
Cyber security | UK Regulatory Outlook May 2025

Published on 29th May 2025

NCSC blog on recent high profile cyber attacks on retailers | New voluntary software security code of practice | Russian intelligence campaign targeting western logistics and technology organisations 

NCSC blog on recent high profile cyber attacks on retailers 

Richard Horne, the Chief Executive Officer of the National Cyber Security Centre (NCSC), published a blog post urging businesses to "face the stark reality of the cyber threat they face", following news of cyber incidents affecting UK retailers in recent months. 

The NCSC previously confirmed that it is working with the affected retailers, who have reported incidents to both the NCSC and the Information Commissioner's Office. In his latest blog post, Mr Horne emphasised the importance of businesses "redoubling their efforts" in defending against and preparing for cyber attacks, which have the potential to disrupt critical services, impose financial and reputational costs, and put customers' personal data at risk. 

He highlighted that effective risk management is crucial for managing cyber risks and encouraged businesses to use the freely available guidance on the NCSC website to strengthen their defences. 

Effective incident response is key to minimising potential legal, financial, and reputational fallout. If you would like to discuss any of the issues raised, please get in touch with your usual Osborne Clarke contacts or our experts below to help you make the right decisions to minimise the risk to your business. 

New voluntary software security code of practice 

On 7 May 2025, the Department for Science, Innovation and Technology (DSIT) published a new voluntary software security code of practice for software vendors. 

Co-sealed by the Canadian Centre for Cyber Security, the new voluntary code of practice sets out expectations for the security and resilience of software. It aims to support software vendors and their customers in reducing the likelihood and impact of software supply chain attacks and other software resilience incidents. 

The code consists of 14 principles that software vendors are expected to implement to establish a consistent baseline of software security and resilience across the market. 

The software security code of practice should be considered as part of the broader suite of cyber security guidance issued by DSIT. It should be read alongside other applicable codes of practice, such as the cyber governance code of practice, and those relating to AI cyber security (see more in our previous Regulatory Outlook).

Download the code and access related resources on the NCSC website. See also the NCSC blog post and implementation guidance. 

Russian intelligence campaign targeting western logistics and technology organisations 

The NCSC and partners from ten countries (the US, Germany, Czech Republic, Poland, Australia, Canada, Denmark, Estonia, France and the Netherlands) published a new joint advisory detailing a malicious state-sponsored cyber campaign conducted by the Russian military intelligence service (Unit 261565 – also known as APT 28) against public and private organisations since 2022. 

The advisory warns that the campaign targets Western logistics and technology firms, including those involved in the coordination, transport, and delivery of support to Ukraine. It also targets firms in the defence, IT services, maritime, airports, ports, and air traffic management systems sectors in multiple NATO nations. 

The advisory includes advice to organisations on mitigating the malicious activity, such as increasing monitoring, using multi-factor authentication, and ensuring security updates are applied promptly. 

Read the NCSC press release

* This article is current as of the date of its publication and does not necessarily reflect the present state of the law or relevant regulation.
