Intelligent CIO Europe Issue 91 | Page 48

COUNTRY FOCUS: UNITED KINGDOM
72 hours for a full report. As it stands, only four in ten businesses report disruptive breaches outside of their organisation, meaning these new rules will place additional strain on already stretched cybersecurity teams. Adapting to these regulations will demand time, resources and operational change – making early preparation essential for avoiding penalties and ensuring readiness.
How to prepare
Despite rising threats, many businesses still lack the talent needed to respond quickly and effectively to attacks. According to research from the Chartered Management Institute (CMI), just 10% of managers say they have basic cyber knowledge, such as using secure passwords and identifying phishing attacks.
Similarly, Pluralsight research reveals that 45% of organisations say they don’t have the right people or skills in place to manage security risks effectively, and this isn’t a new issue: cybersecurity has been the number one technical skills gap since 2021.
Investing in cyber training isn’t just about avoiding fines, it’s about building resilience. Upskilling staff across all roles, from board members to front-line employees, helps embed cyber awareness into daily operations and decision-making.
Look at processes and procedures
Most organisations already have a data breach reporting procedure that meets GDPR reporting requirements. However, like NIS2, the bill’s proposed reporting obligations will introduce tighter deadlines and a wider scope of incidents.
To stay compliant, organisations should conduct a thorough security audit to ensure that their procedures are updated to reflect this. In addition, regular rehearsals of cybersecurity incident response – such as red team/blue team exercises – are essential to strengthen readiness and improve response effectiveness under pressure.
Educate key leaders on compliance
Cybersecurity oversight must come from the top. Yet board-level responsibility for cyber has been steadily declining, from 38% in 2021 to just 27% in 2025. This downward trend is at odds with the direction of the new legislation, which places significantly greater accountability on senior leadership.
To meet these expectations, key decision-makers must be fully informed about the regulatory landscape, the organisation’s exposure and their roles in ensuring cyber resilience. Re-engaging leadership is essential to build a culture of accountability, readiness and proactive risk management.
Review supplier contracts
The bill makes supply chain vigilance a board-level issue. Failure to comply with its two-stage incident reporting can expose organisations financially, so prime contractors need watertight language that obligates third parties to raise the alarm and cooperate with any subsequent investigation. Yet most UK firms are starting from a low base, with only 14% of businesses formally assessing the cyber-risk posed by their immediate suppliers.
Contracts therefore need to move beyond generic ‘reasonable endeavours’ wording. In practice, that means inserting a mandatory 24- to 72-hour breach notification clause that extends to all sub-contractors and mandating evidence of control maturity through certifications such as ISO 27001 or Cyber Essentials Plus.
Contractors should also be required to maintain an up-to-date Software Bill of Materials (SBOM) and clear timelines for applying patches, and businesses should hold the contractual right to carry out annual security audits and forensic investigations at no additional cost.
Together, these measures give regulated organisations meaningful oversight of third-party resilience, along with the documentation regulators are likely to demand after a breach.
Finally, international firms should also align their contract language with NIS2-style obligations already live in the EU. This ensures that a breach at a single