On 12th November 2025, the UK Government announced “tough new laws to strengthen the UK’s defences against cyber attacks” across critical national infrastructure, including the NHS, transport, energy, and water sectors.
But the announcement goes far beyond the big national providers. Suppliers, partners, and service providers are now firmly in scope. This means your business may soon be expected to meet stricter cyber security requirements.
Why These New Cyber Security Laws Matter
The Government’s proposals include:
- Clear security duties for suppliers working with critical national infrastructure
- Mandatory incident reporting for significant cyber events
- Turnover-based penalties for serious failures
- Recognition that cyber-attacks cost the UK nearly £15 billion annually
The message is simple: “Cyber Security is national security.”
Even if your organisation isn't a utility provider, you may sit in the supply chain of one, which means the expectations placed on you are rising too.
What This Will Mean for UK Businesses in 2026
- Cyber risk is now a leadership issue
This is no longer something an IT team quietly manages.
Boards will be expected to demonstrate responsibility, oversight, and preparation.
- Baseline security controls are now the minimum
Cyber Essentials is increasingly treated as the benchmark; if you don't already hold it, expect to be asked for it.
The NCSC-backed scheme is widely cited as mitigating around 80% of common, commodity attacks, and it is fast becoming a prerequisite in supply chains, tenders, and cyber insurance.
- Higher-assurance standards are becoming the norm
For organisations handling sensitive data or operating in complex supply chains, ISO 27001 provides a structured and internationally recognised approach to information security.
- Supply-chain visibility matters
The laws highlight that an organisation is only as strong as the suppliers it relies on.
Expect more procurement teams to request proof of cyber credentials.
- Preparation beats reaction
Incident-response plans, documented controls, and regular reviews will be essential.
Key Considerations for Businesses
Step 1: Understand your risk profile
Review the systems, data, suppliers, and services you rely on to understand where your cyber and information security exposure actually lies.
Step 2: Get Cyber Essentials as a baseline
Cyber Essentials is a cost-effective certification, endorsed by the UK Government, that can help protect an organisation from the most common attacks and can also help to reassure customers.
Step 3: Build a longer-term security structure with ISO 27001
Implementing an ISO 27001 Information Security Management System (ISMS) can demonstrate maturity, resilience and trustworthiness. Getting your ISMS independently certified verifies that the implementation is robust. Check that the certification body is UKAS-accredited: certificates issued by non-accredited bodies are frequently not accepted by customers, tender assessors, or regulators.
Step 4: Strengthen staff awareness
Human error remains one of the biggest root causes of breaches. With phishing still the most common way in and ransomware on the increase, businesses should train their teams to spot phishing emails and report them quickly.
Step 5: Evaluate your supply chain
Check that your own suppliers meet minimum cyber security standards, because they form part of the same supply chain that attackers target.
How We Can Help
At British Assessment Bureau, we support thousands of businesses in strengthening their cyber security posture through the UK's most popular cyber security certifications, Cyber Essentials and ISO 27001.
