Looking to streamline your TPRM? Join our Product Deep Dive Webinar with live Q&A!
Register Now
Blog
Resources
Blog
Breaches
eBooks, reports, & more
Events
News
Compliance and Regulations
Categories
Attack Surface Management
Company News
Compliance and Regulations
Cybersecurity
Data Breaches
DevOps
Human Cyber Risk
Risks and Vulnerabilities
Third-Party Risk Management
Vendor Risk Management
List of Cybersecurity Laws and Regulations in the UK
Last updated
December 2, 2025
{x} minute read

List of Cybersecurity Laws and Regulations in the UK

Get a demo
Free trial
Download the PDF guide
Free trial
Written by
Kyle Chin
Cybersecurity Writer
Kyle's work has been featured in law publications, academic institutions, and government bodies.
Reviewed by
Cindy Ruan
Lead GRC specialist
Cindy combines degrees in Computer Science and Law with expertise in GRC, and she has presented her insights at the Australian Cyber Conference.
Table of contents

The digital threat landscape in the United Kingdom (UK) continues to evolve as businesses that undergo a massive transition towards increased digitalization and cloud-based migrations are forced to change their IT system operations.

More importantly, UK laws and regulations must also adapt to ensure that UK businesses and organizations are working to improve their cybersecurity posture and IT infrastructure to protect data security and privacy. Especially during the post-Brexit era, businesses must ensure compliance with the UK’s newest cybersecurity laws and regulations.

In this article, we will examine the most current cybersecurity laws and regulations in the UK, how to comply with them, the penalties and fees they impose for non-compliance, the newest legislative measures of the NIS Regulations, and which steps UK businesses can take to protect their networks, data, and systems.

List of Cybersecurity Laws and Regulations in the UK

The UK has established a comprehensive legal framework to address the growing importance of cybersecurity, ensuring that organizations across various sectors are equipped to protect against digital threats and operational disruptions. Below is a list of key cybersecurity laws and regulations that play a crucial role in maintaining the security and resilience of the UK's digital and critical infrastructure.

Other global cybersecurity regulations and frameworks, such as PCI-DSS, NIST, SOX, and HIPAA, are also actively followed by many UK businesses and organizations. However, businesses are not obliged to follow them under UK law.

Learn the difference between a regulation and a cyber framework >

DPA (Data Protection Act 2018)

The Data Protection Act 2018 (DPA 2018) is the UK government’s primary law on personal data processing in the UK, which is enforced along with the UK-GDPR. It serves as a data protection framework that regulates all aspects of how businesses, organizations, and government bodies control and process personal data.

Because the UK is still considered an EU member-state in the post-Brexit era, many of its businesses are still subject to GDPR. However, the UK created its own version of the GDPR to better accommodate its domestic laws, called UK-GDPR.

The DPA 2018 requires all UK data controllers (companies and organizations that control the processing of personal data) to implement and maintain proper security measures for safeguarding personal data. More specifically, it applies to businesses that typically process customer data and records.

Is Compliance With the DPA 2018 Mandatory?

Yes. All businesses subject to the Data Protection Act of 2018 must have the appropriate measures for safeguarding data like personally identifiable information (PII), medical records, and customer data.

Additionally, data processors are required to report data breaches and cyber incidents to relevant authorities within 72 hours without undue delay, inform the controller of the data breach, as well as inform everyone involved in the data breach.

What Are the Penalties for DPA 2018 Non-Compliance?

If UK organizations fail to comply with the DPA 2018, they may be fined up to £17.5 million or 4% of annual global turnover.

Additionally, under the Data Protection (Charges and Information) Regulations 2018, controllers who process personal data are obliged to pay an annual data protection fee to the Information Commissioner’s Office (ICO), depending on the company's size and turnover.

Read more: The UK Data Protection Act 2018: Data Protection Post-Brexit

UK-GDPR (UK General Data Protection Regulation)

The UK-GDPR (General Data Protection Regulation) is the United Kingdom’s data security regulation, tailored by and complementing the Data Protection Act 2018. Also modeled after the EU-GDPR, it governs and regulates how UK organizations and businesses collect, store, use, and process personal data.

Prior to Brexit, data handling regulations were part of the EU-GDPR under the jurisdiction of the EAA (European Economic Area). Although the UK today isn’t affiliated with European policies, it reuses the same components of the regulation with slight adjustments and modifications to fit with its domestic laws.

The UK-GDPR regulation applies to every country in the United Kingdom (England, Scotland, Wales, and Northern Ireland), and it mandates businesses to protect all personal data by only allowing third-party entities access to the personal data that are “subject to sufficient guarantees involving the security of the processing services.”

Additionally, the UK-DGPR protects the rights of data subjects (people whose data is held, according to the Data Protection Act 2018) to control how their data is handled.

The UK-GDPR recognizes seven main principles of how organizations process personal data:

  • Lawfulness, fairness, and transparency
  • Purpose limitation
  • Data minimization
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality (security)
  • Accountability

The UK-GDPR regulations mandate that businesses store, handle, and process UK citizens’ data in a manner that meets the principles' requirements.

Read here to learn more about the seven principles and how they help with compliance.

Is Compliance With the UK-GDPR Mandatory?

All UK organizations and businesses that are involved in the collection, handling, storage, or processing of personal/private data of all entities in the United Kingdom must comply with the UK-GDPR.

The UK-GDPR applies to UK organizations that process and control personal data and are obliged to implement security measures to safeguard personal data, as recommended by the UK-GDPR guidelines.

One of the main steps in achieving UK-GDPR compliance, as well as DPA compliance, is to:

  • Adhere to the seven principles of data processing
  • Create an IT Security Policy to meet the GDPR's security requirements
  • Implement strong data protection concepts
  • Maintain a clear, comprehensive, and suitable privacy policy

What Are the Penalties for UK-GDPR Non-Compliance?

Organizations that fail to comply with the UK-GDPR may be penalized by a maximum fine of up to £17.5 million (€20 million) or 4% of their overall annual turnover (whichever is greater). Businesses can be fined even if they aren’t affected by a cyber attack or data breach if they fail to implement adequate security standards for third-party data accessibility.

NIS2 (Network and Information Systems Directive)

The NIS2 Directive, an updated and more robust version of the original NIS Directive, aims to enhance cybersecurity across the European Union, including critical sectors for national infrastructure. These regulations expand the scope of the original directive, bringing more sectors and types of organizations under its purview.

Essential and important service providers in energy, transport, health, and digital infrastructure are mandated to implement stringent cybersecurity measures to protect their network and information systems. These measures include:

  • Expanded scope: NIS2 covers additional sectors, including cloud computing, digital providers, manufacturing, and research. 
  • Risk-based approach: NIS2 emphasizes the importance of risk management, assessment, and mitigation strategies.
  • Incident reporting: NIS2 imposes advanced reporting obligations on applicable organizations, requiring entities to report cybersecurity incidents to all relevant stakeholders. 
  • Enhanced cooperation: NIS2 encourages collaboration among EU member states, prompting cross-border information sharing to prevent and mitigate cyber threats. 
  • Stricter penalties: NIS2 introduces strict penalties for non-compliance, including fines of up to 10% of an organization’s annual turnover. 

NIS2 represents a significant evolution in the EU’s approach to cybersecurity, addressing the shortcomings of the original NIS Directive and adapting to the increasingly interconnected and digital nature of modern society. Organizations covered by NIS2 must take proactive steps to comply with the new requirements to safeguard their operations and contribute to a more resilient cybersecurity environment across Europe.

Is compliance with NIS2 mandatory?

Yes, organizations identified as operators of essential services (OES) and digital service providers (DSP) are required to comply with the NIS2 Regulations. These regulations outline specific cybersecurity requirements for managing risks, including the implementation of security measures, reporting incidents, and conducting regular risk assessments. Non-compliance can result in regulatory breaches, significant financial penalties, and harm to the organization's reputation.

What are the penalties for NIS2 non-compliance?

In comparison to NIS1, NIS2 imposes stricter penalties for non-compliance, including fines of up to 10% of an organization’s annual revenue. The penalties and fines depend on an organization's classification:

  • Penalties for essential entities: Administrative fines of up to EUR €10 million (or at least 2% of the organization’s total annual revenue from the previous fiscal year, whichever is higher).
  • Penalties for important entities: Administrative fines of up to EUR €7 million (or at least 1.4% of the organization’s total annual revenue from the previous fiscal year, whichever is higher).

These increased penalties highlight the EU’s commitment to enhancing cybersecurity and cyber awareness throughout Europe. Regulatory authorities can hold compliant organizations responsible for failing to comply with any of the directive’s regulatory components.

Read more: Preparing for NIS2: A Compliance Guide For Covered Entities

DORA (Digital Operational Resilience Act) 

The Digital Operational Resilience Act (DORA) is a regulatory framework introduced by the European Union to ensure that financial institutions and related entities can withstand, respond to, and recover from all types of ICT-related disruptions and threats. DORA is part of a broader strategy to enhance the financial system's overall cyber resilience against digital risks, including cybersecurity threats.

The core components of DORA include:

  • ICT risk management: Implement robust ICT risk management frameworks, integrate ICT risk into overall risk management, and regularly review and update ICT risk policies.
  • Incident reporting: Establish clear processes for detecting, managing, and reporting ICT-related incidents, ensure timely reporting to authorities, and conduct post-incident analysis.
  • Digital operational resilience testing: Continuously test ICT systems through stress testing, scenario-based testing, and penetration testing, involving external parties when necessary, and use testing results to enhance resilience.
  • Third-party risk management: Manage risks associated with third-party ICT service providers through due diligence, ongoing monitoring, and ensuring resilience provisions in contracts.
  • Information sharing: Participate in information-sharing arrangements to improve collective resilience, share information on vulnerabilities, threats, and incidents, and contribute to industry-wide best practices.
  • Governance and oversight: Establish governance structures for proper oversight of ICT risk management, assign responsibilities at the board level, ensure ongoing operational resilience efforts, and integrate ICT resilience into corporate governance.

DORA applies to a wide range of financial entities, including banks, investment firms, payment service providers, and insurance companies.

Is compliance with DORA mandatory?

Yes, compliance with DORA is mandatory for all financial service institutions and relevant entities operating within the European Union. This includes:

  • Payment institutions
  • ​Investment firms
  • Insurance companies
  • Credit rating agencies
  • ​Crypto-asset service providers
  • Crowdfunding service providers
  • Data analytics and audit services
  • Fintech
  • ​Trading venues
  • Financial system providers
  • Credit institutions

Third-party ICT service providers for financial entities are also within the scope of DORA requirements. Compliance is not optional, and failure to adhere to DORA’s requirements can result in serious consequences.

What are the penalties for DORA non-compliance?

Penalties for non-compliance with DORA are enforced by designated regulators in each EU state, known as "competent authorities." Potential consequences for non-compliance include administrative fines, remedial measures, public reprimands, withdrawal of authorization, and compensation for damages incurred.

Major breaches (such as failures to implement mandatory ICT risk management measures, failure to report significant ICT-related incidents, or inadequate third-party risk management) face fines up to 2% of the firm’s total annual global turnover or €10 million, whichever is higher.

Lesser breaches (such as failures in documentation, minor lapses in transparency, or issues with governance and oversight of ICT risk) face fines of up to 1% of the firm’s total annual global turnover or €5 million, whichever is higher.

Read more: What is the Digital Operational Resilience Act (DORA)?

UK Operational Resilience Framework

The UK Operational Resilience Framework is a regulatory initiative developed by the Bank of England, the Prudential Regulation Authority (PRA), and the Financial Conduct Authority (FCA) to ensure that financial institutions and other regulated firms can withstand and recover from operational disruptions.

The framework focuses on the continuity of important business services during severe disruptions, whether they stem from cyber incidents, technology failures, pandemics, or other operational risks. Requirements include:

  • Identification of important business services: Identify and map critical business services that, if disrupted, could impact customers, financial stability, or the broader economy, focusing on the end-to-end processes that support these services.
  • Setting impact tolerances: Establish clear impact tolerances for each important business service, defining the maximum level of disruption the organization can tolerate before the service fails to meet its objectives.
  • Mapping and dependencies: Develop detailed mappings of the resources and dependencies (e.g., people, processes, technology, third parties) that support important business services, ensuring a comprehensive understanding of the factors influencing operational resilience.
  • Scenario testing: Conduct regular and rigorous scenario testing to assess the firm’s ability to remain within impact tolerances during various disruptive events, including cyberattacks, system failures, and other operational risks.
  • Risk management and governance: Integrate operational resilience into the firm’s overall risk management framework, ensuring that senior management and the board have clear oversight of resilience efforts and are accountable for maintaining operational continuity.
  • Communications and coordination: Develop robust internal and external communication strategies to effectively manage and coordinate responses during operational disruptions, ensuring clear, timely, and accurate information flow.
  • Continuous improvement: Regularly review and update operational resilience strategies, learn from past incidents, and make necessary adjustments to improve resilience capabilities and ensure alignment with evolving threats and regulatory expectations.

The UK Operational Resilience Framework represents a shift from traditional risk management to a more proactive approach, emphasizing the importance of operational resilience in maintaining the stability of the financial system.

Is compliance with the UK Operational Resilience Framework mandatory?

Compliance with the UK Operational Resilience Framework is mandatory for firms regulated by the Bank of England, PRA, and FCA. Covered organizations include a wide range of financial institutions such as banks, building societies, insurers, and certain investment firms.

The framework mandates that firms conduct regular testing and reviews to ensure ongoing compliance and resilience, with the expectation that they will continuously improve their operational resilience capabilities.

What are the penalties for UK Operational Resilience Framework non-compliance?

Failure to comply with the UK Operational Resilience Framework can lead to serious consequences, such as financial penalties, regulatory sanctions, and enforcement actions. Regulatory bodies like the FCA and PRA have the power to levy fines that reflect the severity of the non-compliance, which could be substantial depending on its impact on the firm's ability to provide crucial services.

EU Cybersecurity Act

The EU Cybersecurity Act is a comprehensive regulation aimed at strengthening cybersecurity across the European Union, establishing a framework for European cybersecurity certification of ICT products, services, and processes.

Key components of the EU Cybersecurity Act include:

  • EU Cybersecurity Certification Framework: Establish a comprehensive framework for the certification of ICT products, services, and processes, ensuring they meet defined cybersecurity standards across the EU.
  • Role of ENISA (European Union Agency for Cybersecurity): Strengthen the mandate and role of ENISA, empowering it to develop certification schemes, support Member States, and improve overall cybersecurity capabilities within the EU.
  • Cybersecurity certification schemes: Develop and implement specific cybersecurity certification schemes tailored to different categories of ICT products and services, with varying levels of assurance (basic, substantial, and high).
  • Voluntary certification: Encourage voluntary adoption of cybersecurity certifications, which, while not mandatory in all cases, provide significant market advantages and help build trust among consumers and businesses.
  • Harmonization of cybersecurity standards: Promote the harmonization of cybersecurity standards across the EU, ensuring consistency in the certification process and facilitating the free flow of ICT products and services within the digital single market.
  • Transparency and trust: Increase transparency by making information about certified ICT products and services publicly available, allowing consumers and businesses to make informed choices based on recognized cybersecurity standards.
  • Support for SMEs: Provide support and guidance for small and medium-sized enterprises (SMEs) to help them achieve cybersecurity certifications, enhancing their competitiveness and security posture within the EU market.

These components collectively aim to enhance the security and resilience of ICT products and services across the EU, fostering a more secure digital environment and building trust in the digital economy.

Is compliance with the EU Cybersecurity Act mandatory?

Compliance with the EU Cybersecurity Act is mandatory for entities within the regulation's scope, particularly those involved in the production, distribution, or use of ICT products, services, and processes within the EU.

While the Act itself mandates compliance with the certification schemes, it is important to note that certification is voluntary unless it is mandated by other EU laws or regulations. However, once a certification scheme is chosen, compliance with its specific requirements is mandatory.

Parties encouraged to comply with the EU Cybersecurity Act include the following:

  • Manufacturers and developers: Any business that creates ICT products and services for the European market or imports into the EU.
  • Service providers: Providers of ICT digital services, including online marketplaces, cloud computing connectivity, and search engines.
  • Critical infrastructure operators: Entities that operate essential services (energy, transport, banking, health) if they use ICT products or services. While the EU Cybersecurity Act does not mandate compliance with the certification framework, other regulations, like the NIS Directive, may encourage them to use certified products or services.
  • Public sector and government agencies: In specific situations, organizations in the public sector or government may be required to use certified ICT products or services.

What are the penalties for EU Cybersecurity Act non-compliance?

Penalties for not complying with the EU Cybersecurity Act vary based on specific circumstances. Failing to adhere to certification schemes or falsely claiming certification can lead to legal and financial repercussions under national laws. Non-compliance may result in the loss of certifications, legal liabilities, and reputational damage affecting competitiveness in the EU market.

Read more: Unveiling the EU Cybersecurity Act

EU Cyber Resilience Act

The EU Cyber Resilience Act is a proposed regulation aimed at improving the cybersecurity of digital products and services across the European Union. The Act seeks to establish common cybersecurity standards to ensure that hardware and software products are designed, developed, and maintained with security in mind.

The law covers a wide variety of products, including consumer devices and industrial software. It aims to ensure that these products can withstand cyber threats throughout their entire lifespan. Products are divided into two risk categories based on the level of risk they pose. Higher-risk products must undergo more rigorous evaluations to ensure they meet the minimum standards outlined in the law.

The Act emphasizes the importance of securing the entire supply chain and mandates that manufacturers, developers, and vendors meet specific cybersecurity requirements before their products can be sold within the EU.

Is compliance with the EU Cyber Resilience Act mandatory?

Yes, compliance with the EU Cyber Resilience Act will be mandatory for all businesses that manufacture, distribute, or sell digital products and services within the European Union. This includes both EU-based companies and international businesses that wish to market their products in the EU. 

The Act requires these entities to adhere to cybersecurity standards throughout the product lifecycle, including design, development, production, and post-market processes. Products that do not meet these standards may not be allowed on the EU market, making compliance critical for businesses operating in or targeting the EU market.

What are the penalties for EU Cyber Resilience Act non-compliance?

Non-compliance with the Cyber Resilience Act may lead to significant monetary or legal consequences. Companies that fail to meet compliance standards, such as not reporting cybersecurity incidents and vulnerabilities, lacking necessary technical documentation, or not updating products to address evolving cyber threats, may be subject to administrative fines of up to €15 million or 2.5% of their global turnover, whichever is higher.

Furthermore, businesses that provide false or inaccurate information to regulatory bodies may face fines of up to €5 million, or 1% of global turnover, whichever is higher.

Read more: The EU Cyber Resilience Act: Securing Digital Products

Computer Misuse Act 1990

The Computer Misuse Act 1990 is the main cybersecurity act that regulates the UK’s digital relationship between individuals and malicious parties. It is enforced directly with the Data Protection Act 2018 and the UK-GDPR, which protect UK residents’ personal data.

Primarily designed in 1990 to protect telephone exchanges, the Computer Misuse Act 1990 also prosecutes criminals for unauthorized access to computers for the purpose of modifying, removing, or tampering with data, as well as malicious cybercrime and cyber attacks like ransomware and DDoS attacks.

This includes cybercriminals who have committed a cybercrime in the UK or computers located in the UK. The information illegally accessed by a cybercriminal doesn’t necessarily need to be PII (personally identifiable information) that cybercriminals use to commit identity fraud or identity theft.

As stated by the CPS (Crown Prosecution Services), a “computer” refers to devices like smartphones, tablets, and other devices besides personal desktop computers that store, retrieve, and process sensitive information and data.

The Computer Misuse Act 1990 prohibits non-consensual system access, making ethical hacking technically illegal. UK organizations believe this hinders ethical hackers' work. Despite this, there have been no reported cases of UK cybersecurity teams being penalized for ethical hacking.

Is Compliance With the Computer Misuse Act 1990 Mandatory?

The Computer Misuse Act 1990 prosecutes cybercriminals if they commit the following illegal activities:

  • Gaining unauthorized access to a computer’s data and sensitive information with malicious intent and without permission
  • The intentional use of computers to commit a crime or harm others
  • The modification, removal, tampering with, or ransom of personal data via malware and viruses
  • Complacency and aiding computer misuse by creating or obtaining information to perform other cybercrimes

What are the Non-Compliance Penalties for Computer Misuse Act 1990?

The fines and prison sentences for breaking the law under the Computer Misuse Act 1990 vary but generally include the following:

  • £5,000 fine or a six-month sentence for unauthorized access to or malicious use of data;
  • Unlimited fine or a five-year prison sentence for intention to commit cybercrime;
  • Unlimited fine or a five-year prison sentence for the modification, malicious tampering, removal, and data ransom
  • Unlimited fine or a 10-year prison sentence for complacency and aiding in computer misuse

EU Artificial Intelligence Act

The EU Artificial Intelligence (AI) Act is a significant regulatory framework proposed by the European Union to govern the development, deployment, and use of artificial intelligence (AI) technologies within the EU. Key components of the AI Act include:

  • Risk-based classification: Categorizes AI systems by risk level—unacceptable, high, limited, and minimal.
  • Regulation of high-risk AI: Imposes strict requirements on high-risk AI, including data quality, transparency, and human oversight.
  • Banning unacceptable AI: Prohibits AI practices that pose unacceptable risks, such as social scoring.
  • Transparency requirements: Mandates user awareness when interacting with AI systems, especially for chatbots and deepfakes.
  • Governance and accountability: Requires organizations to implement governance frameworks for AI compliance.
  • Market surveillance: Strengthens enforcement through conformity assessments and audits.
  • Support for SMEs: Offers guidance to SMEs to ensure compliance while fostering AI innovation.
  • Post-market monitoring: Ensures ongoing compliance and risk mitigation throughout the AI system’s lifecycle.

These components work together to create a comprehensive framework for ensuring that AI systems developed, deployed, and used within the EU are safe, transparent, and aligned with fundamental rights, while also fostering innovation in the AI sector.

Is compliance with the EU Artificial Intelligence Act mandatory?

Yes, once the Artificial Intelligence Act is officially adopted in 2024, compliance with it will be mandatory for organizations that develop, deploy, or use AI systems within the European Union. The specific requirements depend on the AI system's risk category.

Compliance will involve adhering to stringent regulatory requirements for high-risk AI systems, including conducting risk assessments, ensuring data quality, and implementing robust governance mechanisms. Developers and users of AI systems classified as limited or minimal risk will face lighter regulatory obligations, such as transparency requirements and voluntary codes of conduct.

What are the penalties for EU Artificial Intelligence Act non-compliance?

Failure to comply with the EU Artificial Intelligence Act may lead to substantial financial penalties and, if needed, legal action. The fines for breaching the EU AI Act will vary based on the type of AI system, the company's size, and the seriousness of the violation.

  • €7.5 million or 1.5% of a company's total worldwide annual turnover (whichever is higher) for incorrect, incomplete, or misleading information
  • €15 million euros or 3% of a company's total worldwide annual turnover (whichever is higher) for breaches of obligations listed in the Act
  • €35 million euros or 7% of a company's total worldwide annual turnover (whichever is higher) for violations of prohibited AI applications

Telecommunications (Security) Act 2021

The Telecommunications (Security) Act, which came into effect in November 2021 (full implementation expected by March 2024), is a strict, all-encompassing act that regulates the network security against cyberattacks of all mobile carriers in the UK.

The new regulations are amended after the Communications Act 2003, and Ofcom enforces and formulates them with help and input from the National Cyber Security Centre.

This act covers how telecommunication providers procure infrastructure and services such as 5G networks and the incentives to protect the software, equipment, and data processed by networks and services.

The Telecommunications (Security) Act includes:

  • How CSPs (communication service providers) monitor activity and access;
  • How they monitor security and data protection investments;
  • How service providers inform stakeholders about data breaches or cyber incidents.

Is Compliance With the Telecommunications (Security) Act Mandatory?

Complying with the UK Telecommunications (Security) Act is mandatory for communications service providers (CSPs).

The act requires CSPs to:

  • Minimize cybersecurity risks
  • Safeguard the information that’s handled by their network information
  • Focus on supply chain risks and handle who has access to their networks and services
  • Promptly inform the regulator in case of cybersecurity breaches
  • Protect the monitoring and analysis of hardware and software of their network and services
  • Enhance their ability to understand and identify cybersecurity anomalies and report any unusual activities

What Are the Penalties for Telecommunications (Security) Act Non-Compliance?

Failure to comply with the Telecommunications (Security) Act means that UK mobile carriers and broadband service providers may face fines of £117K/day or 10% of annual revenues, which is enforced by Ofcom.

PECR (Privacy and Electronic Communications Regulations)

The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) is the UK’s law for electronic communications networks and services in line with the Data Protection Act and the UK-GDPR, regulating privacy rights regarding electronic communication.

PECR plays a major part in maintaining the security of UK communication services, customer privacy, and location data. It also criminalizes transmitting automated and recorded marketing messages via phone, email, fax, or text without the subscriber's consent. Additionally, it regulates the use of tracking cookies.

PECR requirements apply only to organizations, networks, and service providers that offer electronic communications services like email, text, fax, and phone marketing, use cookies, and compile telephone directories.

PECR works in conjunction with UK-GDPR, and it utilizes the UK GDPR standard of consent. Businesses that use tracking cookies or work with electronic marketing must be compliant with both the UK-GDPR and PECR, and the overlapping of both regulations’ data privacy requirements means that businesses that comply with PECR may also meet the requirements of the UK-GDPR.

Is Compliance With PECR Mandatory?

Yes, compliance with PECR is mandatory. Businesses that fail to comply will be penalized by the ICO.

To comply with PECR, businesses must:

  • Inform their customers and users that they use cookies and explain why they’re used
  • Notify the ICO and all affected parties in case of a data breach within 24 hours of detection, and maintain a log
  • Ask for customer consent for tracking cookies
  • Specify how long the cookies will be in use.

What Are the Penalties for PECR Non-Compliance?

Businesses and organizations that fail to meet PECR requirements face auditing and non-criminal enforcement. Frequent infringers may face being penalized by the Information Commissioner with a fine of up to £500,000 or criminal prosecution.

Reporting Cybercrime in the UK

Whether it’s a minor offense like an unintentional data leak or a severe cybercrime like hacking, all cybercrimes in the UK must be reported to respective reporting centers and law enforcement agencies for cybercrime.

There are organizations in the UK that serve as cybercrime reporting centers, and some also offer guidance for mitigation and fraud prevention tips.

National Cyber Security Centre (NCSC)

While the UK has no national CERT (Computer Emergency Response Team) or CSIRT (Computer Security Incident Response Team), the NCSC plays a significant role in informing and providing technical support and guidelines to UK businesses and organizations for reporting cyber incidents.

The NCSC, which is part of GCHQ (Government Communications Headquarters), has a significant role in technical authority for cybersecurity that:

  • Acts as a CSIRT that offers guidance and support to organizations that have reported a cybersecurity incident
  • Engages with EU partners as a SPOC (Single Point of Contact) for submitting yearly cybersecurity incident statistics and coordinating requests
  • Advises operators of essential services and competent authorities with cybersecurity knowledge and technical expertise for NIS security principles, cyber assessment frameworks, and best practices
  • Serves as the national breach notification and cybercrime reporting organization, providing guidance and suitable incident response procedures for the UK public

The Cybersecurity Information Sharing Partnership

The CiSP (Cybersecurity Information Sharing Partnership) is a government-funded initiative that collaborates with the National Cyber Security Centre to exchange real-time cyber threat information, increase cybercrime awareness, and minimize security breaches in the UK.

The CiSP is a digital service that encourages private UK sectors and organizations to collaborate with government sectors to prevent cybercrime.

Related posts

Learn more about the latest issues in cybersecurity.
Compliance and Regulations

NIST compliance in 2025: A complete implementation guide

NIST compliance ensures alignment with leading cybersecurity frameworks. Explore how the NIST standards can safeguard sensitive data and manage third-party
Edward Kost
Edward Kost
December 2, 2025
Compliance and Regulations

Introducing UpGuard’s DPDP Act Security Questionnaire

Discover the latest addition to UpGuard's industry-leading Questionnaire Library and learn how to achieve comprehensive DPDP compliance.
Nicholas Sollitto
Nicholas Sollitto
November 18, 2024
Compliance and Regulations

From NIS to NIS2: What Your Organization Needs to Know

Understanding the transition from NIS to NIS2 is crucial for protecting your organization. Explore the key changes and compliance steps in this blog.
Leah Sadoian
Leah Sadoian
July 3, 2025
Compliance and Regulations

How to Prepare for a Cyber Essentials Plus Audit

Learn more about the Cyber Essentials Plus independent assessment process, and steps your organization can take to prepare.
Leah Sadoian
Leah Sadoian
July 3, 2025
Compliance and Regulations

PSPF 001-2024: Safeguarding GovTech from Foreign Influence

Explore Australia’s new PSPF Direction, including key components and strategies to help government entities prevent foreign influence over tech assets.
Leah Sadoian
Leah Sadoian
July 3, 2025
Compliance and Regulations

GDPR's Influence on Indian Data Protection Practices

Explore the impact of the GDPR on India's cyber regulations, comparing pre-GDPR and post-GDPR data protection laws.
Leah Sadoian
Leah Sadoian
July 10, 2025
All posts