September 2, 2025

Cybersecurity laws and regulations in the UK: Your guide for 2025

Written by
Vanta
Reviewed by
Jill Henriques
GRC Subject Matter Expert, GTM

The compliance environment in the UK is rapidly evolving as more organisations adopt cloud-based services and accelerate digitalisation efforts. According to Vanta’s 2025 UK State of Trust Report, about 54% of organisations in the UK increased their investment in automation and IT in the past year, outpacing countries like the United States and Australia.

This shift has also led to an increased awareness of risks as teams navigate evolving technologies to secure data and systems alongside a growing list of regulatory and legal requirements.

On top of that, organisations are still adapting to the post-Brexit compliance landscape that has prompted the UK to publish and enact its own laws and regulations, independent of the EU. This has created a dual compliance environment for companies operating in both jurisdictions.

This article will guide you through:

  • UK-specific laws and regulations
  • Cross-border regulations for UK-based companies
  • Potential future of the UK compliance landscape

Key cybersecurity laws and regulations in the UK

The UK has established a comprehensive framework of laws and regulations to support organisations across sectors with clear standards for managing and responding to cybersecurity risks. As with cross-border standards, they focus on strengthening national cyber resiliency, enhancing customer trust, and minimising the risk of operational disruptions.

Due to the UK’s unique regulatory position after its departure from the EU, its post-Brexit compliance landscape is split into two categories:

  1. UK-specific laws and regulations: Developed and enforced by UK authorities
  2. Cross-border laws and regulations: Broader compliance requirements for organisations operating in other jurisdictions

“Brexit has introduced a persistent sense of ambiguity in the UK compliance space. This is more evident when evaluating the applicability of EU laws to UK-based organisations, given the geographical and economic proximity. With compliance frameworks often in a state of flux, companies are unsure whether—and to what extent—EU regulations continue to apply. Cross-border operations are also more complex now as organisations navigate scattered regulations without clear guidance.”

Marsel Fazilov

It’s worth noting that several widely adopted global regulations and frameworks, such as HIPAA, NIST AI RMF, and SOC 2, don’t apply to the UK. However, many organisations still pursue them to strengthen security and gain a competitive edge.

6 essential UK-specific laws and regulations

Most UK-specific laws and regulations are either adapted versions of existing EU laws or entirely new standards designed to address local cybersecurity and privacy nuances.

Consult the table below for a summary of the six relevant frameworks and regulations, followed by a brief overview of each:

| UK framework/regulation | Type | Applicability |
| --- | --- | --- |
| UK-GDPR | Regulation | Organisations processing personal data of UK citizens |
| DPA 2018 | Regulation | Organisations that handle personal data within the UK |
| UK Operational Resilience Framework | Framework | Financial institutions in the UK |
| Computer Misuse Act 1990 | Regulation | Criminalises unauthorised access to systems and cyber-enabled crimes |
| Telecommunications (Security) Act 2021 | Framework | Providers of public electronic communications in the UK |
| PECR | Regulation | Organisations that handle personal data for marketing activities |

1. UK-GDPR

The UK-GDPR is the UK's core data privacy law, designed to mirror the EU GDPR after Brexit with UK-specific context. Like the EU GDPR, the UK-GDPR aims to protect the fundamental rights of UK citizens with respect to the processing of their personal data.

Compliance with the UK-GDPR is mandatory for organisations of all sizes that collect, maintain, or process UK citizens' personal information. This includes businesses, public sector entities, and any organisation offering goods or services to UK residents.

Organisations subject to the regulation must implement specific security and privacy practices, such as:

  • Implementing data subject rights workflows
  • Designating a data protection officer (DPO)
  • Conducting data protection impact assessments (DPIAs)

In addition, the UK-GDPR grants data subjects rights, including:

  • Knowing whether their personal data is being collected and stored
  • Requesting deletion of such data
  • Restricting how their data is processed
  • Data portability

2. DPA 2018

The Data Protection Act 2018 (DPA 2018) is UK primary legislation that makes provision for the processing of personal data and, alongside the UK GDPR, sets out the UK’s data protection framework.

Part 2 of the DPA 2018 supplements the UK GDPR. The UK GDPR (and, by extension, the relevant parts of the DPA 2018) applies to organisations established in the UK and to organisations outside the UK that target or monitor individuals in the UK.

To comply with their obligations under the DPA 2018 (together with the UK GDPR), organisations need to follow a range of administrative, security, and privacy measures, including:

  • Embedding data protection by design and default
  • Maintaining records of processing activities (ROPA)
  • Applying the six Part 3 principles and, where automated processing is used, keeping operational logs of specified actions*

*Only applicable to competent authorities processing for law-enforcement purposes (Part 3)

3. UK Operational Resilience Framework

The Operational Resilience Framework is developed by the Bank of England, the Prudential Regulation Authority (PRA), and the Financial Conduct Authority (FCA). It sets baseline security standards financial entities in the UK should implement to proactively prepare for and mitigate operational disruptions.

As of March 31, 2025, all financial entities regulated by the Bank of England, the PRA, and the FCA must comply with this framework. This includes:

  • Banks
  • Insurers
  • E-money firms
  • Payment institutions

Non-compliance with the framework can result in corrective action, financial penalties, or legal escalations, depending on the severity of the violation.

To meet the framework’s requirements, in-scope entities must implement defined administrative and technological measures. Examples include:

  • Conducting risk assessments for operational disruptions
  • Performing gap assessments
  • Identifying important staff, systems, and processes
  • Reviewing and updating policies and procedures regularly
  • Maintaining thorough documentation of compliance efforts

4. Computer Misuse Act 1990

The Computer Misuse Act, introduced in 1990, is the UK’s foundational cybercrime legislation. The act criminalises unauthorised access to computer systems, data theft, and other activities that may enable cyber crime.

Compliance with the Computer Misuse Act is mandatory, and breaches may result in financial penalties or prison sentences, depending on the severity and intent behind the violation.

Ensuring compliance with the Computer Misuse Act requires organisations to:

5. Telecommunications (Security) Act 2021

The Telecommunications (Security) Act is a regulation introduced in 2021 with the goal of strengthening the security posture of the UK’s telecom networks. The act imposes new legal obligations on telecom companies, with severe financial penalties for non-compliance.

Compliance with the act is mandatory for all public telecommunication service providers, which can be classified into one of three tiers, depending on their size and the potential impact of a breach:

  1. Tier 1: Organisations with an annual turnover of £1 billion or more, whose disruption could have significant economic and social consequences
  2. Tier 2: Organisations with an annual turnover of £50 million to £1 billion, whose disruption could have potential social, security, and economic effects
  3. Tier 3: Organisations with an annual turnover of less than £50 million, whose disruption would affect customers, with minimal impact beyond that

To achieve compliance with the act, telecom providers must implement and regularly review internal and supply chain safeguards, and ensure their workforce understands the potential risks within network systems.

6. PECR

The Privacy and Electronic Communications Regulations (PECR) give UK citizens greater rights regarding electronic marketing and communication activities, such as marketing calls, cookies, and the security of communication services.

Compliance with the PECR is mandatory for all organisations that send electronic marketing materials or use cookies and similar technologies. Non-compliance can result in corrective action, audits, financial penalties, or criminal prosecution.

To achieve PECR compliance, organisations must implement policies, procedures, and safeguards, such as:

  • Obtaining consent where required
  • Implementing appropriate safeguards for private information
  • Securing communications 

5 cross-border laws and regulations applicable in the UK

Most cross-border laws and regulations relevant in the UK originate in the EU. These regulations apply to all organisations that operate within the EU, regardless of where they are located, so UK-based entities must comply only if they have operations, infrastructure, or customers within the EU.

Consult the table below for an overview of the five major cross-border laws and regulations applicable in the UK:

| Non-UK regulation/framework | Type | Applicability |
| --- | --- | --- |
| Network and Information Security Directive (NIS 2) | Framework | Applies to all organisations providing essential or important services within the EU |
| Digital Operational Resilience Act (DORA) | Framework | Applies to financial entities and ICT third-party service providers within the EU |
| EU Cybersecurity Act | Regulation | Applies to manufacturers, developers, and service providers for IT products within the EU |
| EU Cyber Resilience Act | Regulation | Applies to products with digital elements in the EU market |
| EU Artificial Intelligence Act | Regulation | Applies to providers and deployers of AI systems that operate within the EU |


1. NIS 2

The NIS 2 directive introduces numerous controls intended to strengthen the security posture of organisations within EU Member States. It’s an update to the original NIS directive, which was designed with the same goal but lacked effective measures and prescriptive guidance.

NIS 2 applies to organisations within 15 sectors, including:

  • Energy
  • Transport
  • Finance
  • Health
  • Digital infrastructure
  • Postal services
  • Waste management
  • Food production
  • Digital providers

Organisations within these sectors are categorised either as essential or important entities, depending on their size and the criticality of the services they provide.

Compliance with NIS 2 is mandatory, and violations can result in corrective measures, financial penalties, and even sanctions against senior management, introducing personal liability.

After Brexit, NIS 2 doesn’t directly apply to all UK-based entities. However, organisations can still fall under the scope if they provide services in EU Member States within the relevant sectors and meet the criteria for an essential or important entity.

If your organisation falls under the NIS 2 scope, you must implement a selection of security and business continuity requirements, such as:

  • Backup management policies
  • Incident response plans
  • Business continuity plans
  • Access point policies
  • Continuous authentication solutions
  • Cyber risk management evaluation procedures

Note: The UK is also preparing a Cyber Security and Resilience Bill, intended as an equivalent to the EU’s NIS 2. The bill is still in the early stages of development and is expected to be introduced to Parliament in 2025.

2. DORA

The Digital Operational Resilience Act (DORA) was introduced in January 2023 to enhance cybersecurity and operational resilience for financial entities in the EU.

This mandatory compliance framework aims to strengthen the resilience of organisations in the finance and insurance sectors against information and communications technology (ICT) threats and incidents. Non-compliance can result in penalties such as fines, cease and desist orders, or legal action.

DORA is location agnostic—all organisations operating within the EU must comply with it. Therefore, UK-based financial entities with ICT dependencies within the EU or those providing services in its Member States must assess whether they fall under DORA’s scope and ensure compliance.

DORA is structured around five pillars, each with an objective and a set of requirements that help meet it:

| Pillar | Objective | Example requirements |
| --- | --- | --- |
| ICT risk management | Develop robust procedures for managing ICT risk | Implement measures to secure ICT systems; develop mechanisms to identify and mitigate ICT risks |
| ICT third-party risk management | Design and implement a TPRM framework within your risk management programme | Implement procedures for overseeing critical third-party providers; establish contractual vendor responsibilities |
| Digital operational resilience testing | Design, implement, and review digital operational resilience testing procedures | Test the effectiveness of ICT tools and systems; regularly review and update systems |
| ICT-related incident management | Develop a process that detects, mitigates, and communicates incidents | Classify incidents based on impact and severity; report incidents to the relevant authorities |
| Information sharing | Enhance transparency by sharing cyber threat information | Voluntary pillar with no mandatory requirements |

3. EU Cybersecurity Act

The EU Cybersecurity Act strengthens the mandate of the EU Agency for Cybersecurity (ENISA) and establishes a cybersecurity certification framework for ICT products and services. The act aims to enhance the overall level of cybersecurity, resilience, and trust within the EU by introducing harmonised requirements.

Unlike DORA and NIS 2, which impose mandatory requirements, the EU Cybersecurity Act is mostly voluntary. However, organisations may be required to achieve certification if other EU regulations, such as the Cyber Resilience Act, specify it.

Currently, UK-based entities are not automatically required to comply with the Cybersecurity Act. However, organisations offering ICT products, services, or processes in the EU market are expected to pursue certification, which means meeting the requirements of the applicable certification schemes, such as:

  • Implementing adequate security measures
  • Conducting vulnerability impact analyses based on feedback
  • Generating reports based on those analyses and notifying relevant authorities
  • Maintaining documentation for five years

4. EU Cyber Resilience Act

The EU Cyber Resilience Act boosts the cybersecurity standards for products with digital components by requiring manufacturers and retailers to ensure cybersecurity throughout the product lifecycle. Its purpose is to safeguard consumers and businesses buying software and hardware in the EU.

Compliance with the act is mandatory and extends to all organisations that manufacture or distribute in-scope products in the EU, regardless of their location. The resulting Cyber Resilience Act requirements include: 

  • Conducting risk assessments for the product
  • Exercising due diligence when integrating third-party components
  • Implementing and regularly updating security measures
  • Establishing procedures to demonstrate compliance with the act

5. EU Artificial Intelligence Act

The EU AI Act was created by the European Commission to regulate AI systems based on risk levels. The regulation promotes safe, transparent, and responsible use of AI across the EU, while enabling innovation and protecting fundamental rights.

The act classifies AI systems into four categories based on the risks they pose, each dictating the specific requirements. The categories are:

  • Unacceptable: Systems that can endanger EU citizens via unfair, manipulative, or deceptive tactics, and are completely banned in the EU.
  • High risk: Systems that can cause harm when used incorrectly, such as self-driving vehicles and medical classification systems. These systems require demonstrating adherence to the act throughout their lifecycle.
  • Limited risk: Systems that pose limited risk to individuals but still have to meet certain requirements. Compliance focuses on transparency and maintaining the necessary documentation.
  • Minimal risk: Traditional or general AI programs that pose no danger and fall outside the scope of the act.

UK-based entities are only considered in-scope for the EU AI Act if they use or release AI systems or models within the EU.


What will the UK compliance space look like in the future?

The current UK compliance space remains fluid. Local data protection laws have been under review since October 2024 and may be subject to further amendments in the future. A key point to revisit would be December 27, 2025, when the UK’s adequacy decisions with the EU are set to expire.

Adequacy decisions enable the free flow of data between the EU and non-EU countries by recognising that the receiving country provides data protection equivalent to that offered in the EU. If they are not renewed, UK organisations will have to meet additional compliance requirements when transferring data across borders.

One way to prepare for such shifts is to reduce silos between company departments. Teams should work toward more fluid communication flows that minimise interdepartmental silos and make regulatory adjustments easier.

Organisations can gain a further competitive edge by leveraging public trust centers to demonstrate compliance with broader, widely accepted frameworks, such as ISO 27001 and SOC 2.

Ensure continuous compliance with Vanta

According to the UK State of Trust Report, 77% of IT decision-makers in the UK believe they can save their company time and money by investing in automation. If you’re looking for similar outcomes, Vanta’s global trust management platform can be what your team needs.

Vanta supports compliance through automation, reducing manual effort and speeding up compliance for 35+ frameworks and attestations, including SOC 2, HIPAA, and GDPR. It enables real-time, continuous monitoring, helps teams stay proactive, and speeds up response times.

The platform offers a dedicated compliance automation product that comes with features designed for productivity, such as:

  • 1200+ automated, hourly tests
  • Automated evidence collection through [integrations_count] integrations
  • Risk remediation powered by AI-generated code snippets
  • Pre-built policy templates with a built-in customisation tool
  • End-to-end audit support
  • Public trust centers for one-click demonstrability

In complex compliance environments, Vanta can leverage the cross-mapping feature to map overlapping controls across relevant security frameworks, reducing duplicate effort.

Schedule a custom demo to explore how Vanta can support the compliance requirements for your region.
