As we head into the second half of 2026, the cyber-threat landscape continues to evolve at pace.
Organisations are grappling with increasingly challenging attacks, as geopolitical instability, a fragmented threat-actor landscape and technological developments (not least AI and quantum) raise cyber risk. Meanwhile, legislators respond with new frameworks designed to strengthen resilience and accountability.
Treasury’s key role in cyber preparedness and incident response means it is important to keep abreast of these changes and the lessons organisations can take from recent cyber developments.
Lesson 1: New laws
There is a range of new laws, along with changes to existing law, that organisations must consider. Many of these are designed to increase cyber preparedness or tackle known cyber risks:
- Cyber has always been a board-level issue, but must now be shown as such: In the UK, changes to the Corporate Governance Code (Provision 29), which came into effect at the start of this year, reinforce the importance of boards understanding, and taking responsibility for, cyber governance in their organisation. This is an expectation echoed by investors, the NCSC (which has published its boardroom toolkit) and the UK government.
- Supply chain management is key, legally and operationally: The UK’s Cyber Security and Resilience Bill, which updates the 2018 Network and Information Systems Regulations (NIS) regime for critical services, was published last November and will continue working its way through the parliamentary process this year. The proposed changes include bringing critical technology suppliers, such as data centres and managed service providers, in scope. The EU’s equivalent law, NIS2, is still bedding down, with variations in practice across member states, and revisions are already being discussed as part of its Digital Omnibus simplification package.
- Ransomware remains the top risk: The UK is pushing forward with new plans to try to stem the tide of ransomware, particularly where it targets critical national infrastructure. It plans to introduce a targeted ransomware payment ban, prevention scheme and notification scheme, which will change the way UK organisations approach ransomware demands.
- Increasingly complex web of regulation: Organisations are having to grapple with increasing amounts of cyber and digital legislation, meaning one incident can lead to multiple notification obligations and potential claims. In recognition of this, the EU is planning a number of changes to its cyber laws. These include plans in its Digital Omnibus package to simplify reporting obligations by introducing one single entry point (that is, one platform) for notifications under multiple regimes (GDPR, NIS2, Cyber Resilience Act, DORA and others). The plans are also looking to change the GDPR’s breach notification timeframe, extending it from 72 to 96 hours.
Lesson 2: Recent cyber incidents
Last year, there were a number of highly disruptive, headline-grabbing cyber attacks, from Jaguar Land Rover (JLR) and M&S to Co-op and Harrods. The sense of escalating threat was reinforced by statistics from the National Cyber Security Centre’s 2025 review, which reported a 50% increase in highly significant incidents since 2024. So, what lessons can businesses take from these high-profile attacks?
- The threat-actor landscape is diverse and complex: Whether dealing with nation-state-backed actors who are carrying out ransomware as a sideline, less predictable young hackers motivated by kudos as much as financial gain, or attackers using ‘ransomware as a service’, the threat-actor landscape is multilayered and evolving, creating new challenges for victims. The blurring of lines between these different groups is also adding complexity.
- Serious incidents cost real money: Last year’s attacks disrupted production, sales and general BAU activities (with some organisations reverting to pen and paper). The financial impact of such disruption was stark – reports suggest £1.9bn for JLR and more than £300m for M&S. Cyber preparedness and operational resilience plans must factor in these potential consequences.
- Should you pull the plug? Co-op managed to take its systems offline before ransomware was deployed in its systems (although data was still exfiltrated). Whether this approach reduces the impact of the attack will be fact-specific, but organisations should consider the legal implications of taking systems offline and whether cyber-governance plans clearly set out who has authority to make the decision in time.
- Supply-chain risk works both ways: Businesses often think of suppliers as being a risk – the weak link that threat actors target to gain access to customer data or systems. This remains a major risk, prompting the UK government to urge all major businesses to require Cyber Essentials certification in their supplier contracts. However, the JLR attack also showed how cyber-caused business disruption can negatively impact suppliers, putting smaller and heavily dependent suppliers at financial risk. It is therefore important to ensure that plans around operational resilience and cyber are viewed holistically.
Lesson 3: ICO activity
Finally, it is important for organisations to understand how regulators will view cyber breaches. Over the past year, we have seen a range of cyber-related activity from the UK’s data regulator (the ICO) that provides lessons for organisations.
- Suppliers can be fined when acting as data processors: In 2025, the first processor fines were issued by the ICO – one for Advanced Software and one for Capita (both of which were service providers). Traditionally, fines have been levied on the ‘data controller’ (which is the customer in most supply arrangements).
- Parent companies remain exposed: Parent company liability for group cyber breaches is a topic we are increasingly discussing with clients, given the management body liability under NIS2, the legal duty of care established in the Vedanta case, and recent instances of ICO fines being levied on the listed parent as well as on the operating company that provided services to the customers whose data was impacted by the breach. Organisations may want to consider how their cyber governance operates. Who owns cyber? How much authority do local operating companies have over their security? Does the business operate in jurisdictions with strict-liability regimes that may pass cost up the group? And which entity would lead in a regulatory investigation?
- Getting the security basics right is key: Whether it is poor patching, failure to apply multifactor authentication fully, a lack of system segregation or not sharing penetration-testing learnings across an organisation, the ICO’s monetary penalty notices set out the security expectations of the regulator and benchmarks organisations should meet.
- All relevant data must be kept secure: The ICO’s recent court case against DSG retail confirmed that an organisation must take appropriate steps to protect the personal data it holds from unauthorised access – even if, once exfiltrated, the affected individuals are not directly identifiable from the data (for example, if the data is encrypted). The recent Farley case also shows the English courts’ apparent willingness to allow individual claims where there was no obvious or evidenced loss or material harm.
- New technology creates new risks: The ICO’s recent guidance on agentic AI highlights some clear risks that generative and agentic AI present, albeit the nightmare scenario of a multitarget series of attacks launched by rogue agentic AI has yet to land. Good AI governance and procurement processes that build in controls and firebreaks are important to help manage this evolving risk.
Cyber remains one of the most significant corporate risks facing organisations. However, by learning from recent incidents, tightening basic security and governance controls, and staying ahead of emerging technological and regulatory change, organisations can strengthen their resilience and be better prepared for this evolving threat.
About the authors
Kathrine Meloni is special adviser and head of treasury insight at Slaughter & May
Natalie Donovan is head of technology, digital, data and IP knowledge at Slaughter & May