Insights

On 12 November, the highly anticipated Cyber Security and Resilience (Network and Information Systems) Bill (“Bill”) was introduced to Parliament, representing a significant expansion and modernisation of the UK’s cyber security rules. Building on the foundation set by the Network & Information Systems Regulations 2018 (“NIS”), the Bill aims to enhance national security and safeguard essential services. The Department for Science, Innovation and Technology (“DSIT”) has published a policy paper detailing the Bill’s objectives.

The UK’s cyber threat landscape continues to evolve, with the rapid emergence of new technologies introducing novel risks across all sectors and attacks escalating in frequency and sophistication. Regulatory bodies and the UK Government have intensified their focus on cyber security and resilience, as evidenced by the latest National Cyber Security Centre (NCSC) 2025 annual review (Review) and the proposed UK Cyber Security and Resilience Bill (Bill), alongside recent developments in ransomware regulation.

Researchers have identified a new wave of cybersecurity attacks against European drone makers by the Lazarus Group, a well-known and sophisticated threat actor group, allegedly sponsored by the North Korean government.

The states of the Persian Gulf are moving rapidly to establish themselves as global centers of investment and innovation in artificial intelligence (AI). The Kingdom of Saudi Arabia, the United Arab Emirates (UAE), and the State of Qatar are making substantial outlays in technology and infrastructure as they seek to diversify their economies away from oil. As important, their governments are implementing digital regulations and AI strategies in a bid to attract foreign investment and develop technology companies that can go toe-to-toe with American and European competitors. 

On 18 September, during the anticipated state visit, the leaders of the UK and the US signed the Technology Prosperity Deal, which promises to boost investment and cooperation to foster innovation, security, and economic prosperity. This is being lauded in the UK as a hugely significant milestone in transatlantic cooperation. The governments of both countries have released a Memorandum of Understanding (“Memo”) which covers a number of ambitious plans in strategic science and technology fields, including artificial intelligence (“AI”), nuclear energy, fusion, and quantum technologies.

On 8 August, the UK Department for Science, Innovation & Technology (“DSIT”) published a report titled “Emerging technologies and their effect on cyber security” (the “Report”). It examines how the convergence of AI, IoT, Quantum, Edge Computing, Blockchain and other emerging technologies is transforming the cyber threat landscape. We’ve summarised below some of their key findings and takeaways. In the pursuit of growth and efficiencies many companies are considering how to adopt emerging technology into their operational processes, and the Report provides a useful guide as to emerging cyber risks and where the UK Government’s attention is focused as it launches the Cyber Resilience Bill later this year.

On 11 July 2025, the European Data Protection Supervisor, (“EDPS”), the independent supervisory authority, which oversees the processing of personal data by EU institutions, bodies, offices and agencies, (“EUIs”) confirmed that the European Commission, (“Commission”) has succeeded in bringing its use of Microsoft 365 within the requirements of applicable European data protection rules thanks to additional measures adopted by both the Commission and Microsoft.

Ofcom, the UK’s communications and appointed online safety regulator, is following through on its commitment to protect children online. From 25 July 2025, Ofcom will enforce its Protection of Children Codes of Practice (the “Code”) under the Online Safety Act 2023 - a significant milestone for digital safety in the UK.

On 2 June 2025, the UK Government unveiled its 2025 Strategic Defence Review titled the “Plan for Change for Defence” (the “2025 SDR”), heralding it as the dawn of a new era in British defence and security. Hailed as a landmark by the Prime Minister, the 2025 SDR underscores the urgent need to address daily cyber threats and embrace the rapid evolution of technology that is reshaping the battlefield. It also emphasises both the necessity of and the opportunities that this approach affords to create a new partnership with industry and radically reform procurement, leading to the creation of a “defence dividend” of jobs, wealth and opportunity throughout the UK.

Ransomware attacks have escalated in frequency and sophistication, posing a significant threat to national security and critical national infrastructure (“CNI”). Cybersecurity has emerged as a core pillar of the UK’s national defence strategy, as set out in the recent Strategic Defence Review. The Government has recognised cyber as a crucial area for modern conflict. Ransomware attacks are a significant method of attack, as a form of cybercrime which involves malicious software encrypting data and a ransom demand for its restoration or to prevent its publication. The UK has experienced a notable rise in such incidents, including attacks on Synnovis (an NHS diagnostics service provider) and Southern Water (a water company providing water to a region of the UK), both in 2024.

Earlier this month the National Cyber Security Centre (“NCSC”) hosted CYBERUK, the UK government’s flagship cybersecurity event. On 7 May the NCSC launched their report “Impact of AI on cyber threat from now to 2027” (“Report”), whilst the Department for Science, Innovation and Technology (“DSIT”) published a new voluntary Software Security Code of Practice, (“Code”). Cybersecurity and AI are under the spotlight in the UK. Eyes are also on the recently unveiled US/UK trade agreement and the possibility of a further transatlantic tech-focused agreement to cement prior Technology and Data Partnership discussions to create a US/UK “digital bridge.”