Westminster Policy News & Legislative Analysis

UK Government backs software security code and ambassadors

UK ministers have outlined a package to raise software security across UK supply chains, combining public investment with clearer expectations for industry. A speech published by the Department for Science, Innovation and Technology sets three pillars: a £210 million Government Cyber Action Plan to strengthen public services, forthcoming legislation via the Cyber Security and Resilience Bill for critical national infrastructure, and a Software Security Code of Practice now being promoted through a new ambassador scheme.

Officials framed the case for action using a recent example. On 19 September, a ransomware attack on a single software supplier disrupted airport operations across Europe, forcing manual workarounds and delaying flights. The incident did not compromise any airport directly; it propagated through a shared supplier, illustrating how one failure can cascade across an entire sector.

Government data quantify the risk. The 2025 Cyber Security Breaches Survey reports that 43% of UK businesses experienced a breach or attack in the last 12 months. Independent research commissioned by government estimates annual losses at about £15 billion, roughly 0.5% of GDP. Ministers argue that confidence in digital technologies, including AI, depends on visibly secure software and credible supply‑chain assurance.

The Government Cyber Action Plan, backed by more than £210 million, focuses on lifting cyber resilience across the public sector. According to DSIT, the programme will fund capability uplift, improve incident response and support consistent standards so essential services can withstand and recover from online threats.

Legislation will complement these measures. The Cyber Security and Resilience Bill is intended to ensure that the UK’s critical national infrastructure is protected. Detail will sit in the Bill and subsequent guidance, but the direction is towards clearer duties, improved preparedness and tighter supply‑chain risk management for operators of essential services.

Advisory levers are already in play. In October, ministers wrote to FTSE 350 companies urging stronger controls and adoption of the National Cyber Security Centre’s Cyber Essentials baseline; a similar letter went to entrepreneurs and small businesses in November with tailored advice. Government figures suggest organisations certified to Cyber Essentials are 92% less likely to claim on cyber insurance than those without, indicating measurable benefits in both risk posture and underwriting.

The Software Security Code of Practice, published by DSIT and the NCSC in May last year, sets a supplier baseline through 14 principles. The code expects secure development processes, clear policies for vulnerability disclosure and updates, robust identity and access controls, and assurance across the software supply chain. The NHS is already using the code in the public sector, with ministers encouraging wider take‑up to create a shared expectations framework between buyers and vendors.

Standards alignment is part of the strategy. The UK’s AI Cyber Security Code of Practice has informed work at the European Telecommunications Standards Institute, and the Product Security and Telecommunications Infrastructure Act introduced secure‑by‑design requirements for consumer devices from 2024. Together these measures place design‑time security and accountability at the centre of technology markets.

To accelerate adoption, DSIT has launched a Software Security Ambassador Scheme comprising 13 organisations committed to championing the code. Vendors include Sage, Cisco, Palo Alto Networks, Hexiosec, Zaizi and Nexor; buyers include Lloyds and Santander; advisers and standards bodies include Accenture, NCC Group, ISACA, ISC2 and Salus Cyber. Government intends that these early adopters model practical steps and share reusable guidance.

For contracting authorities and private buyers, the practical task is to translate the code into procurement. Teams can request supplier attestations against the 14 principles, set explicit service levels for patching and incident reporting, require a vulnerability disclosure policy and evidence of senior accountability, and, where proportionate, seek independent security testing and confirmation of Cyber Essentials or equivalent controls for relevant environments.

Suppliers aiming to meet buyer expectations should evidence secure development practices, clear update and support policies, and robust identity, access and logging controls. DSIT and the NCSC emphasise transparent vulnerability disclosure and senior accountability. Many buyers will also request a software bill of materials to support risk assessments across dependent components.

Government research indicates that only 21% of organisations currently consider cyber security when purchasing software. The combined approach, which pairs investment in public services, legislation for critical sectors and a voluntary code backed by industry ambassadors, is designed to raise that figure by making security a routine factor in procurement and a visible part of product design. For policy and procurement teams, the next test is whether contracts begin to require the code’s baseline and whether suppliers can demonstrate it quickly and consistently.