The UK’s Cyber Governance Code of Practice, published in 2025, sets out five principles for boards: risk management, strategy, people, incident response, and assurance. It places cyber in the boardroom and makes directors personally accountable, but stops short of embedding duties in company law. While clear and structured, the Code lacks incentives, SME pathways, and professional recognition — making uptake uncertain.
Introduction
In January 2024, the Department for Science, Innovation and Technology (DSIT) opened its consultation on a proposed Cyber Governance Code of Practice. The ambition was clear: to make directors accountable for cyber resilience in the same way they are accountable for financial integrity or health and safety.
Twelve months on, the final Code of Practice has now been published (2025). It sets out what boards must do, how they should oversee cyber risk, and where the boundaries of accountability lie.
This article provides a clear explainer of the Code as published, with reflections on where it delivers, where it falls short, and what it means for boards and directors across the UK.
The Five Principles
At its core, the Code is organised around five principles — the same structure as the consultation. Each principle is broken into specific actions that boards are expected to oversee.
1. Risk Management
Boards must:
- Identify and prioritise critical assets and processes.
- Integrate cyber into enterprise risk management.
- Define cyber risk appetite and ensure plans exist to keep risk within it.
- Gain assurance that suppliers are routinely assessed and resilient.
- Ensure risk assessments are conducted regularly, taking account of changes in organisation, regulation, or threat landscape.
In other words, cyber is now framed as a first-class enterprise risk — no longer the preserve of the IT department.
2. Strategy
Boards must:
- Ensure there is a cyber strategy aligned to organisational strategy.
- Verify the strategy aligns with risk appetite and regulatory obligations.
- Allocate resources proportionately to agreed risks.
- Monitor delivery against outcomes.
This principle cements cyber as a strategic enabler and constraint. It is no longer an operational afterthought.
3. People
Boards must:
- Promote a cyber security culture that drives positive behaviours.
- Ensure policies exist to support that culture.
- Undertake personal cyber literacy training at board level.
- Gain assurance, with metrics, that training and awareness programmes are effective.
This is one of the most striking inclusions: the Code expects directors themselves to become cyber-literate actors, not just passive overseers. The burden of accountability is personal.
4. Incident Planning, Response and Recovery
Boards must:
- Ensure an incident response plan exists for critical assets.
- Verify the plan is exercised annually, with internal and external stakeholders.
- Take responsibility for regulatory obligations and critical communications during an incident.
- Ensure post-incident reviews feed back into risk assessments and response plans.
The message is blunt: cyber incidents are inevitable, and boards must treat them as core governance responsibilities, not “technical fires” delegated to IT.
5. Assurance and Oversight
Boards must:
- Establish a governance structure with clear executive and non-executive ownership of cyber.
- Require quarterly reporting, with tolerances linked to risk appetite.
- Maintain dialogue with senior executives, including CISOs.
- Integrate cyber into audits and assurance mechanisms.
- Ensure awareness of regulatory obligations and related Codes of Practice.
This is where accountability bites: cyber governance is to be reported, measured, and audited, not left to informal briefings.
Resources and Support
The Code does not stand alone. It is explicitly underpinned by:
- Cyber Governance Training: designed for directors to build literacy and confidence.
- NCSC Cyber Security Toolkit for Boards: practical resources, questions for the board, and sector guidance.
The government has also signalled that the Code is the foundational element in a broader suite of cyber codes of practice, including codes for software security and AI cyber security.
Who It Applies To
The Code is primarily designed for medium and large organisations. But DSIT and NCSC are clear that SMEs — which underpin supply chains and the wider economy — should apply the principles proportionately.
This proportionality is welcome, but it is also a risk: without clear SME-specific pathways, boards in smaller organisations may view the Code as aspirational rather than actionable.
Strengths of the Final Code
- Clarity of structure: The five principles and associated actions are easy to follow, making the Code board-friendly.
- Personal responsibility: Directors are expected to be cyber-literate and accountable — a cultural shift.
- Integration with governance: Cyber is explicitly placed alongside other enterprise risks.
- Supply chain oversight: The requirement to assess suppliers is unambiguous.
Gaps and Limitations
- No legal teeth (yet): Despite early signalling, the Code stops short of embedding cyber duties in company law. For now, it is voluntary guidance.
- No incentive mechanisms: Tax relief, insurance benefits, or procurement levers — all absent. Uptake will rely on goodwill and reputational pressure.
- Professional recognition missing: The IET’s call for professionalising cyber practitioners did not translate into the Code. Training is offered, but not formal recognition.
- SME proportionality underdeveloped: SMEs are acknowledged, but the “how” is thin. Without tailored support, many will remain excluded.
- Tool overload ignored: The Code does not tackle the practical reality of boards drowning in security metrics and dashboards.
Conclusion
The Cyber Governance Code of Practice (2024/25) is a significant step forward. It places cyber risk firmly in the boardroom, frames directors as personally accountable, and offers a structured framework for action.
But it remains guidance, not law. Without incentives, professional recognition, and SME-specific pathways, the risk is that uptake will be patchy and uneven.
For boards that take it seriously, the Code provides a valuable blueprint. For government, it is a foundation — but only the first step towards embedding cyber governance as a core element of corporate accountability.
In the next article, I will compare the practitioner response, the IET’s institutional framing, and the final Code — and ask the central question: did we influence the thinking?