essential to strengthen readiness and improve response effectiveness under pressure.
Educate key leaders on compliance
Cybersecurity oversight must come from the top. Yet board-level responsibility for cyber has been steadily declining, from 38% in 2021 to just 27% in 2025. This downward trend is at odds with the direction of the new legislation, which places significantly greater accountability on senior leadership.
To meet these expectations, key decision-makers must be fully informed about the regulatory landscape, the organisation's exposure and their roles in ensuring cyber resilience. Re-engaging leadership is essential to build a culture of accountability, readiness and proactive risk management.
Review supplier contracts
The bill makes supply chain vigilance a board-level issue. Failure to comply with its two-stage incident reporting can expose organisations financially, so prime contractors need watertight language that obligates third parties to raise the alarm and co-operate with any subsequent investigation. Yet most UK firms are starting from a low base, with only 14% of businesses formally assessing the cyber risk posed by their immediate suppliers.
Contracts therefore need to move beyond generic 'reasonable endeavours' wording. In practice, that means inserting a mandatory 24- to 72-hour breach notification clause that extends to all subcontractors, and mandating evidence of control maturity through certifications such as ISO 27001 or Cyber Essentials Plus.
Contractors should also be required to maintain an up-to-date Software Bill of Materials (SBOM) and clear timelines for applying patches, and businesses should hold the contractual right to carry out annual security audits and forensic investigations at no additional cost.
Together, these measures give regulated organisations meaningful oversight of third-party resilience, along with the documentation regulators are likely to demand after a breach.
Finally, international firms should also align their contract language with NIS2-style obligations already live in the EU. This ensures that a breach at a single supplier triggers a unified incident response across jurisdictions. Framing these updates as commercial value-adds rather than compliance hurdles often helps reduce pushback and speeds up contract execution, particularly with managed service providers, who now sit firmly within the scope of the new rules.
Develop resilience and recovery plans
The bill mandates that businesses develop and maintain comprehensive resilience and recovery plans. These plans should detail how businesses will respond to and recover from cyber incidents, ensuring minimal disruption to operations and swift restoration of services.
Invest in training for all employees
Staff training is the most common preventative measure adopted following a cyber breach in 2025, employed by 32% of businesses. While this is a positive sign, businesses need to be more proactive in equipping employees with the skills to navigate a cyber breach before one occurs.
IT professionals should keep their security certifications up to date and practise through hands-on training. For example, hands-on labs and sandboxes are vital for gaining real-time experience in identifying and defending against simulated attacks.
Businesses should not underestimate the importance of non-technical employees having a basic understanding of their role in preventing phishing, social engineering and other cyber threats. In fact, phishing attacks are the most prevalent and disruptive type of cyber breach, and they target individuals regardless of their role or seniority. Building a strong first line of defence starts with empowering every employee to spot and stop threats before they escalate.
Final words
The new regulations mark a shift from optional to mandatory when it comes to cybersecurity standards. But they also offer a strategic opportunity. Businesses that invest now will be more resilient, more trusted and better positioned to outpace cyber threats.