Cyber security requirements for UK businesses

Cyber security is no longer optional for UK businesses. With cyber attacks at record levels and significant regulatory requirements in place, all organisations must take steps to protect themselves, their customers, and their data.

The National Cyber Security Centre (NCSC) states: "The question is no longer if your organisation will face a cyber incident, but when." Understanding the threat landscape and your obligations is the first step to building resilience.

The current threat landscape

The UK is experiencing unprecedented levels of cyber attacks. Understanding the scale of the threat helps you prioritise cyber security investment and preparedness.

NCSC cyber threat statistics 2025

Current statistics on cyber attacks targeting UK organisations from NCSC Annual Review 2025.

The UK is experiencing record cyber threats. The National Cyber Security Centre (NCSC) states: "The question is no longer if your organisation will face a cyber incident, but when."

NCSC CEO Richard Horne's warning: "Cyber criminals will target organisations of all sizes, operating in any sector."

Nationally significant attacks (year to September 2025): 204 attacks (up from 89 previous year)
Nationally significant attacks per week: 4 per week
Increase in highly significant incidents: 50% increase
Proportion of attacks classified as nationally significant: 48% (record high)
Ransomware incidents per week: 35-40 incidents per week (up from 20-25 in 2024)
Ransomware classification: Most acute cyber threat to UK organisations (NCSC)
Small businesses targeted by ransomware: 71% of ransomware attacks
Average ransomware downtime: 21 days
Average ransom demand: £100,000-£500,000 (varies widely)
Suspicious emails reported to SERS: 10.9 million in past year
Successful attacks beginning with phishing: Over 90%
People using easy-to-guess credentials: 19%
Businesses reviewing supplier cyber risk: Only 14% in last 12 months

These statistics underscore why cyber security must be a business priority, not just an IT concern. Small businesses are particularly vulnerable - they're targeted in 71% of ransomware attacks because criminals assume they have weaker defences.

Cyber Essentials certification

Cyber Essentials is the UK government's baseline cyber security standard. It's designed to protect against approximately 80% of common cyber attacks and is mandatory for certain government contracts.

Even if not required, certification demonstrates to customers and insurers that you take security seriously. Many cyber insurance policies now require or offer premium discounts for Cyber Essentials certification.

Cyber Essentials certification levels and costs

Two certification levels (basic and Plus), costs, validity period, and what's included in each level.

Cyber Essentials is a government-backed, industry-supported scheme to help organisations protect against common online threats. It protects against approximately 80% of common cyber security threats and is administered by the National Cyber Security Centre (NCSC).

Over 215,000 certificates have been awarded, with 49,248 issued in the past 12 months. Organisations implementing the controls see a 92% reduction in insurance claims.

Basic Cyber Essentials cost: £300-£600 + VAT (tiered by organisation size)
Micro businesses (0-9 employees): £320 + VAT
Average cost (basic): £500 + VAT
Cyber Essentials Plus cost: £999-£3,000 + VAT
Typical range (Plus): £1,500-£3,000 + VAT
Certificate validity: 12 months (annual renewal required)
Basic level process: Self-assessment questionnaire reviewed by Certification Body (1-3 business days)
Plus level process: First obtain basic certification, then technical audit with authenticated vulnerability scanning
Plus includes: Authenticated vulnerability scanning, configuration checks, validation of all five controls
Effective date of 2025 updates: 28 April 2025 (Willow Question Set)
Accreditation body: IASME (sole accreditation body since April 2020)
Number of Certification Bodies: Over 350 across UK and Crown Dependencies
Government contract requirement: Mandatory for suppliers bidding on certain public sector contracts involving personal data or ICT services

Which level is right for your business?

Basic Cyber Essentials - Good for most small businesses, required for many government contracts, affordable entry point (£320-£600 depending on size)
Cyber Essentials Plus - For businesses handling sensitive data, required for higher-risk government contracts, includes technical verification of your controls (£1,500-£3,000)

Key changes from April 2025: The new "Willow Question Set" includes strengthened requirements for multi-factor authentication (now mandatory for administrator accounts, remote access, and cloud services handling sensitive data) and updated security patch timescales (within 14 days for critical vulnerabilities).

The five technical controls

Cyber Essentials certification addresses five core areas of cyber security. Implementing these controls significantly reduces your attack surface.

Cyber Essentials five technical controls

The five baseline security controls required for Cyber Essentials certification.

Cyber Essentials certification requires implementing five baseline security controls that protect against common cyber attacks:

Control 1: Firewalls: Secure configuration of internet gateways and boundary devices
Control 2: Secure configuration: Change default settings, remove unnecessary software, disable unused features
Control 3: User access control: Control who can access data and services, limit admin privileges
Control 4: Malware protection: Use anti-malware software, keep signatures up to date
Control 5: Patch management: Keep software up to date, apply security patches within 14 days

Cyber Essentials cost: Typically £300-£500 for basic certification
Cyber Essentials Plus cost: Typically £1,500+ (includes hands-on technical assessment)
Certificate validity: 12 months (annual renewal required)
Required for: UK government contracts involving sensitive data or ICT services

Get Cyber Essentials certified

Getting started: If you're not ready for certification, implementing these five controls yourself is an excellent first step. The NCSC provides free guidance on each control area.

Common gaps: The most frequent failures in Cyber Essentials assessments are:

Not enabling multi-factor authentication on administrator accounts
Missing security updates on older devices or software
Using default passwords on routers or network equipment
No malware protection on some devices (especially Macs or mobile devices)

Data breach notification requirements

If you process personal data (which almost all businesses do), you must comply with UK GDPR breach notification rules. This includes a strict 72-hour deadline for reporting certain breaches.

Why this matters: Failure to report a breach within 72 hours is itself a UK GDPR violation, with potential fines of up to £8.7 million or 2% of global turnover. Beyond the fine, late reporting damages trust and can escalate regulatory scrutiny.

ICO data breach notification requirements (72-hour rule)

Two-tier notification requirements under UK GDPR, including the 72-hour rule for reporting to ICO and requirements for notifying affected individuals.

Under UK GDPR, organisations must report personal data breaches to the Information Commissioner's Office (ICO) within 72 hours if the breach is likely to result in a risk to individuals' rights and freedoms. A two-tier system applies:

Risk to individuals: Report to ICO within 72 hours
High risk to individuals: Report to ICO within 72 hours AND notify affected individuals without undue delay

The clock starts when you become aware of the breach, not when it originally happened or when you complete full investigation.

ICO reporting timeline: Within 72 hours of becoming aware of the breach
Threshold for ICO reporting: Breach likely to result in risk to rights and freedoms of individuals
Threshold for individual notification: Breach likely to result in high risk to rights and freedoms of individuals
Individual notification timeline: Without undue delay
When clock starts: When you become aware of the breach (sufficient evidence to believe incident occurred and meets threshold)
How to count 72 hours: Count hours, not working days (weekends and bank holidays count)
If you miss 72 hours: Still must report, must provide reasons for delay
Phased reporting permitted: Yes - initial report within 72 hours with available information, updates without undue delay
ICO reporting method: Online tool at ico.org.uk/for-organisations/report-a-breach
Exceptions to individual notification: Data encrypted/unintelligible, measures taken to eliminate high risk, or disproportionate effort (use public communication instead)
Record keeping requirement: Document all breaches whether or not reported to ICO (UK GDPR Article 33(5))
Recommended record retention: At least 3 years (aligns with ICO investigation timeframes)

Practical steps for breach preparedness

Don't wait for a breach to understand your obligations. Prepare now:

Designate a response lead - Who makes the decision whether to report?
Document the process - Create a one-page breach response plan
Save the ICO reporting link - ico.org.uk/for-organisations/report-a-breach
Understand your data - What personal data do you hold? Where is it? Who has access?
Practice scenario planning - "What if our customer database was accessed by an attacker?"

Common myth: "We need to finish investigating before reporting." False. The clock starts when you become aware of the breach. Report within 72 hours with available information, then update the ICO as your investigation progresses.

UK GDPR penalties and enforcement

Understanding the penalty framework helps you grasp the seriousness of cyber security and data protection obligations. However, the ICO's approach is proportionate and focused on improvement, not punishment.

UK GDPR penalty framework and maximum fines

Two-tier penalty system under UK GDPR, including maximum fines for different types of infringements and ICO enforcement approach.

UK GDPR establishes a two-tier penalty system. The ICO states: "Fines are discretionary rather than mandatory. The ICO will impose them proportionately, on a case-by-case basis, and typically as a last resort."

The ICO prefers to work with organisations to find resolution. Organisations that recognise shortcomings, take ownership, and develop performance improvement plans can often avoid formal enforcement action.

Tier 1 maximum fine (higher level): £17.5 million OR 4% of annual global turnover (whichever is greater)
Tier 1 applies to infringement of: Data protection principles (Article 5), rights of individuals (Articles 12-22), international transfer provisions (Articles 44-49)
Tier 2 maximum fine (lower level): £8.7 million OR 2% of annual global turnover (whichever is greater)
Tier 2 applies to infringement of: Administrative requirements (including breach notification), processor obligations, certification body requirements
Failure to report breach penalty tier: Tier 2 (£8.7m or 2% global turnover)
Notable 2025 fine: Capita plc: £14 million (October 2025) for breach affecting 6,656,037 individuals
Capita violations: Failed to implement appropriate technical and organisational measures, could not prevent unauthorised movement within network
Notable 2025 fine: Advanced Computer Software: £6.1 million (reduced via settlement) - first penalty on data processor
Advanced Computer violations: No multi-factor authentication, inadequate vulnerability scanning, poor patch management
ICO enforcement philosophy: Proportionate, case-by-case, typically last resort
Factors ICO considers: Nature of infringement (intentional vs negligent), gravity, organisation's actions, cooperation, remedial steps, previous infringements, financial position
Individual compensation claims: Separate from ICO fines - individuals can claim for material and non-material damage under Article 82

What this means in practice: The ICO prefers to work with organisations that demonstrate genuine efforts to comply. If you:

Recognise shortcomings when they're identified
Take ownership of the issue
Develop and implement performance improvement plans
Cooperate with ICO investigations

...you'll often avoid formal enforcement action. Fines are typically reserved for serious, persistent, or intentional breaches by organisations that ignore warnings.

Recent enforcement trends (2025): The ICO has increased focus on technical and organisational measures following cyber incidents. Both the Capita plc (£14m) and Advanced Computer Software (£6.1m) fines involved failures to implement basic security controls like multi-factor authentication and patch management.

Reporting cyber incidents

When a cyber incident occurs, you may need to report it to multiple authorities depending on the nature of the incident and your sector. Having these contacts readily available saves critical time.

Cyber incident reporting contacts and procedures

Who to report cyber incidents to, including Action Fraud, ICO, NCSC, and geographic variations for Scotland.

Different cyber incidents require reporting to different authorities. All UK organisations should know their reporting obligations and have key contacts readily available.

Cyber crime reporting (England, Wales, NI): Report Fraud (formerly Action Fraud) - reportfraud.police.uk or 0300 123 2040
Cyber crime reporting (Scotland): Police Scotland via 101 (Scotland has not signed up to Report Fraud process)
Report Fraud phone hours: Monday-Friday 8am-8pm (24/7 for organisations under live attack)
Report Fraud from abroad: +44 300 123 2040
Data breach reporting (all UK): ICO at ico.org.uk/for-organisations/report-a-breach (within 72 hours if risk to individuals)
ICO helpline: 0303 123 1113 (Monday-Friday 9am-5pm)
Phishing email reporting: NCSC Suspicious Email Reporting Service (SERS) - forward to report@phishing.gov.uk
NCSC Cyber Incident Response (CIR) Scheme: Industry assurance scheme - all UK organisations should use CIR Assured Service Provider when dealing with cyber incidents
NHS organisations (NIS OES in England): Report to NHS England within 72 hours for incidents with adverse effect on security or significant impact on service continuity
Financial services firms: Report to FCA/PRA as per firm's notification procedures
Operators of Essential Services: Report to sector regulator within 72 hours
Digital service providers: Report to ICO within 72 hours if substantial impact
Under active cyber attack (need help): NCSC at ncsc.gov.uk and CIR provider immediately
What Report Fraud cannot do: Not investigative body, cannot guarantee police investigation or advise on report contents
Why report even if not investigated: Builds intelligence picture, identifies patterns, informs national policing priorities

Who to report to:

Crime (fraud, extortion, ransomware): Report Fraud (0300 123 2040) or Police Scotland 101 if in Scotland
Data breach: ICO within 72 hours if risk to individuals
Phishing emails: Forward to report@phishing.gov.uk (NCSC)
Under active attack: Contact NCSC and use a CIR Assured Service Provider

Why report even if police can't investigate: Every report builds the national intelligence picture. Your report might be the piece that connects multiple attacks and leads to identifying criminal infrastructure or patterns.

PROFESSIONAL & FINANCIAL… Requirement

If your firm is regulated by the FCA or PRA (banks, insurers, electronic money institutions, payment institutions, investment firms), you must comply with operational resilience requirements by 31 March 2025.

These requirements go significantly beyond Cyber Essentials and UK GDPR:

FCA/PRA operational resilience requirements for financial services

Key deadline (31 March 2025) and core requirements for financial services firms including IBS mapping, impact tolerances, scenario testing, and third-party risk.

All in-scope financial services firms must comply with operational resilience requirements by 31 March 2025. This includes banks, insurers, electronic money institutions, payment institutions, investment firms, and certain other authorised firms.

The FCA has identified unregulated third-party issues as the primary source of operational incidents in 2022-2023.

Compliance deadline: 31 March 2025
In-scope firms: Banks, insurers, electronic money institutions (EMIs), payment institutions (PIs), investment firms, certain other authorised firms
Regulatory bodies: Financial Conduct Authority (FCA), Prudential Regulation Authority (PRA), Bank of England
Requirement 1: Important Business Services (IBS) mapping: Identify and map all services that if failed would cause intolerable harm to consumers, threaten firm's viability, or threaten market integrity/financial stability
IBS mapping requirements: Complete mapping exercise, identify all components (people, processes, technology, facilities, information, third parties), understand dependencies, document end-to-end service delivery
Requirement 2: Impact tolerances: Set maximum tolerable level of disruption for each IBS (hours/days downtime, regulatory metrics, financial metrics, customer impact)
Requirement 3: Scenario testing: Test whether you can stay within impact tolerances during severe but plausible scenarios
Scenarios must include: Cyber attack, loss of key supplier, loss of critical staff, technology failure, third-party failure
Testing methods: Desktop exercises, simulation exercises, live testing (where safe)
Testing frequency: Regular testing (at least annually for critical scenarios)
Requirement 4: Third-party risk management: Due diligence before engagement, contractual security requirements, ongoing monitoring, exit plans, cyber security standards for third parties
FCA recommended practice: TLPT: Threat-Led Penetration Testing - extremely effective tool for identifying unknown vulnerabilities
FCA baseline expectation: Implement NCSC 10 Steps to Cyber Security as foundational cyber security
Future consultation (H2 2025): FCA and PRA intend to consult on ICT and cyber risk management policy (likely DORA-style requirements)
PRA 2025 focus: Insurers' cyber resilience under spotlight (hold significant customer data, critical role in financial system)

What this means for your firm:

By 31 March 2025, you must have:

Completed mapping of all Important Business Services (IBS) and their dependencies
Set impact tolerances (maximum acceptable downtime) for each IBS
Conducted scenario testing proving you can stay within impact tolerances
Implemented robust third-party risk management with contractual security requirements
Documented all of the above with evidence of board-level oversight

Common gaps FCA has identified: Many firms struggle with comprehensive third-party mapping (including sub-contractors and cloud dependencies) and realistic scenario testing. Don't rely on desktop exercises alone - test with live simulation where safe to do so.

Baseline expectation: The FCA expects all regulated firms to implement the NCSC's "10 Steps to Cyber Security" as a foundational minimum. Cyber Essentials Plus is recommended but not mandatory for all firms (sector-specific requirements may apply).

HEALTHCARE & SOCIAL CARE Requirement

If your organisation provides NHS services or has access to NHS patient data (including GPs, pharmacies, social care providers, and IT suppliers), you must complete the Data Security and Protection Toolkit (DSPT) annually.

DSPT is more comprehensive than Cyber Essentials and includes both information governance and cyber security requirements:

NHS Data Security and Protection Toolkit (DSPT) requirements

Mandatory annual self-assessment for NHS organisations and partners, including Version 7 updates adopting NCSC Cyber Assessment Framework and NIS Regulations compliance.

The Data Security and Protection Toolkit (DSPT) is NHS England's online self-assessment tool covering data security and protection requirements, including NIS Regulations compliance. It is mandatory for all NHS organisations and partner organisations with access to NHS patient data.

Version 7 (September 2024) represents a major update adopting the NCSC Cyber Assessment Framework (CAF) as its foundation, with more rigorous cyber security requirements aligned with national standards.

Who must complete DSPT: All NHS organisations and partner organisations handling NHS patient data (e.g., GPs, pharmacies, social care providers)
Submission frequency: Annual submission required
Current version: Version 7 (September 2024)
Major Version 7 change: Adoption of NCSC Cyber Assessment Framework (CAF) as foundation
Version 7 enhanced focus areas: Network security, access control, vulnerability management, incident management
DSPT scope: Broad information governance + cyber security + NIS Regulations compliance (single assessment)
How to complete: Online toolkit at dsptoolkit.nhs.uk with evidence upload and senior management sign-off
Assurance levels: Standards Met or Standards Not Met (requires improvement plan)
Consequences of not meeting standards: May lose access to NHS systems, contractual breach for suppliers, reputational damage, may affect commissioning decisions
Relationship to Cyber Essentials: Not universally mandatory for NHS but increasingly required, some contracts specify it, NHS Digital recommends it
NIS Regulations coverage (healthcare): NHS trusts, foundation trusts, Integrated Care Boards (ICBs), certain independent providers
NIS incident reporting (healthcare OES): Report to NHS England within 72 hours for incidents with adverse effect on security or significant impact on continuity
NIS enforcement powers (healthcare): Secretary of State for Health & Social Care can issue enforcement notice or penalty notice up to £17 million
Geographic variations (NIS OES): Scotland: NHS Scotland health boards; Wales: Local Health Boards; NI: Health and Social Care Trusts

What changed in Version 7 (September 2024):

The adoption of the NCSC Cyber Assessment Framework (CAF) as DSPT's foundation represents a significant uplift in cyber security expectations. Key changes include:

Network security: More rigorous requirements for network segmentation and monitoring
Access control: Strengthened requirements for identity verification and least-privilege access
Vulnerability management: Enhanced expectations for vulnerability scanning and patch management
Incident management: Clearer requirements for incident response plans and testing

If you're an NHS supplier: Your contract likely requires "Standards Met" status on DSPT. Failure to achieve this can result in contract termination or loss of access to NHS systems.

NIS Regulations coverage: If you're a designated Operator of Essential Services (OES) in the health sector (NHS trusts, ICBs, certain independent providers), you must also comply with Network and Information Systems (NIS) Regulations, including incident reporting to NHS England within 72 hours for incidents affecting security or service continuity.

Building a cyber security programme

Compliance with formal requirements is essential, but effective cyber security requires embedding security into your business operations. Here's a practical roadmap:

Foundation (0-3 months)

Complete NCSC's free "Cyber Action Plan" tool to assess your current posture
Register with ICO and understand your breach notification obligations
Implement basic hygiene: unique passwords, anti-malware, firewalls, software updates
Designate someone responsible for cyber security (can be external advisor)
Create a simple incident response plan (one page is fine to start)

Intermediate (3-12 months)

Achieve Cyber Essentials (basic) certification
Deploy multi-factor authentication for all cloud services and remote access
Conduct cyber security awareness training for all staff
Review and document your data inventory (what personal data, where stored, who accesses)
Implement regular backup testing (can you actually restore from backups?)
Review cyber insurance options

Advanced (12+ months)

Consider Cyber Essentials Plus if handling sensitive data
Implement security monitoring and logging
Conduct penetration testing or vulnerability scanning
Review and test incident response plan with realistic scenarios
Assess third-party and supply chain cyber risk
Benchmark against NCSC "10 Steps to Cyber Security" or CAF

Common myths about cyber security

Myth 1: "We're too small to be targeted"
Reality: 71% of ransomware attacks target small businesses. Criminals use automated tools that scan for vulnerabilities regardless of business size.

Myth 2: "We don't have anything worth stealing"
Reality: You have customer data, employee records, banking details, and access to business systems. Even if you don't store payment cards, your data has value to criminals.

Myth 3: "Cyber security is too expensive for us"
Reality: Basic cyber security costs very little. Free tools and built-in security features (Windows Defender, router firewalls, automatic updates) provide significant protection. Cyber Essentials costs £320 for micro businesses.

Myth 4: "We've never been attacked so we're doing fine"
Reality: Most organisations don't know they've been attacked until months later. Attackers often gain access and lurk silently, stealing data or preparing ransomware deployment.

Myth 5: "Cyber security is just an IT problem"
Reality: 90% of successful attacks begin with phishing - a human problem, not a technical one. Cyber security requires business-wide awareness and leadership commitment.

Business Context Testing

Content Graph

Guvnor

Cyber security requirements for UK businesses

The current threat landscape

Cyber Essentials certification

Which level is right for your business?

The five technical controls

Data breach notification requirements

Practical steps for breach preparedness

UK GDPR penalties and enforcement

Reporting cyber incidents

Financial services firms face enhanced operational resilience requirements

NHS and healthcare organisations must complete Data Security and Protection Toolkit

Building a cyber security programme

Foundation (0-3 months)

Intermediate (3-12 months)

Advanced (12+ months)

Common myths about cyber security

Compliance Assistant

🧪 Business Context Testing

◉ Content Graph

The current threat landscape

Cyber Essentials certification

Which level is right for your business?

The five technical controls

Data breach notification requirements

Practical steps for breach preparedness

UK GDPR penalties and enforcement

Reporting cyber incidents

Financial services firms face enhanced operational resilience requirements

NHS and healthcare organisations must complete Data Security and Protection Toolkit

Building a cyber security programme

Foundation (0-3 months)

Intermediate (3-12 months)

Advanced (12+ months)

Common myths about cyber security

Related guides in Digital & Technology

Business Context Testing

Content Graph