Jocelyn S Paulley
Partner
Co-leader of Data Protection and Cyber Security sector (UK)
Article
10
The data and cyber landscape never stands still. As new UK rules, guidance and case law reshape obligations - and threat actors evolve just as quickly - clarity and practical direction are essential.
Data and Cyber School brings together our Data Protection and Cyber Security team's latest thinking and guidance on data protection and cyber security, focusing on what you need to know now.
Built for in-house counsel, data protection officers and chief information security officers, be sure to bookmark this page for the latest insights and resources when new developments occur so that you can understand what's changing and are fully equipped to respond.
This page was last updated on 07 May 2026.
The Cyber Security and Resilience (Network and Information Systems) Bill (the Bill) was introduced to Parliament on 12 November 2025. Once it becomes law, it will bring significant change to the UK's cyber legislative framework. This landmark reform aims to strengthen national security, protect critical infrastructure and address the escalating threat of cyberattacks that cost the UK economy an estimated £14.7 billion annually.
The Bill seeks to modernise the UK's only cross-sector cyber regulations, the Network and Information Systems Regulations 2018 (NIS Regulations), aligning the UK's regulatory framework with the EU's NIS2 Directive while introducing tougher enforcement powers and a broader scope.
The Bill significantly widens the net of regulated entities. In addition to operators of essential services (OES) in the healthcare, energy, drinking water, transport and digital infrastructure sectors, as well as relevant digital service providers (RDSPs) (online marketplaces, online search engines, cloud computing services), the following will now fall under direct regulation:
This expansion reflects the growing recognition that supply chain vulnerabilities are a prime target for attackers.
The Bill continues to progress through Parliament, having been re-introduced in the 2026 session following its inclusion in the King's Speech on 13 May 2026.
It is currently at second reading stage in the House of Lords.
With final stages now underway, the Bill is expected to complete its passage in 2026, followed by secondary legislation and codes of practice providing detail on key requirements. Early preparation remains essential.
The Bill is not just a compliance exercise - it is a strategic wake-up call. Organisations should act now to:
In-scope entities should expect increased scrutiny of security posture and contractual obligations, as organisations seek assurance that business partners meet industry standards.
The Data (Use and Access) Act 2025 (the Act) came into force in June 2025. It updated parts of the UK GDPR, the Data Protection Act 2018 and PECR, and introduces frameworks for smart data schemes, digital verification services and the National Underground Asset Register (NUAR). Many measures are being commenced in stages by secondary legislation.
The UK Government's timetable indicates that the main changes to data protection law (Part 5) are due around six months after Royal Assent (Stage 3). Measures that require more preparation are scheduled for early 2026, including the restructuring of the ICO into the Information Commission once the new Board is appointed, and technology‑dependent systems such as the electronic register of births and deaths and statutory NUAR operations.
The Act creates a more permissive framework for solely automated decisions with legal or similarly significant effects, provided organisations implement safeguards (clear information, right to contest, and meaningful human intervention). Restrictions for special category data remain unless an exemption applies.
On 8 April 2025, the UK Government, working with the National Cyber Security Centre (NCSC), launched the Cyber Governance Code of Practice (the Code). The Code is a voluntary framework for boards and directors that sets out the most critical governance actions for managing cyber risk, supported by NCSC's free Cyber Governance Training and the Cyber Security Toolkit for Boards.
Cyber incidents remain a board-level risk. The Department for Science, Innovation & Technology's 2025 Cyber Security Breaches Survey reports that 43% of UK businesses identified a breach or attack in the last 12 months (rising to 67% of medium and 74% of large businesses).
The Code is tailored for boards and directors of medium and large organisations across the public and private sectors. While not aimed at day-to-day security managers, it can help them brief and equip the board. Smaller organisations involved in critical supply chains are encouraged to adopt the principles proportionately.
Boards should understand and oversee cyber risk, integrate it into enterprise risk frameworks, and review risks regularly—including supplier and third-party risks.
NOT LEGAL ADVICE. Information made available on this website in any form is for information purposes only. It is not, and should not be taken as, legal advice. You should not rely on, or take or fail to take any action based upon this information. Never disregard professional legal advice or delay in seeking legal advice because of something you have read on this website. Gowling WLG professionals will be pleased to discuss resolutions to specific legal concerns you may have.
Explore our Data Protection and Cyber Security & Resilience teams' recent insight articles.
Expect further developments in the coming months as new policies, guidance and enforcement take shape.
Gowling WLG is an international law firm comprising the members of Gowling WLG International Limited, an English Company Limited by Guarantee, and their respective affiliates. Each member and affiliate is an autonomous and independent entity. Gowling WLG International Limited promotes, facilitates and co-ordinates the activities of its members but does not itself provide services to clients. Our structure is explained in more detail on our Legal Information page.
© 2026 Gowling WLG All rights reserved.