U.K. authorities on Wednesday introduced highly anticipated legislation that would create minimum cybersecurity standards for critical industries, set incident reporting deadlines and regulate certain IT services that have been the nexus of a recent wave of social engineering attacks.
The Cyber Security and Resilience Bill would allow for suppliers to critical sectors such as healthcare, water, transportation or energy to be designated as essential. They would then have to meet minimum cybersecurity standards to help prevent larger supply chain disruptions.
The plan would also require companies providing IT services, cybersecurity and IT help desk support to maintain robust security plans and to promptly report significant security incidents to the government.
If enacted, the law would create tougher penalties, including penalties based on turnover, in cases of major cyber breaches. The bill would allow penalties of up to $22.4 million (17 million pounds), or 4% of a regulated organization’s worldwide turnover. Less serious breaches would carry a lower penalty of up to 2% of annual turnover.
The U.K. Technology Secretary would be given new powers to direct regulators to take specific steps to boost cyber preparedness where national security is at stake.
The legislation comes a month after U.K. authorities issued a grim analysis of the nation’s cyber posture. The country experienced a record 204 nationally significant attacks and 18 that were deemed highly significant incidents.
A wave of attacks has had severe impacts on the U.K. economy. A late summer cyberattack against Jaguar Land Rover cost the nation’s economy about $2.5 billion, and the government agreed to a massive loan package intended to keep the automaker’s extensive supply chain from collapsing.
“The new U.K. Cybersecurity and Resilience Bill introduces significantly tougher, turnover-based penalties and emergency government powers compared to existing NIS2 and GDPR frameworks, setting a precedent for stricter cybersecurity enforcement,” Madelein van der Hout, senior analyst at Forrester, told Cybersecurity Dive.
In September, Richard Horne, the CEO of the National Cyber Security Centre, called for a shift in focus toward business continuity during a speech at the Billington Cybersecurity Summit in Washington, D.C.
The U.K. has seen major companies endure weeks of disruption linked to cyberattacks, including department store chain Marks & Spencer, which took a $400 million hit from an April social engineering attack.
The chairman of M&S called on U.K. authorities to introduce a mandatory reporting requirement for significant attacks.