10 Nov 2025
4 minutes read

The latest governmental and regulatory cyber security advice

During September and October 2025, the UK government, National Cyber Security Centre and Information Commissioner’s Office all issued new guidance on how to guard against cyber attacks.

This article summarises that guidance and explains who it is most relevant to.

The government’s advice to large companies (including all the FTSE250)

FTSE250 CEOs (and a selection of leaders at other large UK companies) received a letter from the government on 13 October entitled “Making cyber security a board responsibility”. The letter makes three specific requests, which it says will have an immediate positive effect on resilience to cyber attacks:

1. Make cyber risk a board-level priority using the Cyber Governance Code of Practice

  1. The Code of Practice sets out 22 actions that company Boards and directors should take to govern cyber-risk effectively.
  2. The Code is supported by free cyber governance training, which board members are encouraged to complete.

The government’s letter stresses that not all cyber attacks can be prevented, and so it’s incumbent on boards and directors to have a plan for how to continue operations and rebuild following a destructive cyber incident.

2. Sign up to the National Cyber Security Centre (NCSC) Early Warning service

Early Warning does what it says on the tin: it alerts organisations to potential cyber attacks on their networks. You can sign up by providing some basic details about your company and nominating a person or people to receive the alerts.

This service is something akin to a cyber security weather forecast. It will alert you to a hurricane coming your way – buying you valuable time to take steps to mitigate any damage. It will also alert you to more low-grade problems, allowing you to fix the roof while the sun is shining.

Early Warning is relevant both to large companies and to their suppliers, both of whom are “strongly advise[d]… to register for this free and simple service”.

3. Require Cyber Essentials in your supply chain

Cyber Essentials is a government-backed certification scheme that helps keep your data safe from cyber attacks. The letter claims that organisations with Cyber Essentials are 92% less likely to make a claim on their cyber insurance than organisations without it. This is a striking statistic which, if even close to true, justifies the government’s request that large companies embed the Cyber Essentials requirements across their supply chain. A bit like exercise: if it were a pill, all doctors would prescribe it.

The National Cyber Security Centre’s Cyber Action Toolkit

The NCSC Cyber Action Toolkit, published on 14 October, says that it “turns cyber security protection into simple, achievable steps for businesses, with straightforward actions tailored to business size and needs... focusing on high-impact, low-effort actions first.”

The Toolkit is aimed primarily at small businesses of no more than 50 people. Businesses larger than that are signposted in the first instance towards the Cyber Essentials certification.

The Information Commissioner’s Office guidance

In September, the ICO offered up 11 tips on cyber security, which are aimed at small businesses, but broadly relevant as a reminder of the basics:

  1. Back up your data regularly.
  2. Use strong passwords and multi-factor authentication.
  3. Be aware of your surroundings (be conscious of what you say and what documents are open on your screen when in public).
  4. Be wary of suspicious emails.
  5. Install anti-virus and malware protection and keep it up to date.
  6. Protect your device when it’s unattended.
  7. Use a secure Wi-Fi connection (and consider using a VPN on a public network).
  8. Put access controls in place for different types of information within your organisation.
  9. Ensure that tabs are closed before sharing your screen in a virtual meeting.
  10. Don’t keep data for longer than you need it.
  11. Dispose of old IT equipment and records securely.

After a year of high-profile headlines involving some household-name brands, most businesses now perceive cyber attacks as a serious problem. The next step is working out specifically what your business needs to do about it. We all have limited time and attention in the day. In that context, the spate of official guidance on how to defend against and respond to a cyber attack is welcome, particularly the Cyber Action Toolkit, which offers specific, actionable recommendations that meet businesses where they are in their cyber security maturity journey.

How can we help?

Mills & Reeve’s information technology and data lawyers can help you assess data and cyber security risks in your business and build appropriate provisions into your contracts. Our data and cyber, insurance disputes and reputation management teams can help to fight your corner when a cyber hurricane makes landfall.

You can also read our cyber security report, Defensive lines, which serves as a powerful reminder of the scale of the threat and the serious impact cyber attacks can have on businesses.
