Are we mistaking regulation for resilience?
As security leaders within the UK, we frequently feel squeezed between an increasingly aggressive threat landscape and a sprawling legislative framework. A new assessment of the UK's cyber security legislative framework confirms what many of us discuss over drinks at industry conferences: we are drowning in compliance obligations, yet the nation's cyber resilience remains alarmingly fragile. For my peers across the UK, this report offers five critical takeaways that should shape our future strategies.
While the UK General Data Protection Regulation (GDPR) theoretically threatens UK businesses with large penalties, the Information Commissioner's Office (ICO) issued only three fines in 2024, often favouring reprimands instead. Even more striking is the enforcement void concerning the Network and Information Systems (NIS) Regulations.
Despite a significant rise in incident notifications, freedom of information data indicates a near-total absence of formal sanctions by key competent authorities between 2021 and 2024 (see the "Situation snapshot" table below). While this may sound like a reprieve, it undermines our internal business cases for security investment. If the regulator won't bite, the board won't listen.
This leads to the second, and perhaps most worrying, trend: the disengagement of the board. The UK has seen a measurable decline in executive ownership. The proportion of businesses with a board member holding explicit responsibility for cyber security has dropped from 38% in 2021 to just 27% in 2025. This data will significantly affect how seriously our executives treat privacy and security going forward.
As chief information security officers (CISOs), we cannot allow cyber risk responsibilities to be relegated to the IT department. The Cyber Security and Resilience Bill (CSRB) missed a key opportunity to place accountability with boards and executives as a statutory duty. This should not mean turning the CISO into the "chief information scapegoat officer" by assigning liability without the resources or authority to address the risks.
Situation snapshot

| Finding | Implication |
| --- | --- |
| Decline in businesses with a board member holding explicit cyber responsibility (2021 vs 2025) | High risk: executive ownership is shrinking just as liability is growing. |
| Proportion of large businesses that continue to suffer breaches | Ineffectiveness: current compliance spending is not reducing the success rate of attacks on large companies. |
| Increase in ransomware attack numbers between 2024 and 2025 | Escalating threat: attackers are outpacing defensive controls despite passed audits. |
| Total fines issued by the ICO in 2024, with a preference for reprimands | Enforcement void: the regulator is currently ineffective, undermining any business case for security investment based solely on fines. |
| Lack of formal sanctions by competent authorities under the NIS Regulations (2021-2025) | False security: reliance on regulatory pressure to drive improvements is a failed strategy. |
Third, we must recognise that compliance does not equal resilience. The UK's cybersecurity and privacy legislative framework: Effectiveness, enforcement and complexity report highlights a "tick-box mentality" in which resources are diverted towards navigating complex legal requirements rather than towards effective security controls. The result is a sobering statistic: cyber security breach rates for large businesses persist at 74%.
Companies are passing audits, yet are still falling victim to phishing and increasingly sophisticated ransomware attacks, the latter of which saw numbers double between 2024 and 2025. Our focus must shift from producing documentation to validating operational resilience through rigorous testing of incident response plans.
Fourth, the complexity of the legislative landscape has reached a point of diminishing returns. We are navigating a patchwork of the UK GDPR, the NIS Regulations, the Computer Misuse Act and the Online Safety Act, with the new CSRB on top. This cumulative volume creates a "compliance tax" that drains our finite resources.
For those of us managing supply chains, this is critical. The burden on our small to medium-sized enterprise (SME) partners is crushing, potentially stifling the very innovation we rely on. We must audit our supply chains not only for security, but for their ability to survive this regulatory attrition.
Finally, we must prepare for the expanded scope of the CSRB. The adopted strategy is shifting towards a "whole of society" approach, bringing managed service providers (MSPs) and datacentres directly into the regulatory fold. If you rely on third parties, as many of us do, the regulatory spotlight is about to widen.
Ultimately, this report serves as a wake-up call. We cannot rely on legislation to solve the problem, nor can we rely on regulators to enforce it consistently. We must move beyond the "compliance trap" and build cultures and controls that survive contact with our adversaries.
A response to The UK's cybersecurity and privacy legislative framework report, from William Dutton, Oxford Martin Fellow, Global Cyber Security Capacity Centre, Oxford University:
"Debate on governmental policy on information technologies too often hovers around broad generalities, such as whether to regulate. This insightful report digs deeper. The WCIT [Worshipful Company of Information Technologists] Security Panel addresses issues such as the regulatory paradox across key aspects of major governmental, legislative and regulatory choices, providing invaluable insights for policymakers, regulators, and a range of business organisations, including small enterprises. This report is a concise and invaluable reference for those with a serious interest in issues tied to cyber security and privacy."