09 July 2025
Cyber attacks are now one of the biggest threats to small and medium-sized businesses in the UK (SMEs/SMBs). According to the UK government’s Cyber Security Breaches Survey 2024, 50% of businesses suffered a cyber incident or data breach over the course of the year, rising to 67% for medium-sized firms. However, many small to medium-sized businesses still underestimate the risks.
We hear it all the time: “We’re too small to be targeted by cyber criminals.” The reality is that because SMEs are the least likely to have adequate cyber security measures in place, they are also among the most likely to be targeted. You may hear about the big brands on the news, but that does not mean that businesses similar to yours are not being targeted as you read this article.
New government initiatives are aiming to change this perspective, and it is time for small to medium-sized businesses to take note, and more importantly, take action.
Could 2025 be the year that marks a significant shift in cyber defence for all UK businesses? And could we start to see the number of UK businesses impacted by cyber security or data breaches start to decrease instead of rise?
The UK government's Cyber Growth Action Plan and the upcoming Cyber Security and Resilience Bill (alongside Europe's NIS2 Directive) are collectively raising the bar on how businesses must defend themselves against growing and evolving digital threats. These initiatives will affect not only which cyber security tools you use, and whether those tools can protect you against modern attacks, but also how you work with IT providers, bid for contracts, and even the ways in which you handle your data.
Let’s take a closer look at each of these.
The UK Government launched its Cyber Growth Action Plan in June 2025, backed by £16 million in new funding. The aim for this plan is to support cyber security innovation, particularly among small to medium-sized businesses and startups.
This aims to benefit businesses throughout the UK by ensuring that they are protected by smarter, affordable tools. But it also means increased support for developing cyber security skills, access to modern solutions, and increased opportunities to partner with growing cyber security companies.
This is especially important for small to medium-sized businesses that have been struggling to keep up with evolving threats, or do not know which way to turn to keep themselves protected.
This action plan represents a clear signal to SMEs: help is out there, but businesses must take initiative in adopting the solutions being developed before they are impacted by the unseen threats they face every day.
While the Action Plan is about opportunity, the Cyber Security and Resilience Bill focuses on responsibility.
The Bill, which is due to be introduced to Parliament later this year, will update the UK’s cyber laws and introduce stricter requirements for businesses, particularly those in critical and digital services (such as ourselves).
It is important to understand that not every business will be directly regulated; however, the ripple effects will be felt across the UK business landscape.
For instance, if your company supplies a regulated or government sector (such as healthcare, energy, transport, and many others), you will be asked to demonstrate “cyber maturity” including certifications like Cyber Essentials, Cyber Essentials Plus or even ISO27001.
One major development in this bill is the inclusion of “Managed Service Providers” (MSPs) such as us within the scope of the new regulation.
This ensures that the external IT partners of businesses throughout the UK must meet these robust security standards in order to support businesses across these key sectors.
Whilst we will be putting new processes in place internally to ensure that we remain compliant with these standards, the good news is that we are already Cyber Essentials Plus and ISO27001 certified.
As providers of IT support and cyber security to nearly 15,000 users in 17 countries, we understand that our clients need to know that we take their cyber and data security, and our own, seriously, and that we have the certifications to back up our claims. We lead by example, not just for our clients, but within our industry. We feel that MSPs such as us should be held accountable for the services and security that we provide for our clients, and demonstrating that we comply with these standards and regulations is about more than keeping people secure. It is about building trust.
Additionally, we will be putting new processes in place for our customers, ensuring that all of their cyber and data security services and solutions are extensively documented in line with the new bill. We already ensure that the minimum cyber security level for all of our customers is in line with Cyber Essentials guidelines; we will now also document these solutions and tools for all of our clients (not just those we have supported through certification) in line with these standards, so that applying for and auditing against them will be seamless.
While some of these changes may feel like added pressure or complexity, especially enforcing controls such as Multi-Factor Authentication, which many users find frustrating to use, these changes are in the best interest of your business. Businesses that ignore such guidance and minimum requirements could find themselves isolated from partners who demand higher security standards.
At TwentyFour, we feel that all businesses in the UK should be (at least) following the minimum cyber defence levels laid out by the Cyber Essentials standard, and we have committed to not work with prospective clients who do not take their cyber defence seriously. This new bill only emphasises our commitment to protecting businesses from evolving cyber threats.
The European Union’s Network and Information Security Directive 2 (more commonly referred to as NIS2) came into effect across Europe in October 2024, expanding and strengthening the original NIS regulations.
NIS2 sets strict cyber security requirements for essential and digital services, covering more sectors than the original directive and introducing steeper penalties for non-compliance.
Although the UK is no longer in the EU, the Cyber Security and Resilience Bill aims to align with NIS2 “where appropriate”, to maintain consistency with international standards such as ISO27001.
European and other international clients and suppliers may start requiring you to meet NIS2-level security.
UK regulations will mirror key NIS2 expectations, including mandatory controls and incident response notifications.
NIS2 also places greater scrutiny on the security of business supply chains, meaning your business will need to prove it is not a security risk to others (and, similarly, that others are not a security risk to you).
If you are operating in a sector that is regulated under NIS2, or supplying to someone who is, aligning your cyber and data security strategy now could prevent future compliance headaches, or even the loss of clients due to not meeting these standards.
As regulations continue to tighten, and the UK government recognises the importance of modern cyber security services for businesses of all sizes, industry standard certifications are becoming must-haves to showcase your compliance and stand out amongst your competitors. But which of these frameworks do you need to consider following? We have a whole article about the differences between Cyber Essentials, Cyber Essentials Plus & ISO27001, but here is a brief summary:
Cyber Essentials: A government-backed scheme covering core cyber resilience, such as firewalls, multi-factor authentication, endpoint security, access control, and software updates. Affordable and ideal for small to medium-sized businesses to show they are compliant with government-backed regulations. Additionally, Cyber Essentials is now a requirement for many government contracts.
Cyber Essentials Plus: The same core scheme, but with an independent audit offering greater assurance to clients and regulators that you are indeed following the core principles of a comprehensive cyber defence strategy.
ISO/IEC 27001: A global standard for information security management. This is increasingly seen as the gold standard for businesses handling sensitive data or working in a multitude of regulated sectors.
Depending on your business, industry, or even customer base, adopting one or all of these certifications helps you stay ahead of regulatory change, win new contracts, and build trust with your customers.
With cyber attacks on UK businesses rising from 2.39 million in 2022 to 8.58 million in 2024, the new UK Government cyber reforms are about building national resilience against these increasing threats, and small to medium-sized businesses are a central part of this mission, especially as they represented 67% of the businesses targeted throughout 2024. Whether through innovation, legal obligations, or international alignment, the direction of travel is clear: cyber security is now a business essential, not a nice-to-have.
Regulation is tightening. Expectations of data security for small to medium businesses are rising. Now is the time to take control of your cyber resilience.
Fill out the form below, or book an appointment to see how we can ensure that your business is prepared for these changes and stays secure.