Cybersecurity Laws in the UK: What Businesses Need to Know in 2025
The United Kingdom’s cybersecurity regulations continue to evolve as hybrid work expands, third-party risk grows, and cross-border data flows accelerate. Security leaders must keep pace by embedding compliance into every layer of their cyber risk strategy—not treating it as a checkbox.
This article outlines key cybersecurity laws in the UK and what they mean for CISOs, security operations teams, and compliance officers. For each regulation, we explain what it covers, why it matters, and what actions you need to take now.
Cybersecurity regulations in the UK address the growing complexity of digital threats and data governance. The UK General Data Protection Regulation (UK-GDPR) and the Data Protection Act 2018 are the key pieces of legislation governing the use of personal data, and organizations must comply with them to avoid severe penalties and maintain consumer trust. The National Cyber Security Centre (NCSC) provides guidance and support to help organizations protect against cyber threats. Below, we explore the principles and responsibilities security leaders must address, especially around information systems, data protection, and threat readiness.
UK-GDPR: The Cornerstone of Data Privacy
The UK-GDPR is the UK’s version of the EU’s GDPR. It governs how personal data is collected, processed, stored, and shared. It took effect after Brexit and mirrors many of the same principles as the original GDPR.
The law exists to protect individuals’ privacy and ensure companies handle personally identifiable information (PII) responsibly. For cybersecurity leaders, the stakes are high:
- Data breaches involving PII must be reported to the Information Commissioner’s Office (ICO) within 72 hours.
- You must embed data protection by design and by default.
- Noncompliance can lead to fines of up to £17.5 million or 4% of global turnover.
- Third-party vendors must meet the same standards, adding a new layer to vendor risk management.
This year, the UK is in the process of updating its GDPR framework to introduce “recognized legitimate interests.” This change would allow some entities to process data without explicit consent in certain circumstances—such as national security, fraud prevention, or protecting vulnerable individuals—when doing so serves the public interest.
Ensuring compliance with this cybersecurity law is crucial for maintaining trust and safeguarding digital assets.
DPA 2018: The Legal Backbone Behind GDPR
The Data Protection Act 2018 (DPA 2018) supplements UK-GDPR by adding guidance around law enforcement access and national security exemptions.
It reinforces the need for risk-based security, especially where biometric or genetic data is involved. Security teams are required to:
- Minimize the use of sensitive data and ensure its accuracy
- Conduct Data Protection Impact Assessments (DPIAs) for high-risk processing
- Train staff on the handling of medical information, PII, and other sensitive data
For cybersecurity pros, DPA 2018 also means auditing access logs, enforcing least privilege, and building a defensible compliance trail.
NIS2: New Rules for Critical Infrastructure
NIS2, the updated Network and Information Systems Directive, builds upon the original NIS Directive to enhance cybersecurity throughout the European Union. It expands coverage to include digital services, healthcare, energy, and telecom, and it requires rapid breach reporting and robust cyber hygiene. Although the UK is no longer bound by EU law post-Brexit, it is developing guardrails that align closely with NIS2.
Under NIS2, security teams must:
- Report incidents within 24 hours of detection
- Conduct and document regular cyber risk assessments for digital infrastructure
- Apply both technical and organizational safeguards
- Manage compliance from the board level—directors can be held liable for failures
NIS2 raises the bar for enterprise and third-party cyber resilience, putting pressure on organizations to rethink continuity planning.
DORA: Digital Resilience for Financial Services
The Digital Operational Resilience Act (DORA), another EU framework, targets financial entities and their third-party providers. It mandates operational continuity in the face of IT disruptions and vendor failure. UK entities that operate in EU jurisdictions are expected to comply with DORA.
Key takeaways for cybersecurity leaders:
- Perform annual digital resilience testing
- Maintain and analyze incident logs
- Conduct risk assessments of cloud and third-party providers
- Quantify and document supply chain risk across the vendor ecosystem
Failure to comply with DORA can lead to financial penalties and reputational damage. DORA puts proactive cyber risk management at the center of operational resilience.
Computer Misuse Act: Defining Criminal Access
The Computer Misuse Act 1990 remains the UK’s primary legislation against unauthorized access and data breaches.
It criminalizes both external and internal access violations. For security teams, this means:
- Implementing technical access controls and detection
- Regularly auditing user activity
- Building processes to prevent insider threats and enforce authorization policies
Any system intrusion, even accidental, can now have legal consequences.
Telecoms Security Act: Infrastructure Under Watch
The Telecommunications (Security) Act 2021 introduces mandatory security practices for telecom providers, in response to escalating state-sponsored cyber threats.
If your business depends on telecom vendors, be aware:
- Providers must complete risk assessments and prove resilience
- Supply chain security and vendor due diligence are required
- Noncompliant suppliers can jeopardize your own compliance
Third-party telecom risks must now be tracked, scored, and mitigated proactively.
PECR: Marketing, Messaging, and Consent
The Privacy and Electronic Communications Regulations (PECR) cover cookies, direct marketing, and telecoms privacy, and they work alongside UK-GDPR.
Your team must:
- Gain explicit user consent before tracking with cookies
- Keep detailed logs of consent choices
- Provide opt-out mechanisms for marketing communications
For guidance on handling personal data and breach notifications, refer to the ICO website.
Breach of PECR can trigger fines, criminal prosecution, and ICO scrutiny, particularly for companies handling large volumes of PII.
What’s on the Horizon: Regulations to Watch
Cybersecurity regulation in the UK continues to evolve. Key frameworks to watch include:
- EU Cyber Resilience Act – Impacts companies exporting secure-by-design software into Europe
- AI Act – May apply to AI used in fraud detection and behavioral analytics
- UK Operational Resilience Framework – Emphasizes third-party risk and scenario-based planning
Security teams should track these developments and align controls early.
Why Compliance Failure Is a Business Risk
Failing to comply with UK cybersecurity laws can create material, organization-wide risk. For business and security leaders, this is no longer just a technical concern—it’s a core governance issue.
- Millions of pounds in financial penalties can erode earnings and trigger investor scrutiny
- Loss of trust from partners, regulators, and customers can jeopardize commercial relationships
- Legal liability may extend to contractors and business associates, amplifying third-party risk
- Mandatory reporting requirements to regulators, investors, and customers increase reputational exposure after a breach
Cybersecurity leaders must now demonstrate they have strong access controls in place, defend their data protection posture, and ensure that PHI, debit card numbers, and other sensitive data are properly secured at every layer of the vendor ecosystem.
Proactively auditing access privileges—and removing outdated or excessive permissions—is no longer just a best practice for security leaders. It’s an operational imperative.
Go deeper: Explore How Third-Party Breaches Multiply Risk
Read: A Deep Dive Into Third-Party Cybersecurity Breaches. SecurityScorecard research reveals how gaps in vendor and partner networks expose companies to enforcement risk, and how real-time monitoring and SCDR close those gaps before attackers find them.
Organizations like the NCSC provide support and advice to companies and regulators on cybersecurity matters, including guidance on best practices, assistance during significant incidents, and help meeting regulatory obligations. This reflects the need for cohesive effort across sectors to minimize cybersecurity risk and enhance resilience.
Strengthen Compliance Through Visibility
Transform Third-Party Risk into Supply Chain Resilience
With SecurityScorecard’s Supply Chain Detection and Response (SCDR), gain actionable insights into your vendors’ security postures. Our platform empowers you to make informed decisions, ensuring compliance and strengthening your supply chain’s cybersecurity.