
Regulation predictions: Key UK legislation changes coming in 2026

Regulation is changing in 2026. Here are the key things UK firms should be aware of. 

Cybersecurity regulation is changing, driven by a need to be more robust in the face of increasingly sophisticated attacks. As 2026 kicks off, what are the key regulatory changes that will impact UK businesses?

Cyber Resilience Will Be Essential

One major piece of legislation expected in the coming year is the Cyber Security and Resilience Bill, which brings with it a new set of resilience requirements. As the Bill enters Parliament, cyber resilience will “stop being a compliance checkbox” and “become a board-level operational performance test that recognises people, ways of working and the technology needed to succeed,” says Dan Jones, senior security advisor at Tanium.

“The UK government is making it clear that ‘reasonable steps’ and after-the-fact reporting won’t fly in a world where one weak supplier can knock out hospitals, councils or entire supply chains, affecting the livelihoods of families and whole communities,” he says.

Over the next year, organisations that can’t prove continuous control of their environments will be “exposed to regulators, customers, and to reality,” he warns.

A key shift, which will not feature as one bill or regulation, is “the incorporation of demonstrable operational resilience into existing legal and regulatory frameworks,” adds Martin Davies, senior audit alliance manager at Drata. “Beyond having security policies in place, firms need systems and suppliers that can withstand disruption and recover within defined tolerances. This already exists as part of the Financial Services regulatory outlook (FCA's Operational Resilience PS21/3) and is likely to become a facet of regulatory requirements in broader sectors.”

More Companies Will Find Themselves In Scope Of Key Regulation 

As the Cyber Security and Resilience Bill comes into force, it brings with it mandatory adoption of the Cyber Assessment Framework across critical sectors. The scope of regulation expands as the definition of Relevant Managed Service Providers (MSPs) is broadened, placing more of these firms “directly in the regulatory spotlight,” says Jamie Akhtar, CEO and co-founder of CyberSmart. “This change introduces new duties around incident reporting, baseline security controls and formal assurance, meaning that both service providers and their customers must operate with far greater transparency and discipline.”

Supply Chain Risk in The Spotlight

In 2026, regulation will put supply chain risk under the spotlight, experts predict. Supply chain risk has become “hard to ignore,” says Akhtar. High-profile interventions such as the FTSE 350 cyber letter and the latest CSM v4 requirements for defence suppliers have “pushed the issue into the mainstream,” he says.

Large organisations now expect their upstream suppliers, including SMEs, to show that they have implemented basic controls and can maintain resilience in a “consistent and certifiable way,” according to Akhtar. “The bottom line is that we will see the emergence of a market that values demonstrable, continuous cyber competence over declarations of intent.”

The Cyber Security and Resilience Bill will introduce “tougher scrutiny of supply-chain security,” adds Sam Peters, chief product officer at IO. “It will require organisations to standardise supplier due diligence, risk scoring and ongoing monitoring across departments to avoid fragmented processes. Businesses will also need to link supplier controls directly to the organisation’s risk register and resilience expectations, and maintain continuous assurance evidence for high-risk suppliers rather than relying on one-off questionnaires.”

In 2026, third and fourth-party cybersecurity will come under even greater scrutiny, says Mike Smith, partner – security at TXP. “Companies that fail to meet required security levels risk losing business over the coming months as the risk for their customers is simply too high.”

Security initiatives, such as red teaming and penetration testing, and developing robust processes around reporting, “will be crucial for suppliers, ensuring their security standards stand up to external scrutiny,” he adds.

Accountability Requirements Put CISOs “In The Firing Line”

In 2026, legislation such as the UK’s Cyber Security and Resilience Bill will “radically reshape accountability for cyber breaches,” by expanding the definition of critical infrastructure and introducing mandatory 24-hour breach reporting, with escalating fines for non-compliance, says Mark Jow, technical evangelist EMEA at Gigamon.

This legal shift puts CISOs “directly in the firing line,” says Jow.

Ultimately, the legislation moves cyber resilience “decisively into the boardroom,” says Nigel Wilkinson, COO at Cyberfort. “It will no longer be credible for senior leaders to say cyber is ‘owned by IT.’ Regulators will expect clear accountability, informed oversight and proof that cyber resilience is treated like any other critical business risk.”

High-Profile Attacks Will Give The Cyber Security And Resilience Bill A Political Boost

The attacks of 2025, and the downtime that resulted from them, will inevitably make the Cyber Security and Resilience Bill a key focus in 2026, says Mike Upton, director of partnerships and ecosystem at e2e-assure. “Historically the attitude among critical organisations has been to hold back budget and deal with issues post-breach, with little understanding of how harmful or expensive an approach that can be.”

The Bill promises to change this by making critical organisations implement risk management and improve their cyber posture, he says. “While there are still aspects to be finalised, the requirements as they currently stand could still see some stakeholders baulk at the spend required to ensure compliance. If that happens, there will inevitably be a few sacrificial scapegoats to encourage other entities to fall into line.”

UK Government Could Introduce Regulatory Sandboxes for AI

In 2026, it is likely there will be developments in the UK government’s plans to introduce regulatory sandboxes for AI, says Kate Densiton, tech regulation lawyer at Bird & Bird. “In its consultation document on the sandboxes, it said evidence from pilots could lead to regulatory reforms, enabling UK businesses to adopt trusted AI. Having launched a consultation in late 2025, some legislation will be needed over the coming year to give the mandate, budget and scope for the conduct of the AI sandboxes.”

In the UK, it is still unclear what specific regulation will be implemented by the government covering AI. With so many aspects unresolved, there’s “a clear risk that AI usage by UK industry will be impacted by uncertainty,” says Densiton.

In-house lawyers must keep up to date on developments and decide how best to advise the business within the current environment, she says. “We expect the UK government to implement an incremental, narrow regulatory framework for AI in the UK, but clarity might not come until late 2026.”

Kate O'Flaherty, cybersecurity and privacy journalist
