Enhancing UK cyber security resilience and leadership engagement
Client Alert | 6 min read | 10.29.25
The UK’s cyber threat landscape continues to evolve, with the rapid emergence of new technologies introducing novel risks across all sectors and attacks escalating in frequency and sophistication. Regulatory bodies and the UK Government have intensified their focus on cyber security and resilience, as evidenced by the latest National Cyber Security Centre (NCSC) 2025 annual review (Review) and the proposed UK Cyber Security and Resilience Bill (Bill), alongside recent developments in ransomware regulation.
The Review reiterated that organisations should already be fully aware of the importance of embedding cyber security priorities across their entire business; it is not only a technical or IT department challenge. Cyber security is a critical Board-level issue and demands strategic attention from senior leadership.
We anticipate that in the UK this focus on operational resilience at Board level will receive increasing scrutiny, following the recent high-profile cyber-attacks that required UK Government financial assistance and with the advent of new cyber legislation.
Cyber security updates on the horizon
The UK Government first announced plans for the new Bill in the July 2024 King’s Speech, and the initial wording is expected to be formally introduced to Parliament in 2025. In its policy statement, the Government states its aim is to “strengthen the UK’s cyber defences and build the resilience of our essential services, infrastructure, and digital services”. We expect the key measures to include:
- Expanding the existing framework: Bringing more entities into scope, rather than just those subject to the current NIS Regulations 2018. This is intended to protect services and operators across the supply chain, including managed service providers, and to allow the designation of ‘Critical Suppliers’, which we anticipate will include any critical national infrastructure (CNI). It remains to be seen whether data centres will be brought into scope, or only the energy companies that will be powering them.
- Enhanced powers for regulators: More resources and powers for regulators, including the ICO, to proactively investigate and enforce cyber security measures. Regulators would also be able to make regulations to update requirements and to issue codes of practice.
- Incident reporting: Currently, reporting is only required where an incident has resulted in an interruption to the service; the intention is to expand this to capture incidents that are “capable of having a significant impact”. There will be a two-stage reporting process: notifying the NCSC within 24 hours of becoming aware of an incident, followed by a full incident report within 72 hours.
- Adaptability: There will be delegated powers allowing the regime to adapt to emerging threats. These could bring new sectors into scope or introduce new duties, following consultation.
In our previous alert, we also set out the UK Home Office’s response to the ransomware consultation. In short, the Home Office currently favours barring public sector bodies and CNI operators from paying ransoms, combined with a mandatory 72-hour reporting regime for ransomware incidents. Reporting requirements are clearly under the lens, and organisations will have to assess this regime alongside those to be introduced by the Bill.
Based on recent events and the views of regulators, we may see these potential rules expanded to cover more of the supply chain. For instance, the UK Government has recently stepped in to provide financial assistance to upstream suppliers in a supply chain who were affected by a data breach that incapacitated a manufacturer’s operations. There is increasing emphasis on closing security risks related to supply chains, but equally on ensuring that the prime contractor has the operational resilience to prevent SMEs from being severely impacted, signalling the potential for more comprehensive obligations to protect those within the supply ecosystem. Leadership needs to be fully engaged on what this may mean for their business, especially when reviewing incident response plans. Businesses should anticipate updates to insurance coverage and consider multidisciplinary planning.
NCSC 2025 Annual Report
Published in October 2025, the NCSC’s Review provides a comprehensive overview of the UK’s cyber threat environment. Increasingly sophisticated attacks from state actors and criminal groups, the proliferation of ransomware, and the rapid adoption of AI and emerging technologies all underscore the urgent need for robust, forward-looking cyber defences.
A core message throughout the Review is that cyber security is now unequivocally a boardroom priority. The NCSC continues to promote Board-level accountability, emphasising that cyber risk management must be a shared responsibility and an integral component of organisational governance. Through initiatives such as the Cyber Governance Code of Practice and dedicated training programmes, Boards are given tools to oversee cyber risk confidently and to translate cyber risk into its impact on the organisation. This shift is reinforced by NCSC guidance for CISOs on communicating with Boards.
The Review reiterates that threats, such as ransomware, demand comprehensive approaches that anticipate, absorb, recover from, and adapt to cyber compromise. The NCSC’s resilience engineering recommendations emphasise techniques ranging from infrastructure as code for rapid system recovery and segmentation for containment, to principles of least privilege and advanced monitoring. Ultimately, the Review sets out that effective cyber defence and resilience stem from engaged leadership, integrated response planning, and a commitment at every level of the organisation.
Key takeaways for businesses
- Boards and organisation-wide: Cyber security is a governance and legal risk issue demanding active engagement from senior leadership for it to be embedded across the organisation. It is a priority to embed resilience into corporate governance and for leadership to oversee cyber resilience and understand how cyber risks translate into business, legal, and financial impacts.
- Multi-disciplinary response: Develop and regularly test incident response plans with input from legal, technical, communications, and leadership teams. Schedule routine audits and simulated breach exercises to identify vulnerabilities and improve readiness.
- Emerging technologies: Rapid developments in AI, cloud computing, and other tech heighten exposure to complex cyber threats. Have a read of our previous alerts on the (i) UK Department for Science, Innovation & Technology (DSIT) report on emerging technologies, and (ii) NCSC report on the impact of AI on cyber threats and the DSIT Software Security Code of Practice.
- Regulatory scrutiny: The NCSC Review, the upcoming Bill and the ransomware rules signal increased regulatory expectations. Organisations should closely track updates on ransomware regulation, as well as any sector-specific guidance, to ensure compliance and strengthen incident response plans. Prepare for expanded incident reporting and supply chain obligations.
- Resilience: Robust cyber resilience strategies, including recovery plans, regular testing, and stakeholder engagement, are mandatory. Assess contracts throughout your supply chain to confirm that cyber security requirements are robust, and to understand the extent of your reliance on any single supplier.
- Review governance: Proactive review of your organisation’s governance, risk management, and incident response capabilities is critical to stay ahead of both threats and regulators. Ensure clear assignment of cyber risk oversight, with defined responsibilities at Board and senior management levels.
Crowell & Moring has a team of global data protection, incident and cyber resilience experts who support clients across all aspects of cyber risk management, including regulatory compliance, incident response planning and strategy, helping organisations navigate complex challenges and build effective strategies for resilience.