This framing article summarises a set of responses to DSIT’s Cyber Governance Code of Practice consultation in Jan/Feb 2024. It highlights practitioner and institutional submissions, alongside thematic deep dives on law, assurance, incentives, and professionalism. The message: DSIT asked the right questions, but the hardest answers were still missing.
Introduction
In January 2024, the Department for Science, Innovation and Technology (DSIT) launched its consultation on a Cyber Governance Code of Practice. For the first time, the government was openly exploring whether directors should carry explicit duties for cyber resilience — potentially even embedded in company law.
That consultation marked a turning point. It asked boards to consider five principles — risk, strategy, people, incident planning, and assurance — but it also left key questions unanswered. How should boards evidence compliance? How can SMEs realistically engage? Who counts as a credible professional? And why should directors invest in governance without incentives?
Background Article
I described the background to the code in the article:
- Before the DSIT Cyber Governance Code of Practice: What the Consultation Proposed — what DSIT actually proposed, and what was missing.
Response Articles
Over the course of the consultation, I submitted two responses:
- Directors and Cyber Governance: My Practitioner’s Response to DSIT’s Consultation — blunt, problem-led, based on lived experience.
- From Practitioner to Professional Body: The IET Response on Cyber Governance — institutional, policy-ready, amplifying practitioner concerns with professional framing.
Thematic Deep Dive Articles
I followed it all up with a set of thematic reflections that dig deeper into the unresolved issues:
- Directors and Cyber Responsibility: Towards a New Company Law — should cyber become a legal duty?
- Why Self-Attestation Doesn’t Work: Lessons for the DSIT Code — why tick-box approaches have failed.
- From Cyber Essentials to Corporate Governance: Raising the Bar — moving beyond Cyber Essentials.
- Incentives, Not Just Obligations: Driving Real Uptake of Cyber Governance — why obligations alone won’t work.
- Professionalism and Accountability: Why Cyber Needs Recognition like Law and Engineering — the need for recognised, accountable experts.
Why This Moment Matters
Cyber is no longer a technical nuisance. It is financially material, strategically defining, and systemically dangerous. By inviting consultation, DSIT signalled that it recognises this — but recognition is not enough. The consultation is only valuable if it translates into a Code that drives real change in boardrooms.
My articles from this period capture that tension: supportive of the ambition, critical of the gaps, and insistent that if cyber governance is to work, it must be credible, proportionate, and actionable.
Conclusion
The consultation asked the right questions. But the answers, at that stage, were still contested. These articles represent my attempt to shape those answers: to bring practitioner urgency, institutional weight, and thematic depth to a debate that will define the next decade of UK corporate governance.
References
- Before the DSIT Cyber Governance Code of Practice: What the Consultation Proposed
- Directors and Cyber Governance: My Practitioner’s Response to DSIT’s Consultation
- From Practitioner to Professional Body: The IET Response on Cyber Governance
- Directors and Cyber Responsibility: Towards a New Company Law
- Why Self-Attestation Doesn’t Work: Lessons for the DSIT Code
- From Cyber Essentials to Corporate Governance: Raising the Bar
- Incentives, Not Just Obligations: Driving Real Uptake of Cyber Governance
- Professionalism and Accountability: Why Cyber Needs Recognition like Law and Engineering
- Cyber Governance at a Crossroads: Responding to DSIT’s Consultation
- Cyber Governance Code of Practice 2024: What Government Finally Published
- Did We Influence DSIT’s Cyber Governance Code of Practice?
- From Consultation to Code Retrospective: Did We Influence the Outcome of the Cyber Governance Code of Practice
- Cyber Governance Code of Practice – published 8th April 2025