United Kingdom
Data protection
1. Local data protection laws and scope
- The Data Protection Act 2018 (“DPA”) sets out the UK’s domestic framework for data protection. Its core purpose is to give effect to modern data protection standards in UK law, complementing and tailoring the UK GDPR. The DPA supplements the UK GDPR by providing UK‑specific data protection rules (for example, implementing certain exemptions, and introducing conditions for the processing of special category data). The DPA also creates dedicated regimes for law enforcement processing (Part 3) and for intelligence services processing (Part 4).
- The UK GDPR is the United Kingdom’s version of the EU GDPR. The EU GDPR came into force on 25 May 2018 and was designed to unify and strengthen data protection across EU member states. After the UK left the EU (Brexit), EU law (including the EU GDPR) ceased to apply directly in the UK, so the UK took steps to retain the EU GDPR’s concepts in its own law. The result is the UK GDPR, effective from 1 January 2021, which mirrors the core principles and rules of the EU GDPR whilst making certain adaptations for the UK context.
- The Data Protection (Charges and Information) Regulations 2018 (as amended in 2025) set out the circumstances in which controllers are required to pay a charge and provide certain information about their processing of personal data to the UK data protection regulator, the Information Commissioner’s Office.
- The Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”) focus on privacy in the context of electronic communications. PECR implemented the EU’s “e-Privacy Directive” (2002/58/EC) into UK law. PECR must be read alongside the UK GDPR and the DPA when addressing privacy issues in connection with electronic communication services, direct marketing and cookies/tracking technologies.
- The Data (Use and Access) Act 2025 (the “DUA Act”) was passed on 19 June 2025 and covers personal and non-personal data. It does not replace the UK GDPR, PECR or the DPA, rather it supplements, modifies and/or extends these existing laws. The DUA Act is being implemented in phases with many of the key data protection requirements expected to take effect in January 2026.
2. Data protection authority
The Information Commissioner’s Office ("ICO"): www.ico.org.uk
3. Anticipated changes to local laws
Data (Use and Access) Act 2025 ("DUA Act")
Amongst other things, the DUA Act will impact the following areas:
New obligations
- Children and online services: the DUA Act will explicitly require providers of online services likely to be accessed by children, to take their needs into account when deciding how to use their personal information. In practice, organisations that comply with the ICO’s Age Appropriate Design Code are likely to already be adhering to these obligations.
- Data protection complaints: The DUA Act will require organisations to assist people who want to make complaints in relation to the use of their personal data, for example, by providing an electronic complaints form. There will also be a requirement to acknowledge complaints within 30 days and respond to them "without undue delay".
Relaxation/clarification of existing obligations
- Direct marketing: charities will no longer be prevented from relying on the soft opt-in exemption when sending email marketing to individuals (i.e. they will be able to send direct marketing by electronic means on an opt-out basis, provided that certain conditions are met).
- Cookies/tracking technologies: organisations will not be required to obtain consent to serve cookies for certain low-risk activities, such as collecting statistical information in order to improve a service, adapting the appearance of a service, and/or identifying the geographical position of the subscriber’s or user’s device to provide emergency assistance.
- Penalty levels for breaches of PECR: maximum fine levels for a breach of e-privacy rules under PECR will increase from £500,000 to the UK GDPR levels, i.e. up to £17.5 million or 4% of global turnover.
- Data subject rights: rules around subject access requests will be clarified. This includes provisions confirming the applicable time limits for responding to data subject requests, and the codification of existing case law around reasonable and proportionate searches.
- Automated decision-making: The DUA Act will simplify the requirements for solely automated decision-making, and enable organisations to carry this out in wider circumstances (including potentially on the "legitimate interests" lawful basis) as long as they implement measures to provide relevant safeguards, and subject to stricter rules that will apply in respect of special categories of personal data.
- Lawful bases: The DUA Act will introduce a new "recognised legitimate interests" lawful basis for processing personal data in the context of certain activities, such as crime prevention, safeguarding vulnerable people, responding to emergencies, safeguarding national security or assisting other bodies to deliver public interest tasks that are sanctioned by law. No legitimate interest assessment will be required where this lawful basis applies.
- Purpose limitation: The UK GDPR requires that an individual’s personal data be re-used only in ways that are compatible with the original purpose for processing. The DUA Act will allow organisations to assume certain re-uses of personal data are compatible with the original purpose of processing, without having to do a compatibility test. This includes disclosing personal data for the purpose of archiving in the public interest.
- Disclosures to assist organisations perform public tasks: The DUA Act will permit organisations to share personal information with certain other organisations, such as the police, without having to decide whether the recipient needs the information to perform its public tasks or functions. Instead, the organisation making the request is responsible for this decision.
- International transfers of personal data: The DUA Act will introduce a new data protection test for data exporters when using overseas transfer mechanisms such as standard contractual clauses or other appropriate safeguards. The data protection test is met if, after an international transfer, the level of protection for a data subject will be “not materially lower” than under UK law. This represents a relaxation of the current rules, which set an "essentially equivalent" threshold in respect of the level of protection that must be afforded to data subjects following an overseas transfer of personal data. Alongside this, there is a power for the UK Secretary of State to approve transfers to a third country or international organisation (e.g. by issuing adequacy regulations) provided that, after the transfer, the level of protection for data subjects is "not materially lower" than the UK's.
- Scientific research: The DUA Act will clarify the circumstances in which organisations can use personal data for scientific research (including commercial scientific research) purposes. It will also clarify that individuals can give a broad consent to an area of scientific research. In addition, the DUA Act will allow organisations to re-use personal data for scientific research purposes without providing a privacy notice, if this would involve a disproportionate effort (subject to certain conditions).
4. Sanctions & non-compliance
Fines:
The ICO has powers to impose fines/penalties as follows:
Under the UK GDPR and the DPA:
- GBP 17.5m or 4% of the undertaking’s total annual worldwide turnover in the preceding financial year; or
- GBP 8.7m or 2% of the undertaking’s total annual worldwide turnover in the preceding financial year.
Under PECR:
GBP 500,000, although once the relevant provisions of the DUA Act are in force (expected January 2026) these will increase to the same level as under the UK GDPR/DPA.
For failure to register with the ICO:
A monetary penalty of up to £4,000 on top of the fee that the organisation is required to pay.
Criminal sanctions:
There are various criminal offences under the DPA including relating to:
- the unlawful obtaining of personal data;
- the re-identification of de-identified personal data;
- the alteration of personal data to prevent disclosure;
- obstruction offences;
- making false statements in response to an information notice;
- making a false statement in response to an interview notice; and
- destroying or falsifying information and documents.
In addition to the organisation, individual company directors can face criminal liability and unlimited fines (although custodial sentences cannot be imposed).
Others:
The enforcement powers of the ICO also include imposition of the following:
- assessment notices;
- enforcement notices, which can require the organisation to take or not take certain actions (including deleting or stopping processing data); and
- warnings and reprimands.
A data subject may (in addition to making a complaint to the ICO) also make a claim to the courts for compensation for material or non-material damage (which may include distress). There is the potential for class actions to be brought.
5. Registration / notification / authorisation
Under the Data Protection (Charges and Information) Regulations 2018 (as amended in 2025), controllers must pay a data protection fee to the Information Commissioner’s Office unless exempt. The fee is set on a sliding scale depending on the size and turnover of the organisation, and there are some exemptions. Organisations can be fined for not paying the fee where required.
6. Main obligations and processing requirements
For the most part, the UK GDPR is materially aligned with the EU GDPR. Specifically it sets out the same core data protection principles that apply to controllers:
- Lawfulness, fairness and transparency: Personal data must be processed on a valid lawful basis, in ways that are fair to individuals and explained clearly through concise and accessible privacy information.
- Purpose limitation: Personal data must be collected for specific, explicit and legitimate purposes and not further processed in ways incompatible with those purposes.
- Data minimisation: Only personal data that is adequate, relevant and limited to what is necessary for the stated purpose/purposes can be processed.
- Accuracy: Personal data must be accurate and, where necessary, kept up to date; and reasonable steps should be taken to correct or delete inaccuracies without delay.
- Storage limitation: Personal data must be kept only for as long as necessary for the purposes for which it is processed.
- Integrity and confidentiality (security): Personal data must be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
- Accountability : Controllers are responsible for, and must be able to demonstrate, compliance with all of the above principles through appropriate policies, records, and governance.
However, the following UK-specific requirements exist:
The DUA Act
The DUA Act will amend certain UK GDPR requirements. See above for more detail.
Personal data relating to children
- In the context of information society services, the EU GDPR sets a minimum age of 16 for the age that a data subject must be in order to give valid consent to the processing of their personal data. However, Member States are permitted to choose a lower age, as long as this is not lower than age 13. The UK (although now not an EU Member State following Brexit) chose the threshold to be 13 years old.
- The ICO has published the Age appropriate design code (a code of practice for online services). This statutory code is designed to help organisations providing online services that are likely to be accessed by children in the UK take into account the best interests of the child. It contains provisions to help organisations develop online services that recognise, and are tailored to, the fact that children warrant special protection in how their personal data is used. Under section 127 of the DPA, the ICO must take the code into account when considering whether an online service has complied with its data protection obligations under the UK GDPR/PECR. The code can also be used in evidence in court proceedings, and the courts are required to take its provisions into account wherever relevant.
Special categories of personal data and criminal convictions personal data
- Where special categories of personal data are processed, a lawful basis under Article 6, UK GDPR must be met plus one of a further list of more stringent conditions specified in Article 9, UK GDPR, or Schedule 1 of the DPA. “Special categories of personal data” refers to information about an individual’s race; ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; genetics or biometrics (where used for identification purposes); health; sex life or sexual orientation. Under the DUA Act there is also a new power for the UK government to expand the definition of special categories of personal data.
- Where personal data relating to criminal offences or convictions (or related security measures) is processed, a lawful basis under Article 6, UK GDPR must be met plus the processing must either be carried out under the control of official authority or be authorised by domestic law. In the UK, the requirement for the processing to be authorised by domestic law requires that the controller must meet one of the relevant conditions set out in Schedule 1 of the DPA.
- The Schedule 1 conditions are subject to various requirements and in some cases an “appropriate policy document” may be required.
UK representatives
Organisations without an establishment in the UK, but offering goods or services to, and/or monitoring the behaviour of, individuals located in the UK, may need to appoint a UK representative under the UK GDPR.
7. Data subject rights
Individuals have substantively the same core data protection rights as are set out under the EU GDPR:
- Right to be informed: Controllers must provide certain transparency information to individuals, including in respect of what personal data they collect, why, the applicable lawful basis, who they share that data with, what overseas transfers will take place, how long they keep it, and the rights available. This information is usually delivered via a privacy notice.
- Right of access: Individuals can get confirmation their data is processed and receive a copy, plus information about the processing.
- Right to rectification: Individuals can have inaccurate personal data corrected and incomplete data completed.
- Right to erasure (“right to be forgotten”): Individuals can ask for deletion of their personal data in specific situations.
- Right to restrict processing: Individuals can restrict processing in certain cases.
- Right to data portability: Individuals can, in certain cases, receive certain personal data they provided, in a structured, commonly used, machine‑readable format, and have it transmitted to another controller.
- Right to object: Individuals can object to processing based on legitimate interests or public task. There is also an absolute right to object to direct marketing (including related profiling).
- Rights in relation to automated decision‑making, including profiling: Individuals have protections against decisions based solely on automated processing that produce legal or similarly significant effects. Generally, they can obtain human intervention, express their view, and contest the decision.
- Consent withdrawal: Where processing relies on consent, individuals can withdraw the consent at any time, without detriment to prior processing.
- Complaints and remedies: Individuals can lodge a complaint with the ICO and also seek a judicial remedy (including compensation) for infringements.
8. Processing by third parties
The position is substantively the same as under the EU GDPR, as follows:
Due diligence
Controllers must select processors on the basis of documented assurances that the processor will provide sufficient guarantees to implement appropriate technical and organisational measures so as to meet the requirements of the UK GDPR and ensure the protection of data subject rights.
Mandatory contract terms (processor agreement)
A contract must be put in place with the processor and the contract must:
- Set out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data, categories of data subjects, and the controller’s obligations and rights.
- Require the processor to:
- process only on documented instructions of the controller (including in relation to international transfers), unless required by law, and inform the controller if an instruction infringes UK GDPR or other UK law;
- ensure persons authorised to process the data are under an appropriate duty of confidentiality;
- implement appropriate security measures (Article 32);
- obtain the controller’s prior written authorisation for the appointment of any sub‑processor (specific or general), and impose on each sub‑processor the same data protection obligations as in the controller–processor contract;
- remain fully liable to the controller for its sub‑processors;
- take appropriate measures to assist the controller in responding to requests from data subjects to exercise their rights;
- assist the controller, taking into account the nature of processing, with: (i) compliance with security requirements; (ii) personal data breach notification/communications; (iii) data protection impact assessments; and (iv) obligations relating to consultation with the ICO in respect of high-risk processing (Articles 32–36);
- at the controller’s choice, delete or return all personal data after the end of services and delete existing copies, unless retention is required by law; and
- make available all information necessary to demonstrate compliance and allow for and contribute to audits/inspections by the controller or an auditor mandated by the controller.
Joint controllers
Joint controllers must have a transparent arrangement between them, which sets out agreed roles and responsibilities for complying with the UK GDPR. This can be documented in a contract, or separately.
9. Transfers out of country
There are some substantive differences from the EU GDPR.
Key provisions allow:
- the transfer of personal data from the UK to the EEA and to any other countries which, as at 31 December 2020, were covered by a European Commission adequacy decision;
- the transfer of personal data to other countries under adequacy regulations issued by the UK Government;
- the use of standard contractual clauses as a transfer mechanism (such clauses currently being either: (i) EU SCCs and the UK addendum; or (ii) the International Data Transfer Agreement published by the ICO) provided that (in each case) a written transfer risk assessment, carried out in advance, indicates that the personal data will be protected to standards required by the UK GDPR following the transfer. In some cases supplementary practical and/or technical measures may have to be implemented first, in order to ensure that the requisite level of protection is in place;
- intra-group transfers outside of the UK on the basis of binding corporate rules (BCRs), subject to the same requirements above regarding putting in place a transfer risk assessment (and implementing supplementary measures where necessary); and
- transfers of personal data outside of the UK on the basis of certain derogations, which are applicable only in limited circumstances.
See also “Anticipated changes to local laws” above.
10. Data Protection Officer
There are no substantive derogations from the EU GDPR. The rules can be summarised as follows:
Circumstances when a Data Protection Officer (“DPO”) is mandatory (this applies to both controllers and processors; Article 37 UK GDPR):
- Public authorities/bodies: All public authorities or bodies must appoint a DPO (courts acting in a judicial capacity are excluded).
- Large‑scale monitoring: A DPO is required where an organisation’s core activities require the regular and systematic monitoring of individuals on a large scale.
- Large‑scale special category/criminal data: A DPO is required where an organisation’s core activities consist of the large‑scale processing of special category data or data relating to criminal convictions/offences.
If none of the above factors apply, appointment of a DPO is not mandatory, but voluntary appointment is permitted.
Who can be DPO?
- Internal or external: The DPO may be an employee or an external provider. A single DPO can serve a group of undertakings as long as they have sufficient resources to do so.
- Expertise: The DPO must have expert knowledge and experience of data protection law and practices, as proportionate to the nature of the organisation’s processing of personal data.
- No conflicts of interest: The DPO’s other roles within the organisation (if any) must not lead them to determine the purposes or means of processing.
Position (Article 38)
- Involvement and access: The DPO must be involved “in a timely manner” in all data protection issues and have necessary resources, access to personal data/processing operations, and ongoing training.
- Reporting line: The DPO must report to the highest management level, i.e. board level.
- Independence: The DPO must be able to work independently and must not be dismissed or penalised for performing DPO duties.
- Availability: Contact details for the DPO must be published and provided to the ICO.
Core tasks (Article 39)
The DPO’s tasks are to:
- Inform and advise the organisation and employees of their data protection obligations.
- Monitor compliance with the UK GDPR and internal policies, including assigning responsibilities, awareness‑raising, training, and audits.
- Advise on data protection impact assessments (“DPIAs”), and monitor their performance.
- Co‑operate with the ICO and act as the contact point on issues relating to the processing of personal data.
11. Security
There are no substantive derogations from the EU GDPR. The rules can be summarised as follows:
Core legal duties
Integrity and confidentiality principle (Article 5(1)(f)): Controllers must ensure that personal data is processed in a manner ensuring appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical and organisational measures.
Security of processing (Article 32): Controllers and processors must implement appropriate technical and organisational measures, taking into account the state of the art, costs of implementation, the nature, scope, context and purposes of processing, and the risk to individuals.
Measures may include (as appropriate):
- Pseudonymisation and encryption of personal data.
- Ensuring ongoing confidentiality, integrity, availability and resilience of systems and services.
- Timely restoration of availability and access to personal data after an incident.
- Regular testing, assessment and evaluation of the effectiveness of security measures.
When determining the appropriateness of measures, organisations are required to consider:
- State of the art security practices and technologies.
- Cost of implementation relative to risk.
- Nature of data (e.g., special category, children’s data), processing context and volume.
- Likelihood and severity of risks for data subjects.
Accountability (Article 5(2)): Controllers must be able to demonstrate compliance with the integrity and confidentiality principle and UK GDPR requirements concerning the security of processing.
12. Breach notification
There are no substantive derogations from the EU GDPR. The rules can be summarised as follows:
- A personal data breach is defined in the UK GDPR as any security breach leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
- The controller must notify the ICO of a personal data breach unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons.
- Notification must be “without undue delay” and, where feasible, within 72 hours of the controller becoming aware of it. If notification is outside of the 72-hour period, the controller must provide reasons for the delay.
- The notification should cover:
- Nature of the breach: including categories and approximate number of data subjects and personal data records concerned.
- Contact point: the name and contact details of the data protection officer or other contact for further information.
- Likely consequences: of the personal data breach.
- Measures taken/proposed: to address the breach and mitigate adverse effects.
- If all of the above information is unavailable at the time of notification, it can be provided in phases without undue further delay.
- The controller must also communicate the personal data breach to affected individuals without undue delay if it is likely to result in a high risk to their rights and freedoms.
- However, exceptions are provided in respect of each of the following:
- The controller implemented technical and organisational measures that render the data unintelligible to unauthorised persons (e.g., strong encryption).
- The controller took subsequent measures which ensure that the high risk is no longer likely to materialise.
- It would involve disproportionate effort. In this case the controller must instead issue a public communication (or similar measure) whereby data subjects are informed in an equally effective way.
- Processors must inform the controller without undue delay after becoming aware of a personal data breach.
- Controllers must document all personal data breaches, whether or not notification is required.
- If processing also falls under the EU GDPR, separate notifications to relevant EU data protection supervisory authorities may be required in parallel.
- In addition to the UK GDPR:
- PECR: Certain electronic communications service providers have specific breach notification duties to the ICO and (in some cases) to subscribers/users.
- NIS Regulations (UK): Operators of essential services and relevant digital service providers may have separate incident reporting duties to competent authorities.
- Regulated sectors: Financial services, healthcare, charities, and others may face additional regulatory or contractual incident reporting obligations.
13. Direct marketing
For business to consumer (i.e. individual) (“B2C”) direct marketing, PECR prohibits unsolicited electronic communications for direct marketing purposes without prior consent (obtained in accordance with the requirements of the UK GDPR) from the individual, unless:
- the individual has provided their relevant contact details in the course of purchasing a product or service from the person proposing to undertake the marketing;
- the marketing relates to that same organisation’s similar product(s) or service(s); and
- the individual was given a means to readily opt out of the use of their details for direct marketing purposes, both when their details were collected and in each subsequent marketing communication.
For business to business (“B2B”) direct marketing, the requirements generally are less stringent and such marketing can typically be done on an “opt out” basis, except for in relation to automated calls, and subject to stricter rules when marketing claims management services and in the context of pension schemes (these stricter rules also apply in a B2C context).
Direct marketing calls must be screened against preference services (TPS or CTPS, as applicable). Organisations must also screen against their own internal opt-out lists.
In each case, the rules also require that the sender identifies itself (and does not conceal its identity) and provides contact details.
Sole traders and some partnerships are treated as individuals (see above).
Where direct marketing involves the processing of personal data (e.g. individual contact details) the processing must be compliant with the UK GDPR. In particular, the processing must be lawful, fair and transparent, and individuals always have an absolute right to object at any time (Article 21(3), UK GDPR).
The ICO has published specific guidance on direct marketing.
See also “Anticipated changes to local laws” above.
14. Cookies and adtech
Cookies and similar technologies like tracking pixels, link decoration and navigational tracking, web storage, fingerprinting techniques and scripts and tags (“Cookies”) are regulated by PECR. The basic rule is that organisations must:
- provide clear and comprehensive information about Cookies; and
- obtain the user/subscriber’s consent to the Cookie except where it is:
- used for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or
- strictly necessary for the provision of a service requested by the user.
Further exemptions to the requirement to obtain consent for Cookies are set out in the DUA Act. These will apply (from early 2026) in respect of Cookies used only: (i) for statistical purposes; (ii) for certain purposes linked to customising the appearance of websites/services in line with the user/subscriber’s preferences; or (iii) to identify the geographical position of the subscriber’s/user’s device to provide emergency assistance.
Cookie consent under PECR means consent to the same standard as is required under the UK GDPR. (See Article 4(11), UK GDPR)
These rules apply to adtech and online marketing that is Cookies-based (whether or not personal data is used).
The ICO has published specific guidance on use of Cookies.
15. Risk scale
Severe
16. Useful links
Cybersecurity
1. Local cybersecurity laws and scope
The key cybersecurity laws that apply in the UK include the following:
- Network and Information Systems Regulations 2018 (“UK NIS Regulations”)
- Communications Act 2003
- Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”)
- Data Protection Act 2018 (“DPA”) and the UK GDPR – see “Data Protection” section above for full details of data protection laws
- Computer Misuse Act 1990
- Product Security and Telecommunications Infrastructure Act 2022 (“PSTIA”)
Financial services providers including banks, insurance companies, credit unions and financial advisers are regulated by either the Financial Conduct Authority (“FCA”) and the Prudential Regulation Authority (“PRA”) jointly, or by the FCA only, and are subject to additional security and governance obligations, which can directly or indirectly relate to cybersecurity.
2. Anticipated changes to local laws
The UK Government has announced a new Cyber Security and Resilience Bill (the “CSRB”), which is expected to be published during 2025.
The CSRB is expected to address UK-specific cyber security issues whilst also aligning, where considered appropriate, with the approach taken in the EU NIS 2 Directive.
Broadly, the CSRB is expected to:
- Make updates to the UK NIS Regulations, including by bringing more organisations in scope.
- Empower regulators and enhance oversight.
- Ensure the regulatory framework can keep up with the developments in the cyber landscape.
The UK Government is also considering new rules in relation to ransomware, including a ban on ransomware payments for certain organisations operating with the public sector and/or as part of the UK’s critical national infrastructure.
3. Application
UK NIS Regulations:
The EU NIS Directive (Directive (EU) 2016/1148) was implemented into UK law on 10 May 2018 by the UK NIS Regulations. The UK NIS Regulations apply to Operators of Essential Services (“OESs”), and Relevant Digital Service Providers (“RDSPs”).
OESs
- An OES is an organisation (public or private) within certain vital sectors, that provides services essential to the economy where:
- the service is dependent on network and information systems; and
- an incident would have “significant disruptive effects” on that service.
- This includes organisations that operate within critical national infrastructure (e.g. water, transport, energy) or which provide services such as healthcare and digital infrastructure, provided that they meet certain thresholds.
- Banking and financial markets infrastructure are omitted as they are already subject to separate regulatory requirements.
RDSPs
- A RDSP is an organisation that:
- provides a digital service in the UK that constitutes a search engine, an online marketplace or a cloud computing service; and
- has a head office in the UK, or a nominated representative in the UK; and
- is not considered to be a micro or small enterprise (i.e. with fewer than 50 staff and an annual turnover or balance sheet of below €10 million).
Communications Act 2003 (CA):
The CA imposes security and incident notification obligations on Public Electronic Communications Network (PECN) providers and Public Electronic Communications Services (PECS) providers.
Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR):
The ePrivacy Directive was implemented in the UK on 11 December 2003 by PECR, and has been amended several times. PECR contains security and incident notification obligations that apply to PECS providers.
DPA/UK GDPR:
The DPA / UK GDPR applies when personal data is being processed, and imposes obligations in relation to security and personal data breach notification on controllers and processors.
Computer Misuse Act 1990 (CMA):
The CMA does not impose security obligations on businesses or individuals but rather creates various cybercrime offences, criminalising acts such as unauthorised access or interference with a computer and DDoS attacks.
Product Security and Telecommunications Infrastructure Act 2022 (PSTIA):
The Product Security and Telecommunications Infrastructure Act 2022 (PSTIA) gained Royal Assent on 6 November 2022. Part 1 of the PSTIA has created a new regulatory scheme to help ensure that consumer connectable products are more secure against cyberattacks. This aspect came into force on 29 April 2024.
4. Authority
A number of different authorities may have competent jurisdiction depending on the relevant laws or regulations that apply:
NIS
OESs and RDSPs are regulated by their relevant Competent Authority. Schedule 1 of the UK NIS Regulations lists the Competent Authorities for OESs, which are sector specific, for example:
- the Secretary of State for Health (supported by NHS Digital) is the Competent Authority for the healthcare sector; and
- Ofcom is the Competent Authority for the telecoms sector.
The ICO (the Information Commissioner) is the Competent Authority in respect of RDSPs.
CA
Ofcom regulates PECN providers and PECS providers.
PECR/DPA/UK GDPR
The ICO is the regulator responsible for the administration of these laws.
CMA
The ICO can bring prosecutions under the CMA.
5. Key obligations
UK NIS Regulations
Both OESs and RDSPs must comply with obligations relating to:
- Adopting a minimum level of security standards to protect the network and information systems on which these essential services rely.
- The timely reporting of any incident which has a significant impact on the continuity of those essential services.
The obligations imposed by the UK NIS Regulations on OESs and RDSPs are similar to the security provisions set out in Article 32 of the UK GDPR and the personal data breach reporting obligations set out under Article 33 of the UK GDPR.
However, there are also some differences. These include that:
- OESs and RDSPs are not permitted to consider the cost of the implementation of those measures when determining what security measures are appropriate and proportionate in the circumstances (although they are entitled to consider what is the state of the art – i.e. the type of security measures available to them).
- The 72-hour deadline for notifications is not limited to "where feasible" (as under the GDPR).
- For RDSPs, the notification requirement only applies to the extent the RDSP has access to information which enables it to assess whether the impact of an incident is substantial.
- For OESs, the information to be provided is limited to information which may reasonably be expected to be within the knowledge of that OES.
CA
PECN and PECS providers must take measures that are appropriate and proportionate to:
- Identify the risks of security compromises occurring.
- Reduce the risks of security compromises occurring.
- Prepare for the occurrence of security compromises.
Ofcom, as the relevant regulator, has published guidance in relation to in-scope "security compromises".
PECN providers and PECS providers are under duties to notify users and Ofcom about any security breaches.
The CA also allows the UK Secretary of State to make a “designated vendor direction” requiring public communications providers to remove equipment supplied by a specified vendor from their networks for security reasons.
PECR
PECR requires PECS providers to take technical and organisational measures to ensure the security of their services, by restricting who can access personal data and by protecting personal data stored or transmitted against:
- accidental or unlawful destruction;
- accidental loss or alteration; and
- unauthorised or unlawful storage, processing, access or disclosure.
In the case of a personal data breach, the PECS provider must notify the ICO of the breach. On 20 August 2025, section 111 of the DUA Act came into force. This amends PECR, extending the time limit in which the provider must report a personal data breach from 24 hours to “without undue delay and where feasible, not later than 72 hours after having become aware of it”. This now mirrors the UK GDPR.
No notification is required where the relevant PECS provider has demonstrated to the ICO’s satisfaction that it has implemented appropriate technological protection measures which render the data unintelligible to any person who is not authorised to access it, and that those measures were applied to the data concerned in the breach.
PECS providers must notify the individuals concerned of the breach without undue delay after its detection, if the breach is likely to adversely affect the personal data or privacy of a subscriber/user. However, as above, such notification is not required where the provider has demonstrated to the ICO’s satisfaction that it has implemented appropriate technological protection measures which render the data unintelligible to any person who is not authorised to access it, and that those measures were applied to the data concerned in that breach.
PECS providers must maintain a log of personal data breaches to enable the ICO to verify compliance with PECR.
DPA/ UK GDPR
The UK GDPR imposes obligations:
- On controllers to process personal data in a manner that ensures appropriate security of the data (‘integrity and confidentiality’) (Article 5(1)(f), UK GDPR).
- On controllers to observe data protection by design and default principles when building systems and processes (Article 25, UK GDPR).
- On both controllers and processors to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (Article 32, UK GDPR).
- On processors to inform the controller without undue delay if they become aware of a personal data breach (Article 33(2), UK GDPR).
- On controllers, where there is a personal data breach, to make a notification to the ICO without undue delay and (where feasible) within 72 hours from when they become aware of the breach (unless the breach is unlikely to result in a risk to the rights and freedoms of individuals) (Article 33, UK GDPR).
- On controllers to keep records of personal data breaches. (Article 33, UK GDPR).
- On controllers to communicate a personal data breach to the relevant data subjects without undue delay when this is likely to result in a high risk to the rights and freedoms of natural persons (Article 34 UK GDPR).
CMA
The offences set out in the CMA include:
- Unauthorised access to computer material (section 1(1), CMA).
- Unauthorised access to computer materials with intent to commit or facilitate commission of further offences (section 2(1), CMA).
- Unauthorised acts with intent to impair, or with recklessness as to impairing, the operation of a computer (section 3, CMA). This section also criminalises the circulation of viruses and other malware.
- Making, supplying or obtaining articles for use in offences under section 1 or section 3 of the CMA (section 3A, CMA, as amended by the Police and Justice Act 2006).
In addition, the CMA was amended by the Serious Crime Act 2015 (SCA), which implemented the EU Cybercrime Directive (2013/40/EU) and created a new offence of unauthorised acts causing, or creating a significant risk of, serious damage (section 3ZA, CMA).
eIDAS
- eIDAS sets out rules for UK trust services and establishes a legal framework for electronic signatures, electronic seals, electronic time stamps, electronic documents, electronic registered delivery services and certificate services for website authentication.
- Trust service providers are obliged to take appropriate technical and organisational measures to manage the risks posed to the security of the trust services they provide, in particular measures to prevent and minimise the impact of security incidents.
- Where an electronic identification scheme is breached or partly compromised and there is a “significant impact”, there is an obligation on the trust service provider to notify the ICO within 24 hours.
- If users are likely to be affected, they must also be notified.
- In some circumstances, the ICO may decide to inform the wider public about a breach or require the trust service provider to do so.
PSTIA
- PSTIA includes a power for ministers to specify security requirements for relevant connectable products and imposes obligations on manufacturers, importers and distributors to comply with these security requirements, and publish statements of compliance.
- The relevant security requirements are set out in the Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 (SI 2023/1007)) (the “Security Regulations”), which came into force on 29 April 2024.
- The Security Regulations require that manufacturers must: not ship products with universal default passwords (each product’s password must be unique to that product or defined by the user); implement a way to manage reports of vulnerabilities (a published point of contact and disclosure policy); and be transparent about the minimum period for which the product will receive security updates.
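The first of those three requirements is the one that lands directly on firmware and factory-provisioning code. As an added example, not taken from the page or from the Security Regulations, the following JavaScript provisions a per-unit password from the platform CSPRNG rather than from the serial number or a counter, and audits a batch of factory defaults for the patterns a universal or guessable default shows (one password shared across units, passwords that embed the serial, or passwords that increment from unit to unit). The alphabet, password length, serial format and the heuristics in `auditDefaults` are the author's assumptions, not the regulation's wording; a production line would also need to get the password onto the label and into the device securely, which this example does not cover.

```javascript
// Added example (not from the page or SI 2023/1007): per-unit default
// passwords and a batch audit for universal/guessable defaults.
// Alphabet, length, serial format and audit heuristics are assumptions.

// Characters that are easy to read off a label: no 0/O or 1/l/I ambiguity.
const PASSWORD_ALPHABET = 'abcdefghjkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789';
const PASSWORD_LENGTH = 16;
const MIN_LENGTH = 12;

// Random bytes from the platform CSPRNG. A different source can be injected
// (tests use a deterministic one); production must use this one.
function csprng(n) {
  return require('crypto').randomBytes(n);
}

// Draw characters with rejection sampling so every alphabet symbol is equally likely.
function randomPassword(rng = csprng, length = PASSWORD_LENGTH) {
  const base = PASSWORD_ALPHABET.length;
  const limit = 256 - (256 % base); // bytes >= limit are discarded to avoid modulo bias
  const out = [];
  while (out.length < length) {
    for (const b of rng(length)) {
      if (out.length === length) break;
      if (b < limit) out.push(PASSWORD_ALPHABET[b % base]);
    }
  }
  return out.join('');
}

// One independent password per serial: nothing about the serial feeds the password.
function provisionBatch(serials, rng = csprng) {
  return serials.map((serial) => ({ serial, password: randomPassword(rng) }));
}

// "Cam0007" -> "Cam0008": same prefix, trailing number one higher.
function isIncrement(prev, curr) {
  const split = (s) => /^(.*?)(\d+)$/.exec(s);
  const a = split(prev);
  const b = split(curr);
  return Boolean(a && b && a[1] === b[1] && Number(b[2]) === Number(a[2]) + 1);
}

// Audit a batch of factory defaults. Returns one finding per problem found.
function auditDefaults(batch) {
  const findings = [];
  const firstSerialFor = new Map(); // password -> serial that first used it
  batch.forEach(({ serial, password }, i) => {
    if (password.length < MIN_LENGTH) {
      findings.push({ serial, issue: 'too-short' });
    }
    if (serial.length >= 4 && password.toLowerCase().includes(serial.toLowerCase())) {
      findings.push({ serial, issue: 'derived-from-serial' });
    }
    if (firstSerialFor.has(password)) {
      findings.push({ serial, issue: 'shared-with', other: firstSerialFor.get(password) });
    } else {
      firstSerialFor.set(password, serial);
    }
    if (i > 0 && isIncrement(batch[i - 1].password, password)) {
      findings.push({ serial, issue: 'incremental' });
    }
  });
  // Every unit carrying the same password is the classic universal default.
  if (batch.length > 1 && firstSerialFor.size === 1) {
    findings.push({ serial: '*', issue: 'universal-default' });
  }
  return findings;
}

// Run directly (CommonJS) to see a good batch and a bad batch side by side.
if (typeof module !== 'undefined' && require.main === module) {
  const good = provisionBatch(['SN000101', 'SN000102', 'SN000103']);
  const bad = [
    { serial: 'SN000101', password: 'admin' },
    { serial: 'SN000102', password: 'admin' },
  ];
  console.log(JSON.stringify({ good, goodFindings: auditDefaults(good), badFindings: auditDefaults(bad) }, null, 2));
}
```

`auditDefaults` is deliberately a batch check rather than a per-device one: a "unique" password scheme that is really `prefix + serial` or `prefix + counter` looks fine on any single unit and only shows up when you line the units up next to each other, which is exactly how an attacker with two devices from the same production run would see it.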
6. Sanctions & non-compliance
Administrative sanctions:
UK NIS Regulations
Organisations that contravene the UK NIS Regulations are subject to a maximum financial penalty of GBP 17m for a material contravention, which the relevant enforcement authority determines has caused, or could cause, an incident resulting in an immediate threat to life or significant adverse impact on the UK economy.
It is possible to be fined under both the UK NIS Regulations and the UK GDPR for the same incident (so-called ‘double jeopardy’) provided there are distinct bases for doing so (i.e. there is a breach of data protection law, and a separate breach of the UK NIS Regulations).
Designated Competent Authorities monitor OESs’ compliance through an auditing process to prevent non-compliance. RDSPs are not audited, with enforcement being applied to RDSPs after an incident has occurred, or if a RDSP is reported to the Competent Authority as being non-compliant.
CA
Ofcom can impose fines of up to 10% of relevant turnover for non-compliance or, for a continuing contravention, up to £100,000 a day.
PECR
The ICO can:
- impose enforcement notices, information notices and monetary penalty notices of up to GBP 500,000 on PECS providers (although this is to be increased under the DUA Act to GBP 17.5m or 4% of annual global turnover);
- audit PECS providers;
- prosecute PECS providers for failure to comply with a notice; and
- carry out 'dawn raid' search and seizure investigations with a warrant.
A PECS provider that fails to comply with the breach notification requirement may be subject to a fixed monetary penalty notice of GBP 1,000 which will be reduced to £800 if paid within 21 days of receipt of a notice of intent from the ICO.
Individuals who suffer damage as a result of a PECS provider's breach of the PECR may bring compensation claims.
DPA/UK GDPR
See “Data Protection” section above.
CMA
Offences under section 3ZA are tried on indictment and are punishable by life imprisonment where the act causes, or creates a significant risk of, loss of human life, human illness or injury, or serious damage to national security, and by up to 14 years’ imprisonment otherwise (for example, damage to the economy). This also extends to making, supplying or obtaining articles intended for use in such an offence. Otherwise, offences are punishable by maximum prison sentences ranging between 2 and 10 years, depending on the offence.
The ICO can bring prosecutions under the CMA.
eIDAS
The ICO has powers to:
- issue a monetary penalty notice requiring payment of GBP 1,000;
- carry out audits, and make recommendations;
- serve an enforcement notice order if there has been a breach, requiring specified steps to be taken to comply with the law;
- prosecute organisations that fail to comply with an enforcement notice (excluding in Scotland); and
- make reports to Parliament on issues of concern.
If an organisation fails to comply with an enforcement notice, assessment notice (for a compulsory audit) or information notice, the Information Commissioner can also invoke its powers to impose fines up to the higher of GBP 17.5m, or 4% of total worldwide annual turnover.
PSTIA
- The UK Secretary of State has powers to enforce the PSTIA and may issue compliance notices, stop notices and recall notices.
- Failure to comply with an enforcement notice is an offence.
- The UK Secretary of State also has the power to issue monetary penalties up to the greater of £10 million and 4% of an organisation's qualifying worldwide revenue, in respect of a single, relevant breach.
- Further enforcement powers include the power to inform the public about compliance failures and to publish details about enforcement action.
- The UK Secretary of State has delegated its enforcement functions to the Office for Product Safety and Standards (“OPSS”). OPSS is the national enforcement authority for all consumer products.
7. Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)?
The National Cyber Security Centre (“NCSC”, which is part of GCHQ) does not enforce the UK NIS Regulations but fulfils the following roles under them:
- A Single Point of Contact (SPOC) – for engagement with EU partners, consulting and cooperating with law enforcement authorities, and submitting reports on incident notifications.
- A Computer Security Incident Response Team (CSIRT). Its role in this respect involves:
- monitoring incidents;
- providing early warning, alerts, announcements and dissemination of information about risks and incidents;
- responding to incidents notified to it by Competent Authorities;
- providing dynamic risk and incident analysis and situational awareness;
- participating in the ‘CSIRTs network’ at European level;
- establishing relationships with the private sector;
- promoting the adoption and use of common or standard practices for incident and risk handling procedures, and incident, risk and information classification schemes; and
- co-operating with the competent authorities when they undertake enforcement action.
Competent Authorities can share information with the NCSC where this is necessary for the requirements of the UK NIS Regulations. This must be limited to information that is relevant and proportionate to the purpose for the sharing.
The ICO is also required to share incident notifications with the NCSC as soon as reasonably practicable.
8. National cybersecurity incident management structure
Yes, see above.
9. Other cybersecurity initiatives
The Cyber Security Information Sharing Partnership (CiSP) is a joint industry and government initiative set up to exchange cyber threat information in real time to increase awareness with the aim of reducing the impact of cybersecurity breaches on UK business.
Cyber Essentials is a government scheme aimed at highlighting security controls that will help organisations mitigate the risk to their IT systems from online threats. The scheme focuses on five essential mitigations within the context of the 10 Steps to Cyber Security. It provides organisations with guidance on implementation, as well as offering independent certification.
The NCSC has developed the Cyber Assessment Framework (“CAF”). This is intended to be used by organisations that operate within UK critical national infrastructure/OESs.
The CAF is composed of 14 cybersecurity and resilience principles set out alongside guidance in respect of each principle. The principles are designed to help organisations achieve and demonstrate an appropriate level of cyber resilience.