UK government releases new cyber governance code for business leaders
Advice aimed at medium and large businesses
The UK government is urging business leaders to adopt a new Cyber Governance Code of Practice to reinforce their cyber defences and support long-term economic growth.
The new code, published on Tuesday 8 April by the Department for Science, Innovation and Technology (DSIT) alongside the National Cyber Security Centre (NCSC), sets out clear guidance for directors and board members to take greater ownership of cyber risk. It is designed to be the first point of reference for senior leaders and forms part of the government's broader support for cyber governance.
In a press release, Cyber Security Minister Feryal Clark emphasised the stakes involved, stating, “A successful cyber-attack doesn’t just have the potential to grind operations to a halt – it could drain millions from the bottom line.”
She added that the new Code of Practice is part of how the government intends to stand by businesses, and that she believes it will drive the kind of economic growth that is fundamental to delivering the government's Plan for Change.
What’s in the new cyber governance Code of Practice?
The new Code is aimed primarily at boards and directors of medium and large organisations across the public and private sectors, and sets out five key areas in which they should act.
One of its tenets is to embed cyber risks into enterprise-wide risk management, including assessing supply chain exposures. Directors are expected to set a clear cyber strategy, grounded in the organisation’s threat landscape and aligned with business goals.
It places a strong emphasis on creating a cyber-aware culture through regular training and clear staff responsibilities. Boards should ensure that incident response and recovery plans are in place, tested, and continuously improved. The Code also highlights the need for robust oversight — defining roles, assigning accountability at the board level, and monitoring cyber performance to strengthen overall resilience.
Also included in the announcement are practical tools such as online training modules and a detailed Board Toolkit. These resources aim to equip directors with the knowledge needed to govern cyber risks effectively. Meanwhile, the government urges smaller businesses to utilise complementary resources like the NCSC’s Small Business Guide.
While the Code of Practice is voluntary, the government has signalled more formal action ahead. Last week, Secretary of State for Science, Innovation and Technology Peter Kyle said that the forthcoming Cyber Security and Resilience Bill will help monitor uptake and consider a firmer stance, including £100,000 daily fines for non-compliance with cyber security directives from the government.
Want to know more? Computing's Cybersecurity Festival returns to London in May, where senior IT decision makers can learn about modern challenges, compare strategies with peers, and source solutions.