UK Imposes Stiff Fines for Firms Failing to Comply with Cyber Security Rules
12 Nov
Summary
- UK government to grant regulators power to fine companies up to 4% of annual turnover for cyber security breaches
- Estimated £15 billion annual cost of cyber attacks in the UK
- New regulations to expand scope of companies covered, require attack reporting within 24 hours

On November 12, 2025, the British government announced plans to grant regulators expanded authority to impose hefty fines on companies that fail to comply with new cyber security regulations. The upcoming cyber security and resilience bill will empower sector regulators to levy penalties of up to 4% of a company's annual turnover or £17 million, whichever is higher, on firms that do not adhere to the rules.
These new measures come as the government estimates that cyber attacks are now costing the UK nearly £15 billion each year. The regulations will require companies in sectors such as healthcare, IT services, and data centers to report significant cyber incidents within 24 hours and deliver a full incident report within 72 hours. Firms will also have to meet security standards based on the National Cyber Security Centre's Cyber Assessment Framework.