By Peter Given & Rebecca Morgan

Published 08 May 2025

Overview

Cyber security is the practice of securing computer systems and data from unauthorised access, interference or use (i.e., cyber-attacks). In an ever more digital world, the volume, velocity and impact of cyber-attacks are ever increasing.

Cyber security laws seek to improve the ability of organisations to resist and recover from cyber-attacks. In the UK, there is no single overarching cyber security law. Instead, the cyber security legal landscape in the UK (and in the EU) is made up of a multitude of laws and is supplemented by a plethora of guidance and codes of practice. At a high level, the UK's cyber security laws can be divided into three broad categories: (i) laws of general application; (ii) sector-specific laws; and (iii) product-specific laws. 

Laws regulating cyber security frequently contain common themes: they require organisations to adopt appropriate security measures. Often (but not always) this is a general principles-based obligation, rather than an obligation to implement specific measures. These laws also frequently contain security incident reporting obligations.

In this article, we will explore some of the key cyber security laws in the UK and what developments are on the horizon. While this article is focused on the position in the UK, it is worth noting that many of the laws in the UK are derived from, or similar to, those in the EU, so there is a degree of regulatory alignment.


Laws of general application

UK GDPR

The UK GDPR, together with the Data Protection Act 2018 (DPA 2018), applies to organisations that process personal data. The UK GDPR and the DPA 2018 apply regardless of the sector in which the organisation operates (although the regimes applicable to law enforcement and security service personal data processing differ from those applicable more generally).

The UK GDPR contains a number of (cyber) security obligations. These include:

  • A general obligation to implement appropriate technical and organisational measures to ensure the security of personal data.1 In determining what measures are appropriate, organisations must consider (among other things) the state of the art, cost and the risks to individuals. Whilst the UK GDPR does not mandate specific measures or standards, it does put the onus on organisations to determine what measures should be implemented in relation to their specific processing situation.
  • Various personal data breach notification obligations.2 For controllers, this comprises an obligation to notify the ICO of personal data breaches without undue delay and, where feasible, within 72 hours of becoming aware of the breach (unless the breach is unlikely to result in a risk to data subjects) and, if the breach is likely to result in a high risk to data subjects, an obligation to also notify data subjects without undue delay.

In addition to these "direct" security obligations, the UK GDPR contains a number of "indirect" security obligations (i.e., measures associated with good cyber hygiene). These include requirements to limit personal data that is processed to what is necessary,3 to keep personal data for no longer than is necessary4 and to implement data protection by design and by default.5


Computer Misuse Act 1990

The Computer Misuse Act 1990 (CMA) does not set out any specific cyber security requirements or obligations. Instead, it creates various cybercrime offences, which have evolved over time.6 This includes offences for causing a computer to perform any function with intent to secure unauthorised access to any program or data held in a computer, as well as making, supplying and obtaining articles for use in offences under the CMA. The former offence captures traditional cyber hacking activities, and the latter offence would include activities associated with developing and distributing malware (such as ransomware). Sanctions under the CMA can be severe, with some offences punishable by way of life imprisonment.


Sector-specific laws

Recognising the importance of particular sectors to the UK's economy and welfare of its population (and thus the even greater potential impact of a successful cyber-attack on those sectors), certain cyber security laws target particular industries and sectors. Some of the key laws in this regard are explained in this section.


Critical infrastructure and digital services

The Network and Information Systems Regulations 2018 (NIS Regulations) transpose into UK law the requirements of the EU Network and Information Systems Directive (EU) 2016/1148 (NIS Directive).7 The NIS Regulations impose cyber security and incident reporting obligations upon two specific categories of organisation:

  • Relevant digital service providers (RDSPs), specifically providers of online marketplaces, online search engines, and cloud computing services; and
  • Operators of essential services (OESs) in specific sectors that meet certain threshold operating requirements. The sectors are energy, transport, health, drinking water supply and distribution, and digital infrastructure.

These organisations fall within the NIS Regulations on the basis that they provide services which, if disrupted, have the potential to significantly damage the UK economy, society or the welfare of individuals.

Whilst the obligations of RDSPs and OESs differ slightly, the NIS Regulations essentially require both types of organisation to:

  • Take appropriate and proportionate measures to manage risks posed to the security of their network and information systems, and prevent and minimise the impact of security incidents affecting those systems with a view to ensuring service continuity.8
  • Notify the organisation's designated competent authority (see below) about any incident that significantly (or, in the case of RDSPs, substantially) impacts the continuity of its essential or digital services. Notification must occur without undue delay and in any event within 72 hours of the organisation becoming aware of the incident.9

The scope of the cyber security obligations under the NIS Regulations is different from that under the UK GDPR. Specifically, the NIS Regulations are concerned with the security of network and information systems and the digital data processed on them, whereas the UK GDPR is concerned with the security of personal data (which can, in some circumstances, extend to hardcopy personal data). The term "network and information system" is defined in the NIS Regulations10 and, in summary, covers computer systems and networks used to process "digital data"; digital data is information stored in digital form on a network and information system.

The NIS Regulations are not enforced by one body. Instead, the relevant competent authority will be one of twelve sector-specific bodies, such as Ofcom, which is the designated competent authority for the digital infrastructure sector in the UK. The ICO also plays a key role, being designated as the competent authority for all RDSPs.


Financial services

While the NIS Directive extended to banking and financial market infrastructures, in enacting the NIS Regulations, the UK Government decided to omit the financial services sector. This was on the basis that this sector is already subject to rules and requirements that (essentially) oblige financial services organisations to maintain appropriate cyber security and notify regulators of significant security incidents.

For example, SYSC 3.2.6R in the FCA Handbook requires a firm to take reasonable care to establish and maintain effective systems and controls for compliance with applicable requirements and standards under the regulatory system and for countering the risk that the firm might be used to further financial crime. Similarly, Principle 11 in the FCA Handbook requires a firm to deal with its regulators in an open and cooperative way, and to disclose to the FCA appropriately anything relating to the firm of which that regulator would reasonably expect notice; this would include notifying the FCA of cyber security incidents.


Telecommunications

The telecommunications sector is also subject to specific cyber security legislation through the Communications Act 2003 (as amended by the Telecommunications (Security) Act 2021) (CA 2003) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR). These laws apply to providers of "public electronic communications networks" (PECN) and "public electronic communications services" (PECS).

Both PECN and PECS are defined in section 151 of the CA 2003. In essence, a PECN is a transmission system (including the equipment, software and data that comprise that system) used to convey electronic signals (including sounds, images or data) and which is used by members of the public. A PECN would include, for example, a mobile phone network. A PECS is a communication service that the public can use to send or receive electronic signals (including sounds, images or data). For example, a mobile phone service or internet service.

Under the CA 2003, a provider of a PECN or a PECS must take appropriate and proportionate measures to (a) identify the risks of security compromises occurring, (b) reduce the risks of security compromises occurring and (c) prepare for the occurrence of security compromises.11 In the event of a security compromise, the provider of a PECN or a PECS must take appropriate and proportionate measures to prevent adverse effects arising, and to remedy or mitigate any adverse effects that do arise.12 For these purposes, a security compromise is broadly defined in the CA 200313 and essentially covers anything that compromises the availability, performance, authenticity, integrity or confidentiality of the PECN or PECS, or the data processed on it.

The CA 2003 also provides for a power for Secretary of State to impose specific security measures on providers of a PECN or PECS.14 This is one area where the law does impose specific measures on organisations, rather than a general, principles-based obligation. Pursuant to this provision, the Electronic Communications (Security Measures) Regulations 2022 were introduced in October 2022 and set out various specific security measures, including in relation to patches and updates to software and equipment to address security vulnerabilities and supply chain risks. 

Under PECR, a provider of a PECS is also obliged to take appropriate technical and organisational measures to safeguard the security of that service, albeit PECR places a particular emphasis on the protection of personal data processed in the PECS.15 Similarly, under PECR, in the event of a personal data breach concerning the PECS, the provider of the PECS must notify the ICO and, if it is likely to adversely affect the personal data or privacy of a subscriber or user, the provider must also notify the subscriber or user concerned.16 The ICO must be notified within 24 hours.17 The Data (Use and Access) Bill that is (at the time of writing) going through the final stages of the UK legislative process contains a provision that, if passed, would amend this time period to align with the personal data breach notification period under the UK GDPR (i.e., without undue delay and, where feasible, within 72 hours).18


Product-specific laws

While sector-specific laws have been enacted to enhance the cyber security of particular industries that are critical to the UK economy and the welfare of its population, product-specific legislation has been enacted to improve the cyber security of products that are particularly vulnerable to cyber-attacks.

Internet-connected devices, such as smart speakers, smart TVs and other connected appliances (including smart security devices) are now commonplace. In 2020, the average Briton had access to more than nine connected devices, and this figure is almost certainly higher now. Connected devices are used extensively and often have weak security measures (e.g., basic default passwords). This makes them a particularly attractive target for threat actors. In response to this, the UK has enacted certain product-specific cyber security laws. We explore some of these regimes below.


Internet connected devices 

Section 1 of the Product Security and Telecommunications Infrastructure Act 2022 (PSTI) empowers the Secretary of State to specify requirements (by way of secondary legislation) for the purpose of protecting or enhancing the security of internet-connected devices and users of such products (note some products are exempt from this regime – e.g., if they are protected by other rules). Regulations19 issued under the PSTI require manufacturers of in-scope devices to implement the following specific security requirements: (a) universal default and easily guessable passwords must not be used; (b) the manufacturer must publish information on how to report security issues; and (c) the manufacturer must publish information on the period for which security updates will be provided.20


Electric vehicle smart charge points

In a similar vein to internet-connected smart devices, the UK has enacted laws mandating specific security measures to be applied to electric vehicle charge points. In particular, Schedule 1 of the Electric Vehicles (Smart Charge Points) Regulations 2021 sets out the basic security standards to be met (e.g., charge points must have unique passwords, charge point passwords cannot be reset to a default password shared by that charge point and other charge points, and the charge point must be able to automatically check for security updates).


AI products

Currently in the UK, we do not have a standalone AI-specific law. That said, the UK has introduced a non-statutory, principles-based framework for the responsible design, development and use of AI. One of these principles concerns security. Specifically, the principle requires that "AI systems should function in a robust, secure and safe way throughout the AI life cycle, and risks should be continually identified, assessed and managed." Applying this principle, those developing and deploying AI systems will need to ensure appropriate (cyber) security. The National Cyber Security Centre (see below) has issued a range of guidance on AI and cyber security.


Guidance and Codes of Practice

The patchwork of UK cyber security laws is supplemented by a broad range of guidance issued by regulators (including the ICO) and the UK Government. Of particular note is the guidance issued by the National Cyber Security Centre (NCSC). The NCSC is the UK's technical authority for cyber security and is part of GCHQ, the UK's signals intelligence and cyber agency. Among other things, the NCSC provides advice and guidance on the Cyber Essentials scheme. Cyber Essentials is a Government-backed certification scheme which mandates five technical controls (firewalls, secure configuration, user access control, malware protection and security update management) to guard against the most common forms of cyber-attack.


Cyber security laws: change on the Horizon?

We are facing significant cyber threats, including from ever more sophisticated cybercriminals and hacktivists, and from state and state-sponsored actors. The results of the Department for Science, Innovation and Technology's 2024 cyber security breaches survey underline the significance of the threat. For example, that survey noted that half of business respondents reported having experienced a cyber security breach or attack in the preceding 12 months. This equates to approximately 718,000 businesses.

Perhaps unsurprisingly then, in the briefing notes accompanying the King's Speech in July 2024, the then newly elected Labour Government set out its plans to enhance UK cyber security laws through a new Cyber Security and Resilience Bill (CSR Bill). In April 2025, a policy statement was issued in relation to proposals for a CSR Bill. The policy statement notes that the CSR Bill will seek to make certain changes to the existing NIS Regulations, such as bringing more entities within their scope (including managed IT service providers), putting regulators on a stronger footing, creating powers for secondary legislation to be issued to set stronger duties on OESs and RDSPs to manage supply chain risk, and broadening the incident reporting requirements currently set out in the NIS Regulations. At the time of writing the text of the Bill has not been published, but this is expected in 2025.

In parallel, the UK Home Office is consulting on new laws regulating ransomware. Ransomware is a type of malware that infects a victim's computers and typically prevents the victim from accessing system(s) or data. A ransom is demanded to regain access to the system or data. In the UK, ransomware is considered the greatest of all serious and organised cybercrime threats. The Home Office proposals seek to undermine the ransomware business model for threat actors targeting the UK and increase the intelligence around ransomware attacks to better inform future approaches. 

The consultation puts forward three proposals to achieve this:

  • Proposal 1: A ban on ransomware payments being made by the UK public sector and owners / operators of UK Critical National Infrastructure. This is intended to prevent ransomware attacks on these institutions by ensuring threat actors will make no money from such attacks.
  • Proposal 2: The introduction of a ransomware payment prevention regime. Victims of ransomware (that are not prohibited from paying a ransom under proposal 1) would be required to engage with UK authorities and report their intention to make a ransomware payment (if they are minded to do so). The victim would then be provided with guidance and support, which would include non-ransom payment resolution options and also whether there is a reason for a payment to be blocked – e.g., due to sanctions or terrorism finance restrictions.
  • Proposal 3: The creation of a ransomware incident reporting regime. Under this proposal, ransomware victims would be required to report ransomware attacks, regardless of whether they intend to pay the ransom. The Home Office consulted on whether this should be economy wide or only for certain organisations.

The consultation closed on 8 April 2025, and we await the output of the consultation and what form any legislative proposal may take.


What does this mean for your business?

The cyber security threat landscape is complex and dynamic. The increasing digitisation of society means that the impact of successful cyber security attacks can be severe. To add to this complexity, as this article has shown, there are a myriad of current and future laws, regulations and guidance that regulate and require cyber security. 

While it is important to understand the detail, for organisations grappling with the cyber security landscape, it may be helpful to take a step back and think about what the law generally requires – the application of appropriate security protection for systems and data.

Organisations can go a long way towards protecting themselves from cyber threats by implementing basic cyber hygiene (as advocated by the Government-backed Cyber Essentials scheme). Implementing measures such as strong password requirements, multi-factor authentication, robust security vulnerability patching, and staff information security training can all help organisations keep their systems and data secure and avoid becoming a victim.


[1] Article 5(1)(f) and Article 32, UK GDPR

[2] Articles 33 and 34, UK GDPR

[3] Article 5(1)(c), UK GDPR

[4] Article 5(1)(e), UK GDPR

[5] Article 25, UK GDPR

[6] Sections 1 to 3A, CMA

[7] The EU's NIS Directive has now been repealed and replaced with Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union (the NIS 2 Directive); given the UK's departure from the EU, the NIS 2 Directive is not applicable to the UK

[8] Regulations 10 and 12, NIS Regulations

[9] Regulations 11 and 12, NIS Regulations

[10] Regulation 1(2), NIS Regulations

[11] Section 105A, CA 2003

[12] Section 105C, CA 2003

[13] Section 105A(2), CA 2003

[14] Section 105B, CA 2003

[15] Regulation 5, PECR

[16] Regulation 5A, PECR

[17] Article 2, Commission Regulation (EU) No 611/2013 of 24 June 2013 on the measures applicable to the notification of personal data breaches under Directive 2002/58/EC of the European Parliament and of the Council on privacy and electronic communications

[18] See section 111, Data (Use and Access) Bill (Bill 199 2024-25 (as amended in Public Bill Committee), published 13 March 2025)

[19] Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023

[20] Schedule 1, Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023
