UK introduces Cyber Governance Code of Practice for board-level cyber risk oversight


The new code provides a structured approach for company boards and directors to govern cyber risk, with a focus on risk management, strategy, workforce, incident response, and assurance.

UK government has released a new cybersecurity code for medium and large businesses. (Photo: Shutterstock)

The UK government has issued a new Cyber Governance Code of Practice aimed at formalising how medium and large organisations govern cybersecurity risks. The Department for Science, Innovation and Technology (DSIT) launched the code with support from the National Cyber Security Centre (NCSC), and industry associations including the Institute of Directors.

The new code establishes a framework for boards and directors to oversee cyber risk across five domains, which include risk management, strategy, people, incident response and recovery, and assurance. It outlines clear responsibilities for board-level oversight and is accompanied by training modules and a cybersecurity toolkit provided by the NCSC. While the framework targets medium and large enterprises, small businesses are also encouraged to consult related guidance through the NCSC and Cyber Local programmes.

“If we want to drive the economic growth which is fundamental to our Plan for Change, then we need to stand side-by-side with British business leaders as they face down that threat,” said Cyber Security Minister Feryal Clark. “Our new Cyber Governance Code of Practice does exactly that – setting out in clear terms steps organisations should take to safeguard their day-to-day operations, while also securing the livelihoods of their workers and protecting their customers.”

Data highlights rising threat to UK businesses

According to the DSIT, 74% of large businesses and 70% of medium-sized organisations experienced cyber incidents in the past 12 months, based on data from the 2024 Cyber Security Breaches Survey. The department reported that a third of large firms currently operate without a formal cyber strategy and nearly half of medium-sized organisations lack an incident response plan. Between 2015 and 2019, cyber threats were estimated to have cost the UK economy nearly £22bn.

The Code forms part of DSIT’s modular cybersecurity framework and is positioned alongside other standards such as Cyber Essentials, which provides baseline controls for cyber risk management. DSIT stated that the governance code provides the minimum level of board accountability expected within the broader national strategy to secure digital operations.

The initiative also precedes the planned introduction of the Cyber Security and Resilience Bill, set to be tabled in Parliament later this year. Secretary of State for Science, Innovation and Technology Peter Kyle said the bill will aim to “boost the protection of supply chains and critical national services, including IT service providers and suppliers.” The proposed legislation will expand regulatory coverage to include data centres, managed service providers and high-risk vendors, and introduce new incident reporting mandates to build a broader view of systemic vulnerabilities.

DSIT confirmed the new regulatory framework would allow for updates to adapt to evolving threats and technological shifts. Organisations implementing additional DSIT codes, such as the Software Security Code of Practice or the AI Cyber Security Code of Practice, are expected to integrate the governance code into their compliance activities.

The Cyber Governance Code of Practice is available on the NCSC website and includes online training, board engagement resources, and an implementation toolkit.
