DSIT cyber security newsletter - December 2025
Published 18 December 2025
1. Director’s message
While there have been many successes since our last update, probably the most anticipated has been the introduction of the Cyber Security and Resilience Bill to Parliament in November. This was preceded by months (and years!) of hard work by the Bill team, policy officials across DSIT and government, and a wide range of industry colleagues. The Bill is a key milestone in our goal to make the UK economy more secure, resilient and prosperous.
The need for the Bill - and the measures it proposes - are clear, particularly considering the large scale cyber attacks we have seen this year and the growing frequency of cyber-related incidents.
To support improved cyber resilience across the wider economy, our Secretary of State, along with other ministers and security chiefs, has written to the UK’s leading companies, as well as to small businesses, urging them to take action on cyber security.
Talking of ministers, we have a new lead minister on cyber security, Baroness Liz Lloyd, and you can read more about what she has been doing below.
You can also respond to our survey for cyber security companies about AI and software security – see below for details.
Finally, I want to say thank you to everyone in the cyber security sector who has worked so hard this year, both in their day jobs and in engaging with government. It has not been a year without challenges. But we end the year with a positive outlook and many positive things to look forward to, including a new National Cyber Action Plan and further robust government action to help protect and grow the economy in future.
Thank you for your continued support and engagement. I wish you all a good festive break with your family and friends.
Irfan Hemani
Deputy Director, Cyber Security
2. Cyber Security and Resilience Bill introduced to Parliament
The government has announced tough new laws to strengthen the UK’s defences against cyber attacks on the NHS, transport and energy.
The Cyber Security and Resilience Bill was published on 12 November 2025 for its first reading in Parliament. The Bill will strengthen UK cyber defences and protect the essential services the public rely on. The Bill builds on the existing NIS regulations which cover organisations delivering essential services in health, transport, energy, water, digital infrastructure and some digital services.
Key measures include:
- Managed service providers, data centres, large load controllers and critical suppliers will be brought into the scope of legislation, meaning they will need to have robust cyber defences in place
- Cyber regulators will be more effective, with increased powers and more incident reporting
- Government will have new powers to update the law in response to new cyber threats.
The second reading of the Bill (the debate stage in Parliament) will happen on Tuesday 6 January and will be available to be viewed on Parliament TV.
3. New research highlights significant cost of cyber attacks
To support the introduction of the Cyber Security and Resilience Bill, the government published a new collection of independent research quantifying the cost of cyber attacks across different parts of the economy.
The research estimates the average cost of a significant cyber attack for an individual business in the UK is almost £195,000. When scaled to an annual UK cost, this amounts to £14.7 billion, equivalent to 0.5% of the UK’s GDP. The research also details costs associated with the theft of intellectual property and knowledge-assets (between £1 billion and £8.5 billion), fraud linked to data breaches (£755 million per year) as well as impacts on consumers and the rail sector.
For further details, see the independent research on the cost of cyber attacks.
4. UK cyber security approach goes global
The UK is cementing its place as a global leader in cyber security, with a range of agreements coinciding with Singapore International Cyber Week in October. The UK’s Code of Practice on AI Cyber Security has been used to create a global ETSI standard (EN 304 223) on AI cyber security, while our product security laws are being recognised by international partners. In addition, Australia became the latest country to follow the UK in setting out a voluntary code of practice for app stores and developers, designed to closely mirror the UK’s own Code of Practice for App Stores.
For more information, see the press notice on global cyber standards.
5. Ministerial cyber letters having positive industry impact
In light of significant cyber incidents earlier in the year, the government wrote to leading UK companies in October with urgent advice to help ensure they are best protected against cyber threats. The letter set out three actions large businesses can take to improve their cyber resilience:
- Make cyber risk a Board-level priority by using the Cyber Governance Code of Practice
- Sign up to the National Cyber Security Centre’s Early Warning service
- Require Cyber Essentials in supply chains.
This letter was sent to all companies in the FTSE100 and FTSE250, as well as a number of other leading UK firms. Ministers and the National Cyber Security Centre also wrote to smaller businesses, which included highlighting the new free Cyber Action Toolkit to help SMEs protect against cyber threats.
These letters have seen an increase in engagement with cyber security tools, schemes and guidance, and the government will follow this up with further activity in the new year.
6. Cyber Essentials scheme growing at a record rate
The latest statistics show the government’s Cyber Essentials scheme is being adopted by ever-increasing numbers of businesses and organisations.
53,699 certificates have been awarded over the past year - an increase of 18% since last year and the highest amount to date - with 40,626 at Cyber Essentials level and 13,073 at Cyber Essentials Plus. The scheme is highly effective, with those organisations holding a Cyber Essentials certificate 92% less likely to make a claim on their cyber insurance.
For more information, see the Cyber Essentials quarterly statistics, the free resources to help promote the scheme and the new Playbook to help organisations embed Cyber Essentials in their supply chain.
7. New figures show increasing cyber security employment
The new cyber security skills in the UK labour market report was published on 19 September 2025, setting out cyber skills needs and job vacancies across the UK. The report found 143,000 people were employed in cyber security roles across the economy, a 5% increase on the previous year.
A high demand for skilled people remains. The cyber workforce gap stabilised at around 3,800 professionals, substantially down from 11,100 in the 2023 report. Around half of UK businesses (49%) reported a basic technical cyber security skills gap, while 30% reported gaps in more advanced technical areas.
Women made up just 17% of the cyber security workforce, falling to 12% in senior positions (6+ years of experience), compared with 48% female representation in the wider UK workforce.
For more information, see the Cyber security skills in the UK labour market report 2025.
8. TechFirst delivering new skills and opportunities
The government’s £187 million TechFirst programme announced in the summer is beginning to deliver new skills and opportunities for learners and young people. The CyberFirst bursary scheme has been in operation offering support for undergraduates pursuing cyber security degrees, helping to boost the number of skilled people entering the cyber profession.
The CyberFirst Girls Competition ran during November and December to inspire girls to consider cyber careers and test their cyber and tech skills against their peers. A big thanks to IBM for their support for the competition and congratulations to all the regional winning schools, which are listed on the CyberFirst website.
9. New cyber Minister Liz Lloyd speaks at techUK
Liz Lloyd – Baroness Lloyd of Effra – was appointed as Minister for the Digital Economy on 11 September 2025. Minister Lloyd has responsibility for cyber security as part of her portfolio and made her first speech on cyber security at a techUK event on 15 October. The speech sets out the government’s approach to cyber security and the importance of the UK cyber sector.
For more information, read Minister Lloyd’s speech at techUK.
10. Minister Lloyd visits Manchester to see NCC Group and DiSH
Minister Lloyd (right) meets Angela Brown of NCC Group.
To support the publication of the Cyber Security and Resilience Bill and to further the government’s ongoing regional engagement, Minister Lloyd visited the Manchester office of cyber security firm NCC Group on 13 November 2025.
Minister Lloyd said “it was fantastic to see first hand the great work they’re doing in cyber security as one of the UK’s leading cyber firms. NCC Group have done valuable work supporting on the Cyber Growth Action Plan and the development of the Cyber Security and Resilience Bill, which was just laid in Parliament.” “The Bill will strengthen our defences against cyber-attacks in critical national infrastructure. This will mean fewer cancelled NHS appointments, less disruption to local services, and a faster national response when threats emerge.”
Minister Lloyd also met founders and startups at the Greater Manchester Digital Security Hub (DiSH) to hear their views on the Bill and test drive technology being developed to boost cyber security.
11. Cyber Growth Partnership meets as industry engagement continues
The Cyber Growth Partnership – jointly chaired by Minister Lloyd and Julian David, CEO of techUK – met on 17 December 2025 to discuss ways to continue growing the UK cyber security sector. The group, which features representatives from large and small cyber and tech firms, discussed issues including investment, procurement and educational partnerships.
DSIT has also invited security professionals into the department recently to discuss and comment on policy, while a range of experts continue to advise the team and respond to consultations. A big thank you to all our industry partners who have worked with the government over the past year to provide insight and help shape policy.
12. Respond to our surveys on software security and AI security
If you work in a cyber security company providing products or services related to software or AI security, we would love to hear from you.
We have launched a new survey to map the UK’s AI and software cyber security services. This supports the AI Cyber Security Code of Practice and the Software Security Code of Practice launched earlier this year.
Organisations can participate by completing the online AI survey here or completing the software security survey here. You can also register your interest to receive a call back.
We are looking specifically for cyber security companies providing cyber security services or tools which relate to secure software development (e.g. testing tools, SCA - anything that can help their clients with software security).
Separately, we are interested in hearing insights on the implementation of software security practices themselves and are collecting evidence through a separate piece of research you can respond to here.
All information collected will be treated in strict confidence by Pye Tait Consulting and shared with the government only in anonymised, aggregated form.
New research and recent publications
- Adoption of cyber insurance by UK small and medium sized enterprises (Aug)
- Cyber risks of cloud computing in the ground segment of the space sector (Aug)
- Emerging technology pairings and their effects on cyber security (Aug)
- Securing converged technologies: insights from subject matter experts (Aug)
- Ministerial letter on cyber security to leading UK companies (Oct)
- Ministerial letter on cyber security to small businesses (Nov)
- Independent research on the economic impact of cyber attacks on the UK (Nov)
- Mapping IoT security publications on Enterprise IoT security (Dec)
For further information, visit the government’s cyber security page on gov.uk.