ARTICLE
16 July 2026

Data And Cyber School – The Latest Cyber Security And Data Protection Updates

GW
Gowling WLG

Contributor

Gowling WLG is an international law firm built on the belief that the best way to serve clients is to be in tune with their world, aligned with their opportunity and ambitious for their success. Our 1,400+ legal professionals and support teams apply in-depth sector expertise to understand and support our clients’ businesses.
The UK's data protection and cyber security landscape is undergoing significant transformation through three major developments: the Cyber Security and Resilience Bill expanding regulatory scope to managed service providers and data centres, the Data (Use and Access) Act 2025 modernising UK GDPR provisions, and the NCSC's voluntary Cyber Governance Code of Practice for boards.
United Kingdom Privacy
Gowling WLG are most popular:
  • within Compliance, Wealth Management and Consumer Protection topic(s)
  • with Inhouse Counsel
  • with readers working within the Business & Consumer Services industries

The data and cyber landscape never stands still. As new UK rules, guidance and case law reshape obligations - and threat actors evolve just as quickly - clarity and practical direction are essential.

Data and Cyber School brings together our Data Protection and Cyber Security team's latest thinking and guidance on data protection and cyber security, focusing on what you need to know now.

Built for in-house counsel, data protection officers and chief information security officers, be sure to bookmark this page for the latest insights and resources when new developments occur so that you can understand what's changing and are fully equipped to respond.

This page was last updated on 07 May 2026.

1. The UK Cyber Security and Resilience Bill – introduced to Parliament on 12 November

The Cyber Security and Resilience (Network and Information Systems) Bill (the Bill) was introduced to Parliament on 12 November 2025. Once it becomes law, it will bring significant change to the UK's cyber legislative framework. This landmark reform aims to strengthen national security, protect critical infrastructure and address the escalating threat of cyberattacks that cost the UK economy an estimated £14.7 billion annually.

The Bill seeks to modernise the UK's only cross-sector cyber regulations, the Network and Information Systems Regulations 2018 (NIS Regulations), aligning the UK's regulatory framework with the EU's NIS2 Directive while introducing tougher enforcement powers and a broader scope.

What are the key features?

1. Expanded regulatory scope

The Bill significantly widens the net of regulated entities. In addition to operators of essential services (OES) in the healthcare, energy, drinking water, transport and digital infrastructure sectors, as well as relevant digital service providers (RDSPs) (online marketplaces, online search engines, cloud computing services), the following will now fall under direct regulation:

  • Managed Service Providers (MSPs): Some medium and large MSPs, referred to as Relevant Managed Service Providers (RMSPs) in the Bill, will be brought into scope. The Information Commissioner's Office (ICO) (soon to be the Information Commission) will regulate.
  • Data centre infrastructure: UK data centres at or above 1MW capacity will be brought into scope. Data centre services provided on an enterprise basis (which serve its own undertaking only) will be brought into scope if they are at or above 10MW capacity. Whilst designated as OESs, there may be some differences in applicable duties (e.g. for incident reporting) compared to other OESs.
  • Large load controllers: Organisations that control 300MW of electrical load or more to remotely control consumer appliances will be designated as OESs. The Department for Energy Security and Net Zero and Ofgem will act as the joint regulator. This will bring large load controllers in line with other energy infrastructure.

This expansion reflects the growing recognition that supply chain vulnerabilities are a prime target for attackers.

2. Enabling critical suppliers to be designated and regulated

Regulators will be granted powers to designate and regulate organisations as "critical suppliers". Regulators will be able to designate a supplier of goods or services to OES, RDSPs or RMSPs as critical, if set criteria apply. This will address situations where an incident disrupts a supplier from delivering goods or services and that disruption is likely to have a significant impact on the economy or day-to-day functioning of society in all or part of the UK. Often this will be because the supplier's systems are used as a route for attackers to target an essential or digital service provider. Requirements for duties and incident reporting will be set through regulations.

3. Strengthening incident reporting

One of the most impactful changes is the introduction of stricter reporting timelines.

A two-stage reporting structure is introduced. For a significant incident, in-scope organisations must give:

  • Initial notification within 24 hours
  • Full report within 72 hours

In parallel with reporting to their regulator, a copy of the incident notifications and a full report must be sent to the National Cyber Security Centre (NCSC).

This requirement aims to give regulators and the NCSC a clearer picture of emerging threats. Failure to comply could result in daily fines of up to £100,000 or penalties linked to annual turnover (see 4).

The definition of a reportable incident is expanded to capture a broader range of incidents. Currently the threshold for reporting an incident is if it is causing significant disruption to an essential and digital service. This does not capture attacks that have compromised the integrity or security of a system in a way which could have significant impacts in the future, such as pre-positioning (where attackers gain access or presence within networks for future significant disruption) and ransomware incidents (where malicious software infects a victim's computer system, preventing or impairing access to IT systems, and facilitating the theft of personal or sensitive data – then demanding payment.) The Bill puts forward measures which will require those incidents to also be reported.

Transparency requirements will be enhanced. RDSPs, RMSPs and data centre operators will need to alert customers likely to be affected by a significant incident.

4. Tougher enforcement and penalties

Regulators will gain enhanced powers to investigate and enforce compliance.

There will be a new cost recovery framework which will allow regulators to recover the full costs associated with their NIS activities through a periodic fee.

Penalties for non-compliance will be linked to annual turnover, ensuring fines are proportionate to the size of the organisation. Detail on defining the calculation of turnover for penalties will be set out in secondary legislation.

The Bill sets out a revised penalty structure. The new maximum penalties proposed are:

  1. For more serious breaches, up to £17 million, or 4% of the regulated entity's worldwide turnover, whichever is higher.
  2. For less serious breaches, up to £10 million, or 2% of worldwide turnover, whichever is higher.
  3. For ongoing breaches, the Bill proposes fines of up to £100,000 per day (for entities that are not "undertakings" or for non turnover-based penalties) in specified circumstances.

The Bill also introduces information notice and non-disclosure penalties of up to £10 million, or for continuing non-compliance - up to £50,000 per day.

5. Enabling the Secretary of State to designate a statement of strategic priorities

The NIS Regulations apply across multiple sectors and are enforced by 12 regulators (13 when the new law comes into force). Regulators will have a duty to seek to achieve objectives which will be set out in a statement of strategic priorities.

6. Emergency powers

The Secretary of State will have authority to direct regulators and organisations to take specific, proportionate steps during major cyber incidents. This could include enhanced monitoring or temporary network isolation to protect national security. Proportionate safeguards will be implemented.

The Secretary of State will also have power to bring more sectors into scope of the NIS Regulations and update and introduce security and resilience requirements for organisations within scope including in relation to supply chain risk management, via secondary legislation.

What happens next?

The Bill continues to progress through Parliament, having been re-introduced in the 2026 session following its inclusion in the King's Speech on 13 May 2026.

It is currently at second reading stage in the House of Lords.

With final stages now underway, the Bill is expected to complete its passage in 2026, followed by secondary legislation and codes of practice providing detail on key requirements. Early preparation remains essential.

How should businesses prepare?

The Bill is not just a compliance exercise - it is a strategic wake-up call. Organisations should act now to:

  • Audit supply chains and identify critical dependencies, updating agreements to cascade cyber duty obligations, enhance incident-reporting triggers and include indemnities.
  • Update incident response plans to meet the 24-hour reporting requirement and regularly test the response plan.
  • Implement ransomware-specific protocols, including clear decision-making frameworks taking account of prospective payment disclosure obligations.
  • Continue to invest in monitoring and detection capabilities, such as Security Operations Centre (SOC) maturity and rapid triage processes.
  • Strengthen staff training on cyber vigilance, reporting duties and escalation procedures.

In-scope entities should expect increased scrutiny of security posture and contractual obligations, as organisations seek assurance that business partners meet industry standards.

2. UK Data (Use and Access) Act 2025 – in force in June 2025

The Data (Use and Access) Act 2025 (the Act) came into force in June 2025. It updated parts of the UK GDPR, the Data Protection Act 2018 and PECR, and introduces frameworks for smart data schemes, digital verification services and the National Underground Asset Register (NUAR). Many measures are being commenced in stages by secondary legislation.

What has already commenced?

  • 20 August 2025: Stage 1 commencement regulations brought various technical and enabling provisions into force, including powers to develop smart data schemes.
  • 30 September 2025: Section 124 (retention of information by providers of internet services in connection with the death of a child) commenced, amending the Online Safety Act 2023.
  • 1 December 2025: The majority of Part 2 on Digital Verification Services (DVS) commenced, putting the trust framework, supplementary codes and a statutory register onto a legal footing.

What is imminent?

The UK Government's timetable indicates that the main changes to data protection law (Part 5) are due around six months after Royal Assent (Stage 3). Measures that require more preparation are scheduled for early 2026, including the restructuring of the ICO into the Information Commission once the new Board is appointed, and technology‑dependent systems such as the electronic register of births and deaths and statutory NUAR operations.

What are the key changes and what do they mean?

  1. Automated decision‑making (ADM)
    The Act creates a more permissive framework for solely automated decisions with legal or similarly significant effects, provided organisations implement safeguards (clear information, right to contest, and meaningful human intervention). Restrictions for special category data remain unless an exemption applies.
  2. Subject access (DSARs)
    Clarifies "reasonable and proportionate" searches and introduces a stop‑the‑clock mechanism while you seek clarification.
  3. Recognised legitimate interests
    Lists specific public‑interest disclosures that do not require the usual Article 6(1)(f) balancing test, and codifies examples (network security, intra‑group admin and direct marketing) in statute.
  4. International transfers
    Recalibrates adequacy and transfer risk assessments via a new 'data protection test' (protection "not materially lower" than UK standards), supporting a more risk‑based approach.
  5. PECR enforcement and cookies
    Aligns the Privacy and Electronic Communication (EC Directive) Regulations 2003 (PECR) maximum penalty with UK GDPR (the higher of £17,500,000 or 4% of worldwide turnover) and expands consent exemptions for low‑risk storage/access (analytics/statistical, appearance/functionality, security and fraud, authentication, fault detection, maintaining user selections). Definitions of "call", "communication", "recipient" and who can "instigate" storage/access are updated, and breach reporting timing aligns to 72 hours. Note: advertising and cross‑site tracking still require consent.
  6. Smart data schemes
    Enables sector‑specific schemes (e.g., open finance and beyond) via secondary legislation; the government has consulted on opportunities in digital markets.
  7. National Underground Asset Register (NUAR)
    Moved to public beta in June 2025; statutory obligations to upload asset data will be introduced via regulations with phased lead‑times.

Actions for organisations now

  • Map where you use solely automated decisions; implement safeguards and prepare notices.
  • Update DSAR playbooks to reflect 'reasonable and proportionate' searches and stop‑the‑clock.
  • Review marketing governance: incorporate the new PECR definitions; plan for penalty alignment; ensure ad‑tech remains consent‑based.
  • Refresh international transfer templates and TRAs using the 'not materially lower' threshold.
  • Prepare for DVS: identify use cases; engage with trust framework and, if relevant, certification.
  • Track smart data consultations in your sector and plan for portability.
  • If you are an asset owner, begin NUAR data readiness (formats, completeness, governance) ahead of statutory upload obligations.

3. The NCSC Cyber Governance Code of Practice – published April 2025

On 8 April 2025, the UK Government, working with the National Cyber Security Centre (NCSC), launched the Cyber Governance Code of Practice (the Code). The Code is a voluntary framework for boards and directors that sets out the most critical governance actions for managing cyber risk, supported by NCSC's free Cyber Governance Training and the Cyber Security Toolkit for Boards.

Cyber incidents remain a board-level risk. The Department for Science, Innovation & Technology's 2025 Cyber Security Breaches Survey reports that 43% of UK businesses identified a breach or attack in the last 12 months (rising to 67% of medium and 74% of large businesses).

Who is the code for?

The Code is tailored for boards and directors of medium and large organisations across the public and private sectors. While not aimed at day-to-day security managers, it can help them brief and equip the board. Smaller organisations involved in critical supply chains are encouraged to adopt the principles proportionately.

What are the five governance principles?

  1. Risk management
    Boards should understand and oversee cyber risk, integrate it into enterprise risk frameworks, and review risks regularly—including supplier and third-party risks.
  2. Strategy
    Set the tone from the top. Establish and monitor a cyber strategy aligned to risk appetite and business objectives, with appropriate investment and clear outcomes.
  3. People
    Build a positive security culture. Ensure the board and workforce receive regular training to maintain cyber literacy, and measure the effectiveness of awareness activities.
  4. Incident planning, response and recovery
    Maintain a clear, exercised incident response and business recovery plan with defined legal, regulatory, communications and stakeholder responsibilities.
  5. Assurance and oversight
    Secure proportionate assurance. Use internal and independent reviews to evidence controls, understand gaps and track improvements. Ensure meaningful, regular board reporting.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

[View Source]

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More