UK Imposes Stiff Fines for Firms Failing to Comply with Cyber Security Rules
12 Nov
Summary
- UK government to grant regulators power to fine companies up to 4% of annual turnover for cyber security breaches
- Estimated £15 billion annual cost of cyber attacks in the UK
- New regulations to expand scope of companies covered, require attack reporting within 24 hours

On November 12, 2025, the British government announced plans to grant regulators expanded authority to impose hefty fines on companies that fail to comply with new cyber security regulations. The upcoming cyber security and resilience bill will empower sector regulators to levy penalties of up to 4% of a company's annual turnover, or £17 million, whichever is higher, if they do not adhere to the rules.
These new measures come as the government estimates that cyber attacks are now costing the UK nearly £15 billion each year. The regulations will require companies in sectors such as healthcare, IT services, and data centers to report significant cyber incidents within 24 hours and deliver a full incident report within 72 hours. Firms will also have to meet security standards based on the National Cyber Security Centre's Cyber Assessment Framework.
Regulators will be able to impose the fines as a "last resort" if companies do not comply with the new rules. However, the legislation will not cover all businesses: it excludes retailers and other companies not deemed critical infrastructure. The government has nonetheless encouraged all companies to prioritize cyber resilience, urging boards to discuss appropriate security measures.