Jocelyn S Paulley
Partner
Co-leader of Data Protection and Cyber Security sector (UK)
Article
10
The data and cyber landscape never stands still. As new UK rules, guidance and case law reshape obligations - and threat actors evolve just as quickly - clarity and practical direction are essential.
Data and Cyber School brings together our Data Protection and Cyber Security team's latest thinking and guidance on data protection and cyber security, focusing on what you need to know now.
Built for in-house counsel, data protection officers and chief information security officers, be sure to bookmark this page for the latest insights and resources when new developments occur so that you can understand what's changing and are fully equipped to respond.
This page was last updated on 07 May 2026.
The Cyber Security and Resilience (Network and Information Systems) Bill (the Bill) was introduced to Parliament on 12 November 2025. Once it becomes law, it will bring significant change to the UK's cyber legislative framework. This landmark reform aims to strengthen national security, protect critical infrastructure and address the escalating threat of cyberattacks that cost the UK economy an estimated £14.7 billion annually.
The Bill seeks to modernise the UK's only cross-sector cyber regulations, the Network and Information Systems Regulations 2018 (NIS Regulations), aligning the UK's regulatory framework with the EU's NIS2 Directive while introducing tougher enforcement powers and a broader scope.
The Bill significantly widens the net of regulated entities. In addition to operators of essential services (OES) in the healthcare, energy, drinking water, transport and digital infrastructure sectors, as well as relevant digital service providers (RDSPs) (online marketplaces, online search engines, cloud computing services), the following will now fall under direct regulation:
This expansion reflects the growing recognition that supply chain vulnerabilities are a prime target for attackers.
The Bill continues to progress through Parliament, having been re-introduced in the 2026 session following its inclusion in the King's Speech on 13 May 2026.
It is currently at second reading stage in the House of Lords.
With final stages now underway, the Bill is expected to complete its passage in 2026, followed by secondary legislation and codes of practice providing detail on key requirements. Early preparation remains essential.
The Bill is not just a compliance exercise - it is a strategic wake-up call. Organisations should act now to:
In-scope entities should expect increased scrutiny of security posture and contractual obligations, as organisations seek assurance that business partners meet industry standards.
The Data (Use and Access) Act 2025 (the Act) came into force in June 2025. It updated parts of the UK GDPR, the Data Protection Act 2018 and PECR, and introduces frameworks for smart data schemes, digital verification services and the National Underground Asset Register (NUAR). Many measures are being commenced in stages by secondary legislation.
The UK Government's timetable indicates that the main changes to data protection law (Part 5) are due around six months after Royal Assent (Stage 3). Measures that require more preparation are scheduled for early 2026, including the restructuring of the ICO into the Information Commission once the new Board is appointed, and technology‑dependent systems such as the electronic register of births and deaths and statutory NUAR operations.
The Act creates a more permissive framework for solely automated decisions with legal or similarly significant effects, provided organisations implement safeguards (clear information, right to contest, and meaningful human intervention). Restrictions for special category data remain unless an exemption applies.
On 8 April 2025, the UK Government, working with the National Cyber Security Centre (NCSC), launched the Cyber Governance Code of Practice (the Code). The Code is a voluntary framework for boards and directors that sets out the most critical governance actions for managing cyber risk, supported by NCSC's free Cyber Governance Training and the Cyber Security Toolkit for Boards.
Cyber incidents remain a board-level risk. The Department for Science, Innovation & Technology's 2025 Cyber Security Breaches Survey reports that 43% of UK businesses identified a breach or attack in the last 12 months (rising to 67% of medium and 74% of large businesses).
The Code is tailored for boards and directors of medium and large organisations across the public and private sectors. While not aimed at day-to-day security managers, it can help them brief and equip the board. Smaller organisations involved in critical supply chains are encouraged to adopt the principles proportionately.
Boards should understand and oversee cyber risk, integrate it into enterprise risk frameworks, and review risks regularly—including supplier and third-party risks.
Veuillez vous inscrire pour recevoir des nouvelles au sujet des plus récents changements et développements juridiques.
S'abonnerCECI NE CONSTITUE PAS UN AVIS JURIDIQUE. L'information qui est présentée dans le site Web sous quelque forme que ce soit est fournie à titre informatif uniquement. Elle ne constitue pas un avis juridique et ne devrait pas être interprétée comme tel. Aucun utilisateur ne devrait prendre ou négliger de prendre des décisions en se fiant uniquement à ces renseignements, ni ignorer les conseils juridiques d'un professionnel ou tarder à consulter un professionnel sur la base de ce qu'il a lu dans ce site Web. Les professionnels de Gowling WLG seront heureux de discuter avec l'utilisateur des différentes options possibles concernant certaines questions juridiques précises.
Explore our Data Protection and Cyber Security & Resilience teams' recent insight articles.
Expect further developments in the coming months as new policies, guidance and enforcement take shape.
Gowling WLG est un cabinet juridique international constitué des membres de Gowling WLG International Limited, une société à responsabilité limitée par garanties enregistrée en Angleterre, ainsi que leurs affiliés respectifs. Les membres et affiliés constituent des entités autonomes et indépendantes. Gowling WLG International Limited promeut, facilite et coordonne les activités de ses membres, mais ne fournit pas elle-même de services aux clients. Pour en savoir davantage sur notre structure, consultez notre page Avis juridique.
© 2026 Gowling WLG Tous droits réservés