From Consultation to Code Retrospective: Did We Influence the Outcome of the Cyber Governance Code of Practice?

This reflection examines the Cyber Governance Code of Practice as published in April 2025. It compares government output with practitioner and IET responses from 2024, showing where influence carried through and where gaps remain. The conclusion: progress was made, but without law, incentives, and professional recognition, the Code risks becoming compliance theatre.

Introduction

In April 2025, DSIT and the NCSC published the final Cyber Governance Code of Practice. It sets out five principles — risk management, strategy, people, incident planning, and assurance — and makes directors personally accountable for cyber resilience.

Looking back to the consultation in early 2024, I had submitted two responses (practitioner and IET) and a set of thematic reflections (Articles 5–10). The question now is simple: did those ideas make it into the final Code?

What Government Published

Explored in depth in Cyber Governance Code of Practice 2024: What Government Finally Published.

The Code is structured, clear, and board-friendly. It requires:

  • Regular risk assessments, including supply chain oversight.
  • Alignment of cyber with organisational strategy.
  • Directors to become cyber literate.
  • Annual incident exercises and post-incident reviews.
  • Quarterly reporting and integration with audits.

On paper, this is a serious step forward. It places cyber firmly in the boardroom.

What Carried Through, and What Did Not

Fully collated and analysed in Did We Influence DSIT’s Cyber Governance Code of Practice?

From the practitioner response documented in Directors and Cyber Governance: My Practitioner’s Response to DSIT’s Consultation.

  • Supply chain risk → carried through strongly.
  • Continuous process → embedded in quarterly reporting and regular reviews.
  • Assurance → partly included, but still softer than needed.

From the IET response, written about in From Practitioner to Professional Body: The IET Response on Cyber Governance.

  • Proportionality for SMEs → acknowledged, but not fully developed.
  • Professional recognition → absent, replaced by “training” language.
  • Broader engagement → partially reflected, but not as wide as we argued for.

From the thematic “deep-dive” articles (Directors and Cyber Responsibility: Towards a New Company Law, Why Self-Attestation Doesn’t Work: Lessons for the DSIT Code, From Cyber Essentials to Corporate Governance: Raising the Bar, Incentives, Not Just Obligations: Driving Real Uptake of Cyber Governance, and Professionalism and Accountability: Why Cyber Needs Recognition like Law and Engineering):

  • Company law duties → not adopted. Still guidance, not statute.
  • Self-attestation critique → partly addressed, but independent assurance not mandated.
  • Incentives → ignored. Obligations dominate.
  • Cyber Essentials as floor → implicit, but not explicitly linked.

Reflection

Yes, we influenced the Code — but only partially. The DNA of the practitioner and IET responses is visible in its structure and emphasis. But the hardest issues — law, incentives, professionalisation — remain untouched.

This leaves the Code in a halfway house: stronger than before, but still at risk of becoming compliance theatre if boards treat it as guidance to file, not governance to live.

Conclusion

The 2024 consultation was a moment of ambition. The 2025 Code is a step forward. But the gap between aspiration and adoption remains.

Our task now is to keep pressing on the unfinished business: making cyber a legal duty, embedding professional recognition, creating incentives, and ensuring SMEs are not left behind. Only then will cyber governance move from paper to practice.