
The New NCSC Cyber Governance Code of Practice for UK Boards

What The Guidance Means for UK Boards

On 8 April 2025, the UK Government released a draft Cyber Governance Code of Practice – designed to help boards and directors better understand and manage their cyber security responsibilities.

Developed jointly by the Department for Science, Innovation and Technology (DSIT) and the National Cyber Security Centre (NCSC), the Code offers a clear and accessible framework for leadership teams to embed cyber resilience at the heart of their organisations.


What is the Cyber Governance Code of Practice?

The Code outlines five key principles for cyber governance:

  • Risk Management – Integrating cyber risk into overall business risk management.

  • Cyber Strategy – Setting direction and allocating appropriate resources.

  • People – Defining roles and responsibilities across the business.

  • Incident Planning – Being ready to respond and recover effectively.

  • Assurance & Oversight – Regularly reviewing controls and seeking external assurance.

In essence, the Code encourages boards to approach cyber risk with the same level of leadership and accountability as financial, legal, or operational risks.

These outcomes are intended to support informed decision-making, reduce risk, and ensure that cyber security is considered across business planning, operations, and investment.

Rather than being a checklist or compliance task, this is about building a resilient culture where cyber security becomes part of everyday governance.

Supporting Directors in an Evolving Threat Landscape

Cyber security is no longer just a technical concern — it’s a business-critical issue that boards need to lead from the top. This new Code encourages decision-makers to take a strategic, long-term view of cyber risk.

It’s especially aimed at non-cyber specialists, providing guidance in plain language to help directors ask the right questions, set priorities, and ensure the right structures are in place.

Why Adopting the Code is Beneficial for Boards

With cyber threats constantly evolving, adopting the Cyber Governance Code helps boards stay ahead by integrating cyber resilience into their organisation’s culture.

By following the Code, businesses not only prepare for emerging regulatory changes but also show a clear commitment to safeguarding their operations. This proactive approach can help build trust with stakeholders, enhance organisational resilience, and support long-term success.

Embracing the Code encourages boards to take a confident, informed stance on cyber risk, fostering a culture where cyber security is seen as a shared responsibility across the organisation.


How CyberLab Can Help

One of the clearest starting points for aligning with the Code is Cyber Essentials.

This government-backed certification helps organisations put in place key technical defences and prove they take cyber seriously. It’s also a powerful way to demonstrate board-level commitment to cyber risk, particularly under the Code’s principles of assurance and oversight. At CyberLab, we guide organisations through both Cyber Essentials and Cyber Essentials Plus certifications with expert support every step of the way.

Beyond Cyber Essentials, we also offer a range of services that support the broader aims of the Code:

  • Penetration Testing & Assurance
    Test the real-world resilience of your organisation. We deliver regular, detailed assessments to meet both internal and regulatory requirements.
  • Policy, Strategy & Board-Level Support
    Need help aligning with the Code? Our consultants support with governance frameworks, risk registers, incident planning, and more.
  • Supply Chain & Third-Party Risk Reviews
    Understand the risks introduced by suppliers and service providers – a growing concern under the new guidance.

Our team at CyberLab is here to help your organisation build a robust cyber governance framework, ensuring you’re not only compliant but also resilient against the evolving cyber threat landscape.

Aligning with NCSC Guidance: Our Posture Assessment

To help organisations effectively assess and improve their cyber governance, CyberLab offers a Posture Assessment service grounded in the NCSC’s Top 10 Cyber Security guidance. This assessment is designed to evaluate your organisation’s current cyber security practices, identifying areas of strength and opportunities for improvement.

By aligning with the NCSC’s recognised framework, our Posture Assessment provides clear, actionable recommendations that enable organisations to adopt best practices for risk management, incident response, and overall cyber resilience.

It’s a strategic tool that empowers boards to take proactive steps in securing their organisation while supporting compliance with emerging cyber governance standards.


Final Thoughts

The new Cyber Governance Code of Practice marks a significant step forward, emphasising that cyber governance is an essential responsibility for boards.

Rather than simply delegating cyber security, senior leaders are encouraged to actively engage, understand the risks, allocate resources, and foster a culture of resilience across the organisation.

If you need guidance on aligning with the new Code, CyberLab is here to support you.


Free Posture Assessment

Understand your security risks and how to fix them.

Take the first step to improving your cyber security posture, looking at ten key areas you and your organisation should focus on, backed by NCSC guidance.

Claim your free 30-minute guided posture assessment with a CyberLab expert.

Claim Free Consultation


Understanding the Digital Operational Resilience Act (DORA)

A Guide for UK Businesses

The Digital Operational Resilience Act (DORA) is a landmark regulation introduced by the European Union (EU) to bolster the cyber security and operational resilience of the financial sector.

Although DORA has been in effect since 17th January 2025, relatively little is still known about the new regulation and who it applies to. In this blog we cover what UK businesses and organisations need to know about DORA, its implications, and how to prepare.


What is DORA?

DORA is an EU regulation that aims to ensure that financial institutions and their critical ICT (Information and Communications Technology) providers can withstand, respond to, and recover from ICT-related disruptions.

It establishes uniform requirements for managing ICT risks, operational resilience, and incident reporting across the EU financial sector.

Key components of DORA include:

  • ICT risk management frameworks
  • Comprehensive incident reporting mechanisms
  • Regular operational resilience testing
  • Oversight of third-party ICT providers

For more details, visit the European Insurance and Occupational Pensions Authority (EIOPA) for an overview of DORA.


Who Does DORA Apply to?

DORA applies to a wide range of financial entities and their critical third-party ICT service providers operating in the EU. These include:

  • Banks, payment service providers, and investment firms.
  • Insurance and reinsurance companies.
  • Cryptocurrency service providers.
  • Critical third-party ICT providers offering services like cloud computing, data analytics, and cyber security solutions.

For UK-based businesses, DORA applies if:

  • You provide financial services or ICT solutions to EU-based clients.
  • You are a critical ICT service provider for EU financial institutions.


What Does DORA Mean for UK Businesses and Organisations?

Even post-Brexit, UK companies working with EU clients must comply with DORA to maintain business relationships. Here’s how it affects your organisation:

Enhanced Cyber Security Requirements

  • Implement robust ICT risk management frameworks to safeguard against disruptions and cyber threats.
  • Ensure the confidentiality, integrity, and availability of critical data and systems.

Incident Reporting Obligations

  • Develop mechanisms to detect, report, and manage ICT-related incidents that could impact EU clients.
  • Timely reporting to EU financial institutions and, in some cases, EU regulatory authorities is mandatory.

Operational Resilience Testing

  • Conduct regular testing, including advanced techniques like threat-led penetration testing (TLPT), to assess your resilience.

Third-Party Risk Management

  • Ensure contracts with EU clients align with DORA’s requirements for security and operational resilience.
  • Prepare for audits and performance reviews by EU financial entities.

Governance and Accountability

  • Designate roles or teams responsible for ICT risk management and resilience.
  • Maintain clear documentation and transparency to demonstrate compliance.

To better understand how DORA might impact ICT service providers, consider the CSO Online analysis on DORA and the cyber security skills gap.


DORA Penalties for Non-Compliance

Non-compliance with DORA can lead to severe consequences, including:

Fines and Financial Penalties

EU regulators may impose significant fines on organisations failing to meet DORA’s requirements. For financial entities, fines can reach up to 2% of their total annual worldwide turnover, and individuals may face fines up to €1,000,000. Critical third-party ICT providers could face fines as high as €5,000,000 or €500,000 for individuals. [Source: Grant Thornton]

Operational Restrictions

Critical ICT providers may face restrictions on their activities or lose contracts with EU clients if found non-compliant.

Reputational Damage

Publicised non-compliance can harm an organisation’s reputation, impacting client trust and future business opportunities.

Compliance is not only a regulatory requirement but also essential for maintaining trust and resilience in an interconnected financial ecosystem.


Guidance and Recommendations for Businesses and Organisations Affected by DORA

To stay compliant and competitive in the EU market, consider these steps:

1) Evaluate Your Exposure to DORA

Assess whether your organisation provides services to EU financial institutions or acts as a critical third-party ICT provider.

2) Strengthen ICT Risk Management

  • Review and update your cyber security policies, incident response plans, and resilience testing protocols.
  • Utilise a Managed Detection and Response solution, such as Sophos MDR, to monitor and protect your systems 24/7.
  • Leverage tools like encryption, access controls, and threat detection systems.

3) Engage in Regular Testing

  • Schedule operational resilience testing, including penetration testing, to identify vulnerabilities and improve response strategies.
  • Utilise threat detection systems for continuous threat and attack surface monitoring between scheduled penetration tests.

4) Update Contracts and Agreements

Align your service agreements with EU clients to reflect DORA-specific terms, including transparency on risk management and incident handling.

5) Monitor Regulatory Developments

Stay informed about DORA’s implementation timelines and guidance issued by EU authorities.

6) Seek Expert Advice

Collaborate with legal, regulatory, and cyber security experts to ensure compliance and address potential gaps.


Conclusion

DORA presents both challenges and opportunities for UK businesses serving EU clients. By proactively adopting its principles, organisations can enhance their cyber security posture, demonstrate operational resilience, and build stronger relationships with EU-based partners. Compliance with DORA is not just a regulatory necessity – it’s a competitive advantage in today’s interconnected financial ecosystem.



Cyber Essentials Funded Programme: Government Support for UK SMEs

Helping UK SMEs Strengthen Cyber Defences with Government Support

In today’s digital-first world, cyber threats are no longer a distant concern – they’re a daily reality. The UK government’s Cyber Essentials scheme offers a practical, affordable way for organisations to defend against the most common attacks.

Whether you’re a small business or a growing tech innovator, this funded programme helps you build a strong security foundation, earn customer trust, and unlock new opportunities – including eligibility for government contracts. And with CyberLab’s expert guidance, getting certified is simpler than ever.


What is Cyber Essentials?

Cyber Essentials is a government-backed initiative to help businesses protect against the most common cyber threats. Since its launch in 2014, over 120,000 certificates have been awarded to businesses of all sizes across the country.

According to the UK government, obtaining Cyber Essentials certification protects your organisation from approximately 80% of cyber-attacks, demonstrating a strong commitment to cyber security and data protection to customers and stakeholders. This certification enhances your organisation’s reputation, increases the likelihood of securing new business, and enables you to bid for and win UK government contracts. By ensuring that robust cyber security measures are in place, Cyber Essentials provides the peace of mind needed to focus on your core business objectives.

Cyber Essentials Plus

Cyber Essentials Plus is the next step in your cyber security journey – an advanced government-backed initiative for businesses looking to take extra measures to protect against common cyber threats.

Around a quarter of businesses who take the Cyber Essentials certification go on to achieve Cyber Essentials Plus.


What is the funded Cyber Essentials Programme?

Every business today faces the risk of a cyber attack, but some organisations are particularly vulnerable. This could be because they handle sensitive information about the people they work with or are seen as easier targets by cyber criminals.

To help those most at risk, the NCSC is rolling out a Funded Cyber Essentials Programme. This programme is aimed at supporting vulnerable organisations by helping them implement basic security measures to protect against the most common types of cyber attacks.

How Does it Work?

The programme offers practical support from an Advisor to help your organisation achieve Cyber Essentials Plus, at no cost to the organisation. However, if the Advisor recommends any extra software or hardware, those costs won’t be covered.

If you qualify, you’ll get around 20 hours of remote support with an Advisor. They’ll spend this time working with you to identify and implement improvements that suit your organisation’s size and needs, guiding you through the five Cyber Essentials technical controls. After that, there will be a hands-on technical check to make sure everything is in place.

If it turns out that achieving Cyber Essentials Plus isn’t possible, the Advisor will help you implement as many of the controls as you can and provide a clear list of what else needs to be done to get compliant. This scheme is designed to walk you through the technical controls required for Cyber Essentials certification, leading up to the Cyber Essentials Plus audit. No previous cybersecurity certification or experience is needed.

Who is Eligible for Support?

To qualify for this scheme, a company must be a micro or small business (1 to 49 employees) registered in the UK and working on:

  • The development of fundamental Artificial Intelligence (AI) technologies, OR the innovative application of Artificial Intelligence technologies in the following sectors: Public safety and health, Defence and security.
  • The development of novel Quantum technologies.
  • The design, development or manufacturing of semiconductors / semiconductor IP blocks.
  • The development of Engineering Biology or Synthetic Biology.

AND meet the following criteria:

  • Has not previously participated in the NCSC Funded Cyber Essentials Programme
  • Does not currently hold Cyber Essentials Plus (CE+) certification, has not been awarded CE+ certification since January 2023 and is not currently in the process of applying for CE+ certification


How CyberLab Can Help

As an IASME approved assessor, CyberLab is not only authorised to assess against the scheme, but also able to support your organisation to achieve certification.

Not only are we authorised Cyber Essentials assessors, we are also able to provide bespoke consultancy services to assist your team in meeting and maintaining the high standard of security required.

With our expert advice, you’ll pass first time.
