UK government gets tough on security obligations with new cyber ‘code of practice’
A new cyber 'code of practice' will ensure businesses across the UK prioritize security threats and implement measures to reduce risk

The UK government has launched a draft code of practice on cyber security governance in a bid to encourage firms to prioritize cyber threats as a key business risk.
Officials have called for feedback on the proposed Cyber Governance Code of Practice, which is aimed at executive and non-executive directors and other senior leaders.
The code recommends treating cyber security issues as just as much of a key focus as financial and legal pitfalls, urging leaders to set out clear roles and responsibilities across their organizations, boosting protections for customers and safeguarding their ability to operate safely and securely.
"Cyber attacks are as damaging to organizations as financial and legal pitfalls, so it’s crucial that bosses and directors take a firm grip of their organization’s cyber security regimes - protecting their customers, workforce, business operations and our wider economy," said minister for AI and intellectual property, Viscount Camrose.
"This new code will help them take the lead in safely navigating potential cyber threats, ensuring businesses across the country can take full advantage of the emerging technologies which are revolutionizing how we work."
Inside the NCSC’s plan to create a national threat tracking A-TeamCyber attacks more than doubled in 2023, so why are so many firms still not taking security seriously?Four-in-ten employees sacked over email security breaches as firms tackle “truly staggering” increase in attacks
A major focus of the code is the ability to respond to and recover from any potential cyber incidents, with plans regularly tested so they're as robust as possible, and with a formal system for reporting incidents also in place.
It also urges organizations to give employees the skills and awareness of cyber issues they need to work with new technologies in confidence.
Get the ITPro. daily newsletter
Sign up today and you will receive a free copy of our Focus Report 2025 - the leading guidance on AI, cybersecurity and other IT challenges as per 700+ senior executives
The government is calling on businesses of all sizes from all sectors to share their opinions on the draft code.
"It is vital the people at the heart of this issue take the lead in shaping how we can improve cyber security in every part of our economy, which is why we want to see industry and business professionals from all walks coming forward to share their views," Camrose said.
Discover a verification framework for DORA
DOWNLOAD NOW
The draft code is a response to the fact that almost one-in-three UK firms have suffered a cyber breach or attack in the past year, with a sharp rise in ransomware attacks recorded against businesses.
Kevin Curran, IEEE senior member and professor of cyber security at Ulster university, welcomed the move as a positive step to ensure organizations across the country focus their efforts on mitigating growing cyber threats.
"The threat landscape is constantly evolving, so organizations need to keep pace and ensure that they regularly reviewing and upgrading their defenses,” he said.
“Some approaches that worked just a few years ago are now obsolete and attackers change their profile far quicker now, so it is incredibly difficult to identify which packet requests are nefarious.
"Moving forwards, senior management must have a more holistic understanding and approach to cybersecurity and IT departments must be able to maintain proficient security protocols or policies for years to come. Inevitably, this means increasing the amount of IT security staff and ensuring all staff are sufficiently trained, even if just basic cyber skills."
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.

UK firms are pulling ahead of EU competitors in the AI race – here's why

The CMA just dropped its probe into the Microsoft–OpenAI deal