Legislation Guide

A general overview of key cyber security legislation and regulatory frameworks affecting UK businesses.

We’ve put together this guide to help organisations understand their compliance obligations and implement best practices in data protection, system security, and operational resilience.

For each of the major pieces of legislation regulating cyber security, we highlight common pitfalls, the legal consequences of falling outside the rules, and a short checklist of actions to bring you back into compliance.

As cyber threats evolve, legislation continues to adapt, reinforcing the importance of robust data security practices across all sectors.

#1 GDPR & Data Protection Act 2018

Failure to comply with the UK GDPR and the Data Protection Act 2018, whether through weak technical protection of personal data, untrained staff, late breach notification or poor internal system security, can result in severe financial penalties.

The Information Commissioner’s Office (ICO) is the UK’s independent authority responsible for upholding information rights and enforcing data protection legislation, including the UK GDPR and the Data Protection Act 2018.

Scope

The EU GDPR took effect on 25 May 2018 and, after Brexit, was retained in domestic law as the UK GDPR (from 1 January 2021), which sits alongside the Data Protection Act 2018. It applies to any processing of personal data by organisations established in the UK, and to organisations outside the UK that offer goods or services to, or monitor the behaviour of, individuals in the UK.

Key Failures

  • Inadequate infrastructure protection
  • Lack of staff training
  • Delayed breach notification
  • Poor internal system security

Consequences

  • Tier 1 (higher maximum): up to £17.5 million or 4% of annual worldwide turnover, whichever is higher, for breaches of the core principles, individuals' rights or the international transfer rules (the EU GDPR equivalent is €20 million)
  • Tier 2 (standard maximum): up to £8.7 million or 2% of annual worldwide turnover, whichever is higher, for failures of controller and processor obligations such as security measures, record-keeping, DPIAs and breach notification (EU GDPR: €10 million)
  • ICO notification: a personal data breach must be reported to the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it, unless it is unlikely to result in a risk to individuals; where the risk is high, the affected individuals must also be told without undue delay. Telecoms and internet service providers have a separate 24-hour deadline for breaches under PECR

Compliance Checklist

  • Implement technical and organisational measures appropriate to the risk to secure personal data (encryption, access control, patching, backups)
  • Conduct regular staff training on data protection and breach response
  • Ensure breach notification procedures meet the 72-hour ICO requirement, and keep an internal record of every personal data breach, including those judged not to need reporting

#2 Data (Use and Access) Act 2025 (DUAA)

The Data (Use and Access) Act 2025 does not create a separate penalty regime: it amends the UK GDPR, the Data Protection Act 2018 and PECR, so breaches of its new or revised requirements attract the UK GDPR maxima of £17.5 million or 4% of annual worldwide turnover. It also raises the maximum fine under PECR from £500,000 to the same UK GDPR levels. Areas of particular exposure are automated decision-making, transparency of data sharing, and the ability to evidence how data is accessed and shared.

Scope

Received Royal Assent on 19 June 2025. It modernises and clarifies parts of UK data protection law, covering personal data and, through its smart data and digital verification provisions, some non-personal data, and is being brought into force in stages by commencement regulations.

Key Failures

  • Unclear lawful basis and safeguards for AI and automated decision-making
  • Lack of transparency in data sharing
  • Inadequate audit trails showing who accessed or shared data, and why

Consequences

  • Tier 1 (higher maximum): up to £17.5 million or 4% of annual worldwide turnover, whichever is higher, for breaches of the core principles (the EU GDPR equivalent is €20 million)
  • Tier 2 (standard maximum): up to £8.7 million or 2% of annual worldwide turnover, whichever is higher, for procedural failures (EU GDPR: €10 million)

Compliance Checklist

  • Update privacy notices and Data Protection Impact Assessments (DPIAs) to reflect DUAA requirements, in particular any automated decision-making
  • Maintain clear audit trails for all data access and sharing activities
  • Review contracts with data intermediaries and digital ID providers

#3 EU Network and Information Systems (NIS2) Directive

UK Cyber Security and Resilience Bill (2025 update)

The forthcoming UK Cyber Security and Resilience Bill, which updates the NIS Regulations 2018 along lines broadly comparable to the EU NIS2 Directive, will significantly heighten compliance demands once enacted.

Organisations must promptly address cyber hygiene, supply chain risks, and resilience planning. Non-compliance may incur severe financial penalties.

Scope

The EU NIS2 Directive entered into force on 16 January 2023, and member states were required to transpose it into national law by 17 October 2024. UK organisations are not directly within its scope, but those with EU operations or EU customers in covered sectors may be caught by member states' transposing laws.

NIS2 expanded the scope of its predecessor to more sectors and set stricter incident reporting deadlines (an early warning within 24 hours, a fuller notification within 72 hours, and a final report within one month). In the UK, the NIS Regulations 2018, which implemented the original NIS Directive, remain the law in force; the Cyber Security and Resilience Bill is intended to update them in response to evolving threats and to keep the UK framework broadly aligned with NIS2.

The government published a policy statement on the Bill in April 2025 and introduced it to Parliament in November 2025. It does not become law until it receives Royal Assent.

Key Failures

  • Inadequate cyber hygiene (for example, failure to patch known vulnerabilities)
  • Inadequate supply chain management specifically for high-impact suppliers
  • Poor resilience planning

Consequences

  • Under the current NIS Regulations 2018 the maximum penalty is £17 million. The Bill's policy statement proposes daily penalties for continuing breaches of up to £100,000 per day or 10% of daily turnover, whichever is higher; these figures remain proposals until the Bill is enacted

Compliance Checklist

  • Conduct regular cyber risk assessments and resilience testing
  • Implement incident detection and reporting mechanisms able to meet the regulator's deadlines (under NIS2, an initial notification within 24 hours)
  • Embed robust supply chain security requirements
  • Ensure compliance with sector-specific NIS guidance

#4 Computer Misuse Act 1990

The Computer Misuse Act 1990 is a criminal statute aimed at the person who gains unauthorised access to, or impairs, a computer system, not at the organisation that failed to stop them. It matters to organisations in two ways. First, clearly defined access rights determine what counts as "unauthorised", so vague policies weaken both prevention and any later prosecution. Second, an organisation's own staff or contractors can commit offences, for example by exceeding their authorisation, running security tests without written authority, or retaliating against an attacker. Penalties range from fines to imprisonment, with life imprisonment available for the gravest offences.

The Act is currently under review for reform, with proposals to modernise it for today’s threat landscape.

Scope

Came into force on 29 August 1990. It criminalises unauthorised access to computer material, unauthorised access with intent to commit further offences, and unauthorised acts that impair a computer or the data on it; later amendments (Police and Justice Act 2006, Serious Crime Act 2015) added offences covering hacking tools and acts causing serious damage.

Key Failures

  • Staff or contractors accessing systems or data beyond what they are authorised to do
  • External breaches made easier by poor access controls
  • Security testing carried out without explicit, written authorisation

Consequences

  • Unauthorised access to computer material (Section 1): up to two years' imprisonment and/or a fine
  • Unauthorised access with intent to commit or facilitate further offences (Section 2): up to five years' imprisonment and/or a fine
  • Unauthorised acts with intent to impair, or with recklessness as to impairing, the operation of a computer (Section 3): up to ten years' imprisonment and/or a fine
  • Unauthorised acts causing, or creating a significant risk of, serious damage (Section 3ZA): up to 14 years' imprisonment, rising to life imprisonment where the act causes serious damage to human welfare or to national security

Compliance Checklist

  • Enforce strict access controls and user authentication, and document who is authorised to access which systems
  • Monitor system logs for unauthorised activity
  • Obtain explicit written authorisation (scope, systems, dates) before any penetration test or red-team exercise
  • Educate staff on the legal consequences of misuse

#5 Digital Operational Resilience Act (DORA)

Organisations that do not meet the requirements of the Digital Operational Resilience Act (DORA), which has applied since 17 January 2025, may face regulatory sanctions, increased audit scrutiny, licence suspension, and fines.

Scope

EU regulation applying from 17 January 2025. It applies directly to financial entities authorised in the EU, including EU subsidiaries of UK groups. UK firms supplying ICT services to those entities are affected indirectly, because DORA requires its contractual terms to be flowed down to ICT providers, and a provider designated as critical can be brought under direct EU oversight. UK-only financial firms are not subject to DORA but face the comparable FCA and PRA operational resilience rules.

Key Failures

  • Lack of resilience testing
  • Failure to report ICT-related incidents
  • Inconsistent cross-border compliance

Consequences

  • Penalty levels for financial entities are set by the national competent authority in each member state rather than by DORA itself; for ICT third-party providers designated as critical, the Lead Overseer can impose periodic penalty payments of up to 1% of average daily worldwide turnover for up to six months
  • Regulatory sanctions such as licence suspension or mandatory corrective actions
  • Increased audit scrutiny

Compliance Checklist

  • ICT risk management: identify the ICT services you depend on, classify their criticality and assess the impact of their failure
  • Robust incident reporting to the competent authority within DORA's deadlines (initial notification within four hours of classifying an incident as major, and no later than 24 hours after becoming aware of it)
  • Operational resilience testing, including threat-led penetration testing where required

#6 Cyber Essentials, Cyber Essentials Plus & ISO/IEC 27001

Although non-statutory, failing to maintain Cyber Essentials, Cyber Essentials Plus or ISO/IEC 27001 certification can have significant contractual repercussions, including loss of contracts that require it, and invites closer regulatory scrutiny.

Scope

Not statutory, but Cyber Essentials is mandatory for many UK central government contracts that involve handling personal or sensitive information, and all three schemes are commonly required by customers and insurers. Cyber Essentials certification must be renewed annually; Cyber Essentials Plus adds an independent technical audit of the same controls; ISO/IEC 27001 is a certifiable information security management system standard audited by an accredited body.

Key Failures

  • Lack of patching and access controls
  • No formal training or awareness programme
  • Lack of internal auditing

Consequences

  • Loss of certification
  • Ineligibility for public-sector contracts that mandate Cyber Essentials
  • Reputational damage

Compliance Checklist

  • Maintain certification through regular audits and updates
  • Implement a formal information security training programme
  • Maintain an ISO/IEC 27001 Statement of Applicability that justifies which Annex A controls are implemented and which are excluded, and keep evidence that the controls operate

This list is not exhaustive and does not constitute legal advice. Readers should seek independent legal counsel to ensure compliance with applicable laws and regulations specific to their circumstances.

Watch: E-Commerce Law & Security Explained

In this episode of Tales From the CyberLab, Adam Myers is joined by Bridget Green from LegalEdge to break down the legal and cyber security challenges facing e-commerce businesses today – and how to stay ahead of them. You’ll learn:

  • Why PCI DSS compliance matters – and what non-compliance costs.
  • How to manage third-party risk through contracts and due diligence.
  • Legal, IT, and HR collaboration for effective incident response.


© 2026 HackRisk is a trading name of Cyberlab Consulting Limited (12392586) registered in England & Wales. 

Registered Office: Bridgford House, Heyes Lane, Alderley Edge, SK9 7JP.