Regulators are tightening the screws on cyber risk

Cyber regulation is here and growing

The message to businesses is clear: prevention isn’t optional

In the second half of 2025, cyber regulation is a reality every business must deal with. The past year has seen:

• The EU’s NIS2 Directive go live expanding mandatory security and reporting obligations, breaches will become public faster.
• The SEC’s cyber disclosure rules take effect with growing enforcement activity in 2025
• UK regulators increasing scrutiny of critical sectors’ resilience, despite the UK not being directly bound by NIS2

Even if a UK-based business doesn’t operate in the EU or US, if it serves clients who do—or relies on suppliers who do—it can still be impacted by these regulations.

Business who don’t should now benchmark themselves against these expectations—as clients, suppliers, and investors start to demand it.

Organisations must start to look to :

• Implement robust cyber risk management
• Report incidents within 24 hours (preliminary) and 1 month (full report)
• Conduct supply chain due diligence

Fines of up to 10% of global annual turnover for non-compliance could be faced.

Cyber insurance protection is no longer a niche concern—it should be central to business resilience.