The cyber regulatory laws and regulations UK business owners need to be aware of

The UK Government’s Cyber Security Breaches Survey 2025 estimates there were 283,000 UK businesses affected by cybercrime in the past year - and for small businesses, navigating the complex landscape of cyber threats can be daunting and confusing. It’s never been more important for business owners to understand the laws and regulations, and how to mitigate potential risks.

There are currently four main laws and regulations that businesses need to be aware of when it comes to cyber security, which are detailed below.

The Data Protection Act 2018

The Data Protection Act 2018 (DPA) governs the processing of personal data in the UK, ensuring that organisations handle personal data lawfully and protect individuals' privacy rights. This act places significant responsibilities on businesses, with key requirements including:

• Businesses must have a lawful basis for processing personal data, which can include consent, contract, legal obligation, vital interests, public task, or legitimate interests.
• Individuals have enhanced rights under the DPA 2018, including the right to access, change, delete, restrict processing, and data portability.
• Data breaches must be reported to the Information Commissioner's Office (ICO) within 72 hours if they pose a risk to individuals' rights and freedoms.
• Data Protection Impact Assessments (DPIAs) are required for any processing that is likely to result in high risks to the individuals' rights.

Network and Information Systems Regulations 2018

The Network and Information Systems (NIS) Regulations require operators of essential services and digital service providers to ensure the security of their network and information systems, reducing the risks of cyber threats and disruptions to critical services. These regulations apply to operators of essential services (OES) and digital service providers (DSPs), which include:

• OES and DSPs must put appropriate security measures in place to manage the security risks of their networks and systems.
• OES and DSPs must report incidents that have a significant impact on any essential services to the relevant authorities.
• Capable authorities have the power to supervise and enforce NIS, including issuing penalties for non-compliance.

UK GDPR and EU GDPR

The UK GDPR and EU GDPR are comprehensive data protection regulations that set out rules and principles for the processing of personal data, aiming to safeguard individuals' rights and freedoms across the United Kingdom and the European Union. Prior to Brexit in 2020 the UK followed the EU GDPR regulations, but a UK version has since been created. Businesses that serve EU customers, however, will still need to comply with both. The requirements include:

• Businesses must demonstrate that they are compliant with data protection guidelines and are accountable for their processing activities.
• Certain businesses, such as those who process sensitive data on a large scale as a core function, are required to appoint a Data Protection Officer to oversee data protection activities and ensure compliance with the GDPR.
• The GDPR includes provisions for the transfer of personal data outside the European Economic Area (EEA), requiring appropriate safeguards to be in place.

Computer Misuse Act 1990

The Computer Misuse Act 1990 is legislation in the UK that criminalises unauthorised access to computer systems, unauthorised access with intent to commit further offences, and unauthorised modification of computer material. Key offenses under the act include:

• Gaining unauthorized access to computer materials, such as hacking into systems.
• Unauthorized access with the intent to commit further offenses, such as fraud or theft.
• Conducting unauthorized acts with the intent to impair the operation of computer systems or data, such as distributing malware.

To learn more about cybercrime, read our article the true extent of cybercrime on UK's small businesses.

Please note: This article provides guidance for information purposes only. It should not be relied upon wholly when making or taking important business decisions – always seek the services of an appropriately qualified professional. The views expressed by websites referenced to are limited to those of the websites, and do not necessarily reflect the views of Markel Direct.