Are we mistaking regulation for resilience? | Computer Weekly

News Room
Last updated: 2025/12/11 at 7:17 AM
News Room Published 11 December 2025

As security leaders in the UK, we often feel squeezed between an increasingly aggressive threat landscape and a sprawling legislative framework. A new assessment of the UK’s cyber security legislative framework confirms what many of us discuss over drinks at industry conferences: we are drowning in compliance obligations, yet the nation’s cyber resilience remains alarmingly fragile. For my peers across the UK, this report offers five critical takeaways that should shape our future strategies.

While the UK General Data Protection Regulation (GDPR) theoretically threatens UK businesses with massive penalties, the Information Commissioner’s Office (ICO) issued only three fines in 2024, often favouring reprimands instead. Even more striking is the enforcement void regarding the Network and Information Systems (NIS) Regulations.

Despite a significant rise in incident notifications, freedom of information data indicates a near-total absence of formal sanctions by key competent authorities between 2021 and 2024 (see “Situation Snapshot” table below). While this might sound like a reprieve, it undermines our internal business cases for security investment. If the regulator won’t bite, the board won’t listen.

This leads to the second – and perhaps most worrying – trend: the disengagement of the board. The UK has seen a measurable decline in executive ownership. The percentage of businesses with a board member holding explicit responsibility for cyber security has dropped from 38% in 2021 to just 27% in 2025. This knowledge will significantly impact how seriously our executives treat privacy and security moving forward.

As chief information security officers (CISOs), we cannot allow cyber risk responsibilities to be relegated to the IT department. The Cyber Security and Resilience Bill (CSRB) missed a key opportunity to place accountability with boards and executives as a statutory duty. This would not include making the CISO into the “chief information scapegoat officer” by assigning liability without the resources or authority to address the risks.

Situation Snapshot

| Indicator | Assessment |
| --- | --- |
| Decline in businesses with a board member holding explicit cyber responsibility (2021 vs 2025) | High Risk: Executive ownership is shrinking just as liability is increasing. |
| Percentage of large businesses that continue to suffer breaches | Ineffectiveness: Current compliance spending is not lowering the success rate of attacks for large firms. |
| Increase in ransomware attack numbers between 2024 and 2025 | Escalating Threat: Attackers are outpacing defensive controls despite passing audits. |
| Total fines issued by the ICO in 2024, with a preference for reprimands | Enforcement Void: The regulator is currently ineffective, undermining the business case for security investment based solely on fines. |
| Lack of formal sanctions by competent authorities under NIS Regulations (2021-2025) | False Security: Reliance on regulatory pressure to drive improvements is a failed strategy. |

Third, we must recognise that compliance does not equal resilience. The report, “The UK’s cybersecurity and privacy legislative framework: Effectiveness, enforcement and complexity”, highlights a “tick-box mentality” where resources are diverted toward navigating complex legal requirements rather than effective security controls. The result is a sobering statistic: cyber security breach rates for large businesses persist at 74%.

Companies are passing audits, yet are still falling victim to phishing and increasingly sophisticated ransomware attacks, the latter of which saw numbers double between 2024 and 2025. Our focus must shift from generating documentation to validating operational resilience through rigorous testing of incident response plans.

Fourth, the complexity of the legislative landscape has reached a point of diminishing returns. We are navigating a patchwork of the UK GDPR, NIS Regulations, the Computer Misuse Act and the Online Safety Act, with the new CSRB. This cumulative volume creates a “compliance tax” that drains our finite resources.

For those of us managing supply chains, this is critical. The burden on our small to medium-sized enterprise (SME) partners is crushing, potentially stifling the very innovation we rely on. We must audit our supply chains not just for security, but for their ability to survive this regulatory attrition.

Finally, we must prepare for the expanded scope of the CSRB. The employed strategy is shifting towards a “whole of society” approach, bringing managed service providers (MSPs) and datacentres directly into the regulatory fold. If you rely on third parties, as many of us do, the regulatory spotlight is about to widen.

Ultimately, this report serves as a wake-up call. We cannot rely on legislation to solve the problem, nor can we rely on regulators to enforce it consistently. We must move beyond the “compliance trap” and build cultures and controls that survive contact with our adversaries.


A response to The UK’s cybersecurity and privacy legislative framework report, from William Dutton, Oxford Martin Fellow, Global Cyber Security Capacity Centre, Oxford University:

“Debate on governmental policy on information technologies too often hovers around broad generalities, such as whether to regulate. This insightful report digs deeper. The WCIT [Worshipful Company of Information Technologists] Security Panel addresses issues such as the regulatory paradox across key aspects of major governmental, legislative and regulatory choices, providing valuable insights for policymakers, regulators, and a range of business organisations, including small enterprises. This report is a concise and valuable reference for those with a serious interest in issues tied to cyber security and privacy.”
