2025 Cybersecurity Compliance Guide: UK and EU Regulatory Landscape
UK and EU cybersecurity regulations are evolving rapidly in 2025. This guide covers the key frameworks — NIS2, DORA, the UK Cyber Security and Resilience Bill, Cyber Essentials and UK GDPR — explaining what each requires, which businesses are in scope and the practical steps needed to achieve compliance.
Matt Cannon
Managing Director
Why the Regulatory Landscape Is Changing
Cybersecurity regulation is no longer solely the concern of critical national infrastructure operators. The escalating frequency and severity of cyber incidents — including supply chain attacks, ransomware against healthcare and education, and state-sponsored intrusions — have driven legislators in both the UK and EU to extend mandatory cybersecurity requirements to a much wider set of organisations.
For UK businesses, particularly those that trade with the EU, serve public sector clients or operate in regulated sectors, understanding which frameworks apply and what they require has become a board-level compliance matter, not just an IT concern.
UK GDPR and the Data Protection Act 2018
UK GDPR's Article 32 security requirement remains foundational for any organisation processing personal data. The requirement to implement appropriate technical and organisational measures — including encryption, access controls, incident detection and response — applies to virtually every UK business.
The ICO's enforcement activity in 2024–2025 has increasingly focused on inadequate security measures leading to breaches: organisations using shared passwords, lacking MFA, failing to patch known vulnerabilities or storing personal data on unencrypted devices. The average UK data breach cost reached £3.4 million in 2024, with regulatory penalties and reputational damage compounding recovery costs.
Cyber Essentials and Cyber Essentials Plus
The NCSC's Cyber Essentials scheme defines five technical controls that address the most common cyber attack vectors:
- Firewalls and internet gateways configured to block unnecessary inbound connections
- Secure configuration — removing default accounts, disabling unnecessary services
- User access control — least privilege, MFA for privileged and remote accounts
- Malware protection — anti-malware software or application allowlisting
- Patch management — critical and high-severity patches applied within 14 days
Cyber Essentials certification is mandatory for suppliers bidding on UK government contracts involving handling of personal information or certain technical services. Cyber Essentials Plus includes independent technical verification testing, providing a higher assurance level. Certification costs typically range from £300–£500 for Cyber Essentials and £1,500–£3,000 for Cyber Essentials Plus, depending on organisation size and certification body.
NIS2 (EU Network and Information Security Directive 2)
NIS2 replaced the original NIS Directive in EU member states (transposition deadline 17 October 2024), significantly expanding the scope of organisations subject to mandatory cybersecurity requirements. The scope expansion is notable: NIS2 now covers 18 sectors including manufacturing, food production, postal services and digital infrastructure, in addition to the original critical sectors, and applies size thresholds so that most medium and large entities in those sectors are caught.
Does NIS2 apply to UK businesses? UK-only businesses are not directly subject to NIS2. However, UK businesses that:
- Have EU-based subsidiaries or operations
- Supply services to EU organisations in scope of NIS2
- Are required by EU-based clients to comply with NIS2 requirements contractually
...may face practical NIS2 requirements through contractual flow-down, because in-scope EU entities must manage the security of their own supply chain and will push those obligations onto suppliers. If you have material EU client or partner relationships, assessing where you sit in their supply chain relative to NIS2 is worthwhile.
NIS2 requirements include: governance accountability (management bodies are personally responsible for approving and overseeing risk management measures), risk management measures, supply chain security, staged incident reporting to the competent authority or CSIRT (an early warning within 24 hours of becoming aware of a significant incident, a fuller incident notification within 72 hours, and a final report within one month), and business continuity measures.
DORA (Digital Operational Resilience Act)
DORA is EU legislation that entered into force in January 2023 and has applied since 17 January 2025. It covers financial entities operating in the EU and the ICT (information and communications technology) service providers that support them, establishing mandatory requirements for ICT risk management, incident classification and reporting, digital operational resilience testing (including threat-led penetration testing for larger entities) and third-party ICT provider oversight, including mandatory contractual terms with those providers.
Impact for UK businesses: UK financial services firms and ICT providers that supply EU financial entities are subject to DORA's requirements through their EU client relationships. UK MSPs and IT service providers supplying EU banks, insurers or investment firms must ensure their services meet DORA's technical and contractual requirements.
UK Cyber Security and Resilience Bill
The UK government's Cyber Security and Resilience Bill, progressing through Parliament in 2025, is the UK's response to the expanded scope of NIS2. It is intended to update the existing NIS Regulations 2018, extending mandatory cybersecurity requirements to a wider set of digital and managed service providers and regulated sectors, introducing new incident reporting obligations and strengthening the powers of the sector regulators that enforce the regime.
Key anticipated provisions include expanded sector coverage, mandatory incident reporting within defined timeframes, and new supply chain security requirements. UK businesses in digital services, managed services and regulated sectors should monitor the Bill's progress and begin preparing for its requirements — the compliance timeline following Royal Assent is likely to be 12–18 months.
Practical Compliance Roadmap for UK SMEs
For most UK SMEs, a practical compliance approach addresses the most impactful requirements first:
- Cyber Essentials certification: Provides foundational evidence of technical hygiene, satisfies government procurement requirements and demonstrates baseline compliance for client audits.
- UK GDPR Article 32 technical controls: MFA, encryption, patch management, access control review and incident detection — many of these overlap with Cyber Essentials.
- Incident response plan: Document a process for detecting, responding to and reporting cyber incidents — required under UK GDPR, NIS2 (for in-scope organisations) and anticipated under the Resilience Bill.
- Supply chain security review: Assess the security posture of your IT and software suppliers — required under NIS2 and anticipated under the Resilience Bill.
- Board engagement: Cybersecurity governance requires board-level accountability under NIS2 and the anticipated Resilience Bill. Board-level risk awareness and regular security reporting should be established.
Where Do You Stand on Cybersecurity Compliance?
AMVIA provides a compliance gap assessment covering Cyber Essentials, UK GDPR and relevant sector regulations — giving you a clear picture of your current position and a prioritised remediation plan.
Frequently Asked Questions
Does NIS2 apply to UK businesses?
UK-only businesses are not directly subject to NIS2. However, UK businesses with EU subsidiaries, operations or clients in NIS2-regulated sectors may face NIS2 requirements through contractual obligations or by virtue of being a critical supplier to an EU entity in scope. UK businesses should assess their EU supply chain exposure and consider whether NIS2-equivalent controls are appropriate.
Is Cyber Essentials a legal requirement?
Cyber Essentials is mandatory for UK government contract suppliers handling personal information or delivering certain technical services. It is not a general legal requirement. However, the Cyber Essentials framework represents a practical baseline for the technical controls expected under UK GDPR Article 32 and is increasingly requested by large private sector clients and cyber insurance underwriters.
What is the difference between Cyber Essentials and Cyber Essentials Plus?
Both certifications verify the same five technical controls, but through different methods. Cyber Essentials is self-assessed via a questionnaire reviewed by a certification body. Cyber Essentials Plus includes independent technical testing — an external assessor verifies the controls are correctly implemented through vulnerability scans, configuration checks and endpoint testing. CE Plus provides higher assurance and is required by some government procurement frameworks. 55,995 Cyber Essentials certificates were awarded in the year January–December 2025: 42,288 at CE level and 13,707 at CE Plus (source: UK Government).
What will the Cyber Security and Resilience Bill require?
The Resilience Bill's final provisions are subject to the parliamentary process, but its stated objectives include expanding the scope of mandatory cybersecurity requirements beyond the current NIS Regulations, introducing mandatory incident reporting within defined timeframes, extending requirements to digital service providers and managed IT service providers, and strengthening supply chain security obligations. Businesses should monitor the Bill's progress and treat its anticipated requirements as a planning framework.
Does DORA apply to UK businesses?
DORA applies directly to financial entities operating in the EU and, through them, to the ICT third-party service providers they use. UK-based MSPs, cloud providers or IT service companies that supply EU financial entities are ICT third-party providers under DORA, and their EU clients must impose DORA's contractual requirements on them: defined service levels, audit and access rights, incident notification obligations, participation in resilience testing and exit provisions. Only a small number of providers will be formally designated as Critical ICT Third-Party Service Providers (CTPPs) by the European Supervisory Authorities and brought under direct oversight; most UK providers will instead meet DORA through their client contracts.
Related Reading
UK Cyber Security and Resilience Bill | Business Guide
A complete guide to what the UK Cyber Security and Resilience Bill means for businesses and how to prepare.
UK Cybersecurity Guide for SMEs | Practical Steps
Practical cybersecurity steps for UK SMEs that address the most common compliance requirements.
Data Protection & Privacy | UK GDPR Guide for Businesses
UK GDPR requirements in detail — the foundational data protection compliance framework for UK businesses.