New UK Cyber Security Laws: What They Mean for Your Business in 2026

On 12th November 2025, the UK Government announced “tough new laws to strengthen the UK’s defences against cyber attacks” across critical national infrastructure, including the NHS, transport, energy, and water sectors.

But the announcement goes far beyond the big national providers. Suppliers, partners, and service providers are now firmly in scope. This means your business may soon be expected to meet stricter cyber security requirements.

The Government’s proposals include:

• Clear security duties for suppliers working with critical national infrastructure
• Mandatory incident reporting for significant cyber events
• Turnover-based penalties for serious failures
• Recognition that cyber-attacks cost the UK nearly £15 billion annually

The message is simple: “Cyber Security is national security.”

Even if your organisation isn’t a utility provider, you may be in their supply chain, which means expectations are rising.

1. Cyber risk is now a leadership issue

This is no longer something an IT team quietly manages.
Boards will be expected to demonstrate responsibility, oversight, and preparation.

2. Baseline security controls are now the minimum

If you don’t already have Cyber Essentials in place, it’s increasingly seen as the benchmark.
It protects against up to 80% of common cyber threats and is fast becoming a prerequisite in supply chains, tenders, and insurance.

3. Higher-assurance standards are becoming the norm

For organisations handling sensitive data or operating in complex supply chains, ISO 27001 provides a structured and internationally recognised approach to information security.

4. Supply-chain visibility matters

The laws highlight that an organisation is only as strong as the suppliers it relies on.
Expect more procurement teams to request proof of cyber credentials.

5. Preparation beats reaction

Incident-response plans, documented controls, and regular reviews will be essential.

Step 1: Understand your risk profile

Many organisations review the systems, data, suppliers, and services they rely on to understand their cyber and information security exposure.

Step 2: Get Cyber Essentials as a baseline

Cyber Essentials is a cost-effective certification, endorsed by the UK Government, that can help protect an organisation from the most common attacks and can also help to reassure customers.

Step 3: Build a longer-term security structure with ISO 27001

Implementing an ISO 27001 Information Security Management System (ISMS) can demonstrate maturity, resilience and trustworthiness. Getting your ISMS independently certified verifies that implementation is robust – and businesses should be aware of the importance of UKAS-accreditation, as without this, certification may well get rejected.

Step 4: Strengthen staff awareness

Human error remains one of the biggest root causes of breaches. With ransomware on the increase and the number one source for breaches it’s important businesses consider training their teams how to spot phishing emails.

Step 5: Evaluate your supply chain

Businesses can check and ensure that their own suppliers meet minimum cyber security standards as they form part of the supply chain that could be under threat.

At British Assessment Bureau, we support thousands of businesses in strengthening their cyber security posture through the UK’s most popular cyber security certifications:

• Cyber Essentials
• Cyber Essentials Plus
• ISO 27001

Click here to understand the differences between Cyber Essentials and ISO 27001.