The UK government has launched a targeted campaign urging businesses to “lock the door” on cyber criminals, directing small and medium‑sized enterprises to practical, baseline controls under the National Cyber Security Centre’s Cyber Essentials scheme. The Department for Science, Innovation and Technology (DSIT) says activity will run across social media, radio, podcasts and business networks to reach time‑pressed owners and managers. Published on 17 February 2026, the campaign’s focus is immediate, low‑cost steps that materially reduce exposure to commodity attacks. (gov.uk)
The economic rationale is explicit in new government research. Independent modelling for DSIT puts the average cost of a significant cyber incident at nearly £195,000 per affected firm, with the annual aggregate cost to UK businesses estimated at £14.7 billion. Separately, official statistics show half of small businesses identified a breach or attack in the past 12 months. (gov.uk)
Officials are also emphasising evidence of practical benefit. Government reporting notes that organisations with Cyber Essentials in place made 92% fewer cyber insurance claims last year compared with peers on the same policy. Certification is recognised in public procurement and, for eligible firms, includes access to free cyber insurance and a 24/7 incident helpline via the scheme’s delivery partner. (gov.uk)
Cyber Essentials sets five mandated control areas (firewalls, secure configuration, software updates, user access control and malware protection) designed to close the most commonly exploited gaps. The new campaign signposts free support: a Cyber Essentials Readiness Tool, a preview of the assessment question set and 30‑minute consultations with an NCSC‑assured adviser for SMEs preparing for certification. (gov.uk)
Uptake among larger organisations is rising. The government’s Cyber Security Longitudinal Survey (wave five) reports that 30% of medium and large businesses now adhere to Cyber Essentials, up from 23% a year earlier; at the same time, 82% experienced some form of cyber incident, underscoring why basic controls and incident readiness are being pushed harder. (gov.uk)
Ministers are coupling communications with legislative change. The Cyber Security and Resilience Bill, introduced to Parliament on 12 November 2025, would reform and extend the UK’s Network and Information Systems (NIS) Regulations 2018, bringing additional services and key suppliers into scope to strengthen national resilience. Policy materials highlight the intention to better protect essential and digital services people rely on daily. (gov.uk)
Proposed reporting reforms are central. Under the Bill, regulated entities would submit a light‑touch initial notification within 24 hours of becoming aware of a harmful cyber breach, followed by a fuller report within 72 hours; the National Cyber Security Centre would be sighted at the same time. Data centres and digital or managed service providers would also be required to notify affected customers. Timelines and thresholds will be finalised in secondary legislation after Royal Assent. (gov.uk)
Enforcement would be overhauled. The government proposes a simpler two‑band penalty model with higher maxima linked to turnover: up to £17 million or 4% of worldwide turnover for more serious breaches, and up to £10 million or 2% for less serious breaches. Regulators would have a clearer toolkit to drive compliance proportionately and consistently across sectors. (gov.uk)
Managed service providers are a new focus. Medium and large providers meeting the Bill’s definition of a Relevant Managed Service Provider would come under the regime, with the Information Commission (formerly the ICO) as regulator. Duties include registering, appointing a UK representative if overseas, reporting significant incidents and applying proportionate security measures to the networks and systems their managed services rely on. (gov.uk)
Data centres would be designated as essential services, with DSIT and Ofcom as joint competent authorities, Ofcom acting operationally. Scope is primarily defined by rated IT load: facilities at or above 1 MW are in scope, and enterprise data centres at or above 10 MW. The fact sheet also signals tailored incident thresholds, structured notification duties and the potential for inspections and penalties where operators fall short. (gov.uk)
Implementation will be staged. Government materials indicate some measures would commence within the first two months following Royal Assent, while others, including incident reporting, data centre scope and cost recovery, would be set through subsequent regulations, subject to consultation and parliamentary scrutiny. (gov.uk)
Policy Wire analysis: for SMEs outside the Bill’s direct scope, today’s campaign translates into immediate governance actions. Owners should assign board‑level responsibility for cyber risk, complete the Cyber Essentials Readiness Tool, and document patching, access control and backup routines that align with the scheme’s question set. Organisations reliant on managed service providers should also confirm incident notification clauses, 24‑hour escalation paths and evidence of their provider’s own certification, anticipating stronger supply‑chain scrutiny as the Bill progresses. (gov.uk)