It is a joint industry and UK government initiative managed by the NCSC. The CiSP allows members to voluntarily exchange cyber-risk information in a secure environment, thereby reducing the impact of cyber-risks on UK businesses in general.

More generally, as part of the FCA’s goal to assist firms in becoming more resilient to cyber-attacks, it recommends that firms of all sizes develop a “security culture,” identify and prioritise information assets and constantly evolve to meet new threats.

In addition, certain categories of FCA-regulated firms have additional reporting requirements. By way of example, payment services providers are required to report major operational and security incidents pursuant to the PSRs.

For CTPs, the rules established in the CTP Policy Statement introduce a phased approach to notifications for incidents affecting CTP services, including those that impact the availability, authenticity, integrity or confidentiality of assets. This reporting will consist of:

  • an initial notification, without undue delay, to the relevant parties after the CTP is aware that the relevant incident has occurred;
  • one or more intermediate incident reports as needed; and
  • a final incident report.

The CTP Policy Statement notes that regulators “normally expect” a CTP to submit a final incident report within 30 working days of the incident’s resolution.

The Operational Resilience Requirements require financial services firms to comply with a number of obligations around operational resilience, including:

  • performing mapping and scenario testing (including for cyber-related disruptions);
  • investing to enable a firm to operate within its impact tolerances and respond effectively and recover quickly when disruption does occur;
  • documenting and maintaining operational resilience policies and procedures;
  • assigning clear roles and responsibilities within the firm; and
  • engaging with key stakeholders (eg, regulators, clients, suppliers, and CTPs).

As described in 3.1 Scope of Financial Sector Operational Resilience Regulation, in December 2024, the PRA and the FCA published further consultation papers – respectively, “Operational resilience: Operational incident and outsourcing and third-party reporting” (PRA CP17/24) and “Operational Incident and Third-Party Reporting” (FCA CP24/28) – which propose a framework for reporting operational incidents and for the notification and reporting of material third-party arrangements. As of January 2026, the regulators had not yet published final rules or feedback in response to these consultations.

The FCA and PRA have a broad legislative mandate and powers to enforce rules made under the CTP regime against designated CTPs. As this is a relatively new regime, it remains to be seen how such powers will be exercised. As of January 2026, no entities have yet been designated as CTPs.

This is not applicable in the UK.

See 3.3 Key Operational Resilience Obligations for operational resilience requirements, including the requirement to perform mapping and testing to ensure firms remain within impact tolerances for each important business service.

In addition, the Critical National Infrastructure Banking Supervision and Evaluation Testing (CBEST) programme is the UK financial regulators’ threat intelligence-led penetration testing framework, which assesses the cyber-resilience of systemically important financial institutions through security testing conducted against “live” production environments. On 13 December 2024, the FCA (together with the PRA) published their annual CBEST thematic report (the “CBEST Report”). The CBEST Report contains cyber-resilience good-practice recommendations and insights drawn from that testing, including input from the NCSC, to help firms maintain their operational resilience. The report highlights the importance of building a strong foundation of cyber hygiene to prevent common cyber-incidents, including training and awareness and robust authentication.

The key areas of focus based on the 2024 CBEST Report are:

  • cybersecurity risks to assets and individuals;
  • cyber-risk management and impact-based approaches to the protection of key resources (people, process, technology and data);
  • detection and response capabilities leveraging the latest threat intelligence; and
  • cyber-incident response to eradicate threats and mitigate impacts.

As outlined in 1.2 Cybersecurity Laws, several laws supplement the UK’s cyber-resilience strategy alongside the NIS Regulations. Please refer to 4.2 Key Obligations Under Legislation for more information.

PSTI Act

Under the PSTI Act, manufacturers (the person responsible for manufacturing, designing or otherwise marketing a product under their own name or trade mark) of “UK consumer connectable products” are required to comply with obligations to manage cybersecurity risks for connectable products made available in the UK. Similar obligations also apply to importers and distributors. These include:

  • a duty to comply with the security requirements specified by the Secretary of State in regulations;
  • a duty to investigate and take action in relation to compliance failures ‒ this may include preventing the product from being made available in the UK and/or remedying the compliance failure, and notifying enforcement authorities and other manufacturers, importers and distributors; and
  • a duty to maintain records of investigations and compliance failures for a minimum of ten years ‒ these records may be requested by the Secretary of State in the course of investigating and enforcing the legislation.

The PSTI Act provides the Secretary of State with the power to deem compliance with security requirements. This is further elaborated in the Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 (the “2023 PSTI Regulations”), as amended by the Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) (Amendment) (No 2) Regulations 2025 (the “2025 PSTI Regulations Amendment”), which set out conditions for deemed compliance with security standards, including compliance with relevant parts of ETSI EN 303 645 or ‒ in some cases ‒ ISO/IEC 29147.

Schedule 1 of the 2023 PSTI Regulations includes the following security requirements for manufacturers:

  • all passwords for UK consumer connectable products must be unique and incapable of being reset to any universal factory setting;
  • manufacturers, importers and/or distributors of UK consumer connectable products must provide a public point of contact for reporting vulnerabilities, and reports received must be acted on in a timely manner; and
  • manufacturers, importers and/or distributors of UK consumer connectable products must explicitly state, at the point of sale, the minimum length of time for which the device will receive security updates.

CMA

As mentioned in 1.2 Cybersecurity Laws, a key offence under the CMA (Section 1) is where a defendant obtains “unauthorised access” to a computer. Although the CMA primarily applies to offences committed within the UK, it allows for prosecutions to be brought in the UK where some or all of the offending acts were committed outside the UK – reflecting the cross-border nature of many cybersecurity-related offences. By way of example, Section 1 of the CMA can apply to offending acts committed outside the UK and can – as a result – be prosecuted in the UK where there is “at least one significant link with the domestic jurisdiction”. A significant link can include where:

  • the accused is in a relevant country of the UK (England, Wales, Scotland and Northern Ireland) at the time of the offence;
  • the target of the CMA offence is in a relevant country of the UK; or
  • the technological activity that has facilitated the offending may have passed through a server based in a relevant country of the UK.

An offence committed under the CMA is prosecuted by the CPS in the UK courts. When determining whether to bring a prosecution under the CMA, the CPS must be satisfied that there is enough evidence to provide a “realistic prospect of conviction” against each defendant and that the public interest factors tending against prosecution do not outweigh those tending in favour. Offences under the CMA can carry imprisonment or a fine (or both). In addition, a serious crime prevention order can be made against an individual or an organisation in relation to a breach of the CMA.

The UK government continues to progress amendments to the CMA, as commentators have long stated that the CMA has failed to keep pace with the cybersecurity landscape. Commentators highlight issues with the ambiguity around the meaning of “authorisation” and its subsequent impact on cybersecurity professionals, as well as issues with the current jurisdictional scope of the CMA, given the international nature of many cybersecurity incidents. In November 2023, the UK government published responses to a consultation on proposed CMA reforms, noting that work will continue on engagement with private and public sector organisations to understand further impacts and mitigations in this area before it is considered for legislation. In December 2025, the UK government confirmed plans to amend the CMA by introducing a statutory defence for cybersecurity professionals conducting legitimate vulnerability research.

PECR and CA 2003

Regulation 5(1A) of the PECR requires service providers to:

  • restrict access to personal data to only authorised personnel for legally authorised purposes;
  • protect personal data against “accidental or unlawful destruction, accidental loss or alteration, and unauthorised or unlawful storage, processing, access or disclosure”; and
  • implement a security policy with regard to the processing of personal data.

Service providers are also required to retain a log of personal data breaches under Regulation 5A(8) of the PECR.

Guidance on Security Requirements published by Ofcom in relation to the CA 2003 states that it is necessary to establish “clear lines of accountability, up to and including board or company director level, and sufficient technical capability to ensure that potential risks are identified and appropriately managed”. The guidance further states that “a level of internal security expertise, capacity, and appropriate accountability mechanisms, sufficient to provide proper management of (security risks)” must be maintained. The guidance also references the following:

  • the importance of internal risk assessments;
  • the need for sufficient oversight of networks and services to enable fast identification of significant security incidents;
  • a requirement to put in place security measures that exceed those in the Cyber Essentials scheme; and
  • the importance of intelligence-led vulnerability testing to manage cyber-risks.

Regulation 2(1) of the PECR defines a “personal data breach” as a breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of – or access to – personal data transmitted, stored or otherwise processed in connection with the provision of a public electronic communications service. The security and breach notification requirements under Regulation 5 of the PECR apply to personal data.

Under Regulation 5A(2) of the PECR, service providers are required to notify the ICO of a personal data breach; such notification must be made, where feasible, no later than 72 hours after becoming aware of the breach. A notification to the ICO is not required where an organisation is responsible for delivering part of the service but does not have a direct contractual relationship with end users. In such cases, the organisation must notify the organisation that has the contractual relationship with end users and that organisation must then notify the ICO. The service provider is also required to notify (without undue delay) the concerned subscriber or user where the breach is likely to adversely affect their personal data or privacy, unless the service provider can demonstrate to the ICO that the data has been rendered unintelligible (eg, encrypted).

The security breach notification requirements under Section 105K(1)(a) of the CA 2003 apply to public electronic communications networks and systems: network and service providers must notify Ofcom of security breaches that have a significant impact on the operation of a public electronic communications network. Section 105A of the CA 2003 broadly defines a “security compromise” as including “anything that compromises the availability, performance or functionality of the network or service”. In determining whether the effect that a security compromise has – or would have – on the operation of a network or service is “significant”, certain matters should be considered, including the length of the period during which the operation of the network or service is or would be affected, the number of affected persons, the geographical size and location affected, and the extent to which activities of persons who use the network or service are or would be affected by the effect on the operation of the network or service.

There are numerous cybersecurity frameworks that are expressly or implicitly recognised by UK cybersecurity regulators. By way of example, the ICO recommends that organisations review the Cyber Essentials scheme (a UK government- and industry-backed scheme) for basic guidance on preventing and limiting the impact of cyber-attacks.

Similarly, Ofcom repeatedly references the International Organisation for Standardisation (ISO) standards in its Guidance on Security Requirements. In addition, Ofcom states that the controls in the Cyber Essentials scheme should be implemented and exceeded; it adds that obtaining the Cyber Essentials Plus certification is “a powerful way to demonstrate this”.

Regarding the NIS Regulations, the NCSC has published 14 cybersecurity and resilience principles that provide guidance in the form of the Cyber Assessment Framework (CAF). The CAF is particularly relevant to OESs that are subject to the NIS Regulations.

Lastly, the most widely used account and payments data security standard, the Payment Card Industry Data Security Standard (PCI DSS), was most recently revised in June 2024 with the publication of Version 4.0.1.

As mentioned in 1.2 Cybersecurity Laws, the UK GDPR and the DPA contain cybersecurity obligations in relation to the processing of personal data. These laws apply to:

  • all organisations established in the four countries of the UK (ie, England, Northern Ireland, Scotland and Wales); and
  • organisations not established in the UK processing personal data of data subjects in the UK to offer them goods or services or to monitor their behaviour.

The UK GDPR requires that controllers and processors implement “appropriate” technical and organisational security measures, taking into account the state of the art, costs of implementation, and the nature, scope, context and purposes of the processing of personal data, as well as the risks of such processing to the data subject’s rights (eg, from accidental or unlawful destruction, loss, alteration or unauthorised disclosure of ‒ or access to – personal data transmitted, stored or otherwise processed by the organisation).

The UK GDPR itself sets out examples of “appropriate” security measures, which are:

  • pseudonymisation and encryption of personal data;
  • the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
  • a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of personal data processing.

Importantly, the ICO takes the view that there is no “one size fits all” approach to “appropriate” security and recommends that ‒ before taking a view on what is “appropriate” ‒ organisations should assess the level of risk by reviewing the type of personal data held, whether it is sensitive or confidential, and the damage that would be caused to data subjects if it were compromised (eg, identity fraud).

In addition, when considering which cybersecurity measures to adopt, the ICO recommends that organisations consider:

  • system security – security of the organisation’s network and information systems (particularly systems that process personal data);
  • data security – security of the personal data held in the organisation’s systems (eg, ensuring appropriate access controls are in place within the organisation);
  • actively managing software vulnerabilities – including using in-support software and the application of software update policies (patching), as well as taking other mitigating steps where patches cannot be applied;
  • online security – website and mobile application security; and
  • device security – considering information security policies for bring-your-own devices, where offered by the organisation.

The UK GDPR and the DPA continue to be enforced by the ICO, including with regard to cybersecurity matters, but only to the extent that they impact personal data. The ICO is required to adhere to specific procedures before undertaking enforcement action – for example, before imposing an administrative fine on an organisation for:

  • breaching the integrity and confidentiality principle;
  • inadequate security measures; or
  • failing to report a personal data breach to the ICO or affected data subjects.

Where applicable, the ICO is required under Section 149 of the DPA to first issue the organisation with a written “enforcement notice”, which requires the organisation to take steps specified in the notice and/or refrain from taking steps specified in the notice. If the ICO is of the view that the organisation has failed to comply with the enforcement notice, the ICO may issue a written notice (penalty notice) imposing a monetary penalty on the organisation of up to the greater of 4% of annual worldwide turnover or GBP17.5 million. When determining the monetary penalty amount, the ICO will consider a number of aggravating or mitigating factors. These factors include the nature, gravity and duration of the infringement – for example, personal data breach or inadequate security measures – and the intentional or negligent character of the infringement. The DUA Act also expands aspects of the ICO’s toolkit (including powers to request technical reports and compel witness attendance in certain circumstances), which may increase regulatory expectations around demonstrable cyber governance and incident readiness.

In determining whether to undertake criminal prosecution under the DPA, the ICO must refer to the Code for Crown Prosecutors and the ICO’s own prosecution policy. Although the ICO has several enforcement tools available to it (including providing a caution to offending organisations), the ICO’s Prosecution Policy Statement requires the ICO to consider aggravating factors in order to bring a prosecution instead of a caution. These include:

  • the accused breaching the law for financial gain;
  • abusing a position of trust; or
  • damage or distress being caused to data subjects.

The maximum penalty for criminal offences under the DPA is an unlimited fine. Imprisonment is not available for conviction under any of the DPA offences. Defendants are entitled to normal rights of appeal against a conviction or sentence in the legal system.

On 26 November 2023, the US Cybersecurity and Infrastructure Security Agency (CISA) and the UK’s NCSC published joint Guidelines for Secure AI System Development (the “AI Guidelines”). The AI Guidelines aim to ensure that developers take a “secure by design” approach, integrating cybersecurity into the development process from the outset and throughout. The AI Guidelines cover:

  • secure design;
  • secure development;
  • secure deployment; and
  • secure operation and maintenance.

Relatedly, in its annual review published on 3 December 2024, the NCSC noted significant advances in AI that will amplify existing cybersecurity challenges.

In January 2025, the DSIT published a sector-agnostic Code of Practice for the Cyber Security of AI (the “AI COP”) to establish the minimum cybersecurity standards that developers and system operators should incorporate when building and using AI solutions. The AI COP, which is voluntary, is based on the AI Guidelines and is intended to sit alongside the UK government’s 2023 White Paper “A pro-innovation approach to AI regulation”, which includes “Safety, Security and Robustness” as one of the five key principles – the focus of the AI COP. The AI COP is structured around 13 principles and, for each principle, identifies the stakeholders to which it primarily applies. Requirements include AI security awareness training, system design and dataset considerations, incorporating threat modelling into the risk management process, and evaluation and testing. The AI COP aligns expectations across the AI lifecycle (including secure design, secure development, secure deployment, secure maintenance, and secure end-of-life) and places particular emphasis on supply-chain security, dataset integrity, secure configuration and access controls, and incident management processes.

While the AI Guidelines and the AI COP are non-statutory, they are likely to be treated as benchmarks when assessing whether an organisation has implemented appropriate security measures, such as security by design and “appropriate” security under Article 32 UK GDPR (particularly where AI systems process personal data).

Under the NIS Regulations, NHS trusts, foundation trusts, integrated care boards, and certain other healthcare providers are designated as OESs. Consequently, these healthcare providers are required to comply with the obligations of an OES as described in 2.2 Critical Infrastructure Cybersecurity Requirements.

Medical devices in the scope of the Medical Devices Regulations 2002 are expressly excluded from the PSTI Act. However, the UK government is expected to continue its overhaul of the UK’s medical devices legislative framework following the application of the Medicines and Medical Devices Act 2021 (the “MMD Act”). The MMD Act grants the Secretary of State the power to introduce regulations relating to the manufacture of medical devices. In February 2024, the Department for Health and Social Care (DHSC) confirmed that it would introduce a package of legislative reforms for UK medical devices. In December 2024, the Medicines & Healthcare Products Regulatory Agency (MHRA) issued a revised roadmap for reform (the “Roadmap”), announcing new guidance on cybersecurity requirements for software incorporated into medical devices. In addition, strengthened post-market surveillance requirements for medical devices took effect in June 2025, increasing expectations for incident detection, investigation, and reporting (including when cyber vulnerabilities pose patient safety risks). In December 2025, the MHRA published an In Vitro Diagnostic (IVD) Medical Device Road Map. This roadmap outlines the planned priority deliverables for the IVD medical device work programme until mid-2027.

The MHRA has produced a number of work packages in its proposed Software and AI as a Medical Device Change Programme, with Work Package WP5 dedicated to “Cyber Secure Medical Devices”. This work package focuses on ensuring that cybersecurity is adequately reflected in software as a medical device (SaMD) requirements and explains that secondary legislation will be developed to impose cybersecurity and IT requirements to guard against cybersecurity risks in medical devices and IVDs that may result in device malfunction, loss or tampering with personal data, damage to the device and ultimately injury to the patient. Guidance will be developed on cybersecurity issues across the life-cycle management processes for medical devices and IVDs, and on the reporting of cybersecurity vulnerabilities.

NHS England (including the functions formerly carried out by NHS Digital, the body responsible for information, data and IT systems in health and social care in the UK) has published a variety of guidance, including the Data Security and Protection Toolkit, which is an online self-assessment tool that all organisations must use if they have access to NHS patient data and systems. This includes an incident reporting tool that incorporates the notification requirements of the UK GDPR and the NIS Regulations. There is also a GDPR-focused document entitled “Respond to an NHS Cyber-Alert”, which explains the intersection between medicine, personal data, and cybersecurity and sets operational expectations for NHS organisations to acknowledge and remediate cyber alerts within specified timeframes.

At an EU level (albeit highly persuasive, rather than legally binding, from a UK perspective), the Medical Device Coordination Group published updated guidance in June 2020 on cybersecurity for medical devices, which is intended to assist medical device manufacturers in meeting the cybersecurity requirements in the EU’s Medical Devices Regulation and the In Vitro Diagnostic Regulation. According to the updated guidance, manufacturers must consider safety and cybersecurity throughout the life cycle of a product – that is, they must integrate security “by design”. This concept closely aligns with the privacy-by-design requirement under the UK GDPR. Manufacturers must also perform increased post-market surveillance and vigilance. Such post-market surveillance should address the following:

  • operation of the device in the intended environment;
  • sharing and dissemination of cybersecurity information and knowledge of cybersecurity vulnerabilities and threats across multiple sectors;
  • vulnerability remediation; and
  • incident response.

The MHRA clearly states in its Roadmap that the regulations will move the UK towards greater alignment of the cybersecurity requirements for medical devices with the approach taken by the EU and other international regulators.

Lastly, it is worth noting that, rather than taking a separate approach to any AI-enabled product, the UK’s approach to regulating cybersecurity risks arising from AI is sector-specific. In the healthcare space, the MHRA has announced in its Policy Paper “Impact of AI on the regulation of medical products” of April 2024 that it will follow a principles-based approach to avoid constraining innovation, including guidance on cybersecurity for AI, expected to be published in 2026.

Sidley Austin LLP

70 St Mary Axe
London EC3A 8BE
UK

+44 20 7360 3600

+44 20 7626 7937

marketingdepteurope@sidley.com www.sidley.com

Trends and Developments

Introduction

Last year brought significant developments across the global data privacy and cybersecurity landscape, and this momentum shows no sign of slowing down. Cybersecurity remains a systemic concern that continues to grow in importance; a cybersecurity incident can have significant operational, financial, regulatory, and reputational consequences for an organisation. As the world grows ever more dependent on technology, cybersecurity awareness and resilience become increasingly fundamental. Consequently, cybersecurity remains a UK government priority. The long-term pattern of the increasing intensity and sophistication of cybersecurity risks has been a driver of cyber legislation and policy developments in the UK. The rollout of new legislation in the UK, most notably the proposed Cyber Security and Resilience Bill, signals an enhanced cybersecurity-regulatory regime for businesses, aimed at protecting services that are essential to the day-to-day functioning of UK society.

Amid an increasingly challenging cyber threat environment for UK organisations, 2025 saw the introduction of several important legislative and policy changes. Together, these measures significantly expand the UK’s privacy and cybersecurity regulatory framework, as detailed below.

Data (Use and Access) Act 2025

On 19 June 2025, the UK Data (Use and Access) Act 2025 (the “DUA Act”) received Royal Assent. The DUA Act amends existing UK privacy laws (ie, the UK General Data Protection Regulation (the “UK GDPR”), the UK Data Protection Act 2018 (the “DPA 2018”) and the Privacy and Electronic Communications Regulations 2003 (“PECR”)) to promote innovation and economic growth, whilst continuing to protect individuals and their rights. Its provisions are being phased in between June 2025 and June 2026. See below for some of the notable amendments.

Cookie rules and fines under PECR

The DUA Act extends the cookie rules under PECR to any form of online tracking (including pixels) and increases the maximum fines for breaches to align them with fines under the UK GDPR (ie, up to GBP17.5 million or 4% of global turnover). Under the DUA Act, the use of “low-risk” cookies – eg, those deployed to collect statistical information about how a website is used to improve service or functionality – is now permitted without explicit consent, provided users have an opportunity to opt out.

Digital verification services

The DUA Act introduces a statutory framework for Digital Verification Services (“DVS”), intended to enable individuals to securely verify their identity, attributes, or eligibility online and, where appropriate, as an alternative to physical documentation.

Smart data schemes

The DUA Act facilitates the introduction of sector-specific “Smart Data schemes” by giving the Secretary of State new implementation powers accordingly. The schemes enable secure data-sharing by giving customers the right to require vendors to share their data with authorised third parties. The system is analogous to the GDPR’s “right to data portability” but is broader in scope, as it also covers non-personal data and information related to goods, services or digital content. The DUA Act additionally creates a route for HM Treasury and the Financial Conduct Authority (the “FCA”) to develop “interface rules” supporting open finance, including requirements to use prescribed digital interfaces and comply with technical standards. As a result, UK financial firms may need to update their systems to ensure compliance with any new FCA rules. This will be particularly relevant when engaging third-party vendors or data analytics providers.

Taken together, the reforms introduced by the DUA Act signal a more pragmatic and risk-based approach to data protection in the UK, but one that may require organisations to review and adapt their compliance strategies and closely monitor regulatory guidance as the new regime takes effect.

Cyber Security and Resilience (Network and Information Systems) Bill

The most significant cyber-related development is the UK Cyber Security and Resilience (Network and Information Systems) Bill (the “CS&R Bill”). The Government introduced the CS&R Bill to Parliament in November 2025, with its second reading taking place in January 2026. The CS&R Bill is due to enter the committee stage in February 2026. The CS&R Bill aims to strengthen the UK’s cyber resilience by introducing a number of key reforms, as follows.

Expanding the scope of regulated entities

The existing Network and Information Systems Regulations (“UK NIS”) apply to “operators of essential services” (such as those in the energy, transport and health sectors), and “relevant digital service providers” (including, for example, search engines and cloud computing services). The CS&R Bill extends the regime to additional sectors, notably data centres and managed service providers.

Closer alignment with the EU framework

The CS&R Bill aligns more closely with the EU’s Network and Information Security Directive 2 (“NIS 2”). For example, NIS 2 designates data centre service providers as operating in “sectors of high criticality,” and the CS&R Bill similarly brings data centres within scope as providers of “essential services.” The incident reporting deadlines under the CS&R Bill also mirror those in NIS 2 (see below).

Enhanced incident reporting obligations

Under the current UK NIS, reportable incidents are limited to those “having an actual adverse effect” on the security of network and information systems. The CS&R Bill lowers this threshold to incidents “having or capable of having an adverse effect”. It also introduces a two-stage reporting requirement: an initial notification within 24 hours of an entity becoming “first aware” of an incident, followed by a full report within 72 hours.

Strengthened investigatory powers

The CS&R Bill proposes to strengthen investigatory powers under the UK NIS regime by expanding “information gathering” powers. In particular, competent authorities would be able to require an organisation to provide information or documents, including by requiring them to obtain or generate information, or to collect or retain information that they would not otherwise maintain. These measures are intended to support more effective investigation and enforcement.

Online Safety Act 2023

The UK Online Safety Act 2023 (“OSA”) aims to strengthen online protections for both children and adults and received Royal Assent on 26 October 2023. Under the OSA’s “illegal content” regime (which requires in-scope online service providers to protect users from illegal content and activities), Ofcom (the UK communications regulator) finalised its first illegal content Codes of Practice (the “CoPs”) on 24 February 2025.

The CoPs, which are non-binding, set out recommended measures for risk assessment, the proactive moderation of terrorism and child sexual abuse material (“CSAM”), user reporting mechanisms, and governance arrangements. They take full effect from March 2025.

Ofcom is expected to publish advice to the Secretary of State and final guidance on the use of Technology Notices by April 2026. Where necessary and proportionate, such notices may require providers to deploy accredited technology to tackle CSAM and/or terrorism content. Ofcom has also announced a number of other OSA-related cyber guidelines and reports anticipated in 2026, including a report on age assurance, recommendations on media literacy and a report on the use of app stores by children.

Cybersecurity Threats and Developments

UK cybersecurity breaches

The UK Government’s 2025 Cyber Security Breaches Survey reports an increase in cybercrime incidents from 7.78 million in 2024 to 8.58 million in 2025. The UK National Cyber Security Centre’s (“NCSC”) 2025 review reinforces this trend and warns of an “escalating threat” driven by an “evolving cyber intrusion sector” that lowers barriers to attack. Together, these findings demonstrate the pervasive nature of cyber risk across the UK economy, with phishing and ransomware remaining among the most common threats.

UK Government’s Cyber Growth Action Plan

Cybersecurity is a key pillar of the UK Government’s efforts to drive economic growth. The Department for Science, Innovation and Technology (“DSIT”) issued its Cyber Growth Action Plan (the “Plan”) in September 2025. The Plan is an independent, government-commissioned analysis examining how to both grow the cybersecurity sector and strengthen national cyber resilience. Certain key actions in the plan are outlined below.

  • Embedding “security by design” through product standards. The Plan builds on the existing UK Product Security Regime, making the requirements therein default features instead of optional add-ons. This will prioritise features such as secure configuration, vulnerability handling and support lifecycles.
  • Promoting baseline frameworks to stimulate “informed demand”, such as Cyber Essentials, with the aim of shifting procurement decisions away from lowest cost and prioritising cyber outcomes.
  • Harmonising cyber standards and assurance pathways to make compliance easier for businesses. This harmonisation, alongside simplification of the relevant standards and pathways, also intends to reduce duplication, including closer coordination between DSIT and NCSC.

The elements of the Plan demonstrate movement towards the use of standards, procurement and product regulation as levers to drive cybersecurity maturity and realise consequent market growth. The Plan therefore impacts how organisations deal with technology throughout the breadth of their operations, including design, procurement and assurance.

DSIT Cyber Security Codes of Practice

In 2025, DSIT published three codes of practice addressing cybersecurity and software security. The codes are voluntary guidance addressed to the different stakeholders involved in managing and operating technology, as outlined below.

  • The AI Cyber Security Code of Practice (the “AI COP”) is intended to inform the development of global technical standards for the security of AI systems. Its provisions are centred on the three pillars of safety, security and robustness.
  • The Software Security Code of Practice (the “Software COP”) sets out 14 principles for software vendors, establishing a consistent baseline of software security and resilience.
  • The Cyber Governance Code of Practice (the “Governance COP”), aimed at board-level leaders, outlines five principles and associated actions intended to strengthen cyber governance.

Although these codes are non-binding, collectively they signal the direction of regulatory expectations in the UK and are likely to serve as benchmarks against which cyber maturity, governance and accountability are assessed.

Cybersecurity enforcement trends

Most enforcement action concerning cybersecurity in the UK is taken by the ICO in relation to security incidents under the UK GDPR.

The ICO’s summary of data security incident trends records 3,242 incident reports submitted to the ICO in Q2 2025, a 6% increase on Q2 2024. Of these, 24% were classified as “cyber incidents”, which the ICO’s security incident trends glossary defines as incidents with “a clear online or technological element which involves a third party with malicious intent”.

An indication of the ICO’s enforcement priorities can be gleaned from the foreword to its 2025 annual report. The actions highlighted there illustrate the ICO’s readiness to impose significant penalties, especially where sensitive data is compromised. The ICO notes (amongst other things) enforcement action against a provider of healthcare software and against a company offering genetic testing, which resulted in fines of GBP3.07 million and GBP2.31 million respectively. In both cases the fine followed a cyber-attack that the organisation had failed to guard against with appropriate security measures. According to the Information Commissioner, a consistent theme of the ICO’s 2025 activities is the challenge of maintaining high standards and safeguards for individuals’ rights while fostering an environment in which organisations can innovate responsibly and securely.

Conclusion

Cybersecurity threats pose a serious and growing range of operational, financial, regulatory and reputational risks for organisations operating in the UK and, according to DSIT, remain a material risk for almost all organisations. In its Governance COP, DSIT emphasises that building and maintaining cyber resilience is crucial to protecting an organisation’s financial viability, and that with appropriate resilience measures in place organisations can use digital technologies such as AI to drive their business strategy and improve performance. Organisations should therefore continue to monitor the development of new laws and guidance closely, while proactively implementing appropriate standards to mitigate cyber risk in 2026.

Sidley Austin LLP

70 St Mary Axe
London EC3A 8BE
UK

+44 20 7360 3600

+44 20 7626 7937

marketingdepteurope@sidley.com
www.sidley.com