Cyber security | UK Regulatory Outlook March 2025
Published on 26th March 2025
Government response to call for views on software vendors' code of practice | DSIT survey into cyber security behaviours of large UK organisations

Government response to call for views on code of practice for software vendors
As previously reported, the government published a voluntary code of practice and related call for views for software vendors in May 2024, establishing a set of voluntary security and resilience measures for organisations developing or selling software used by businesses.
The government has now responded to its call for views, stating that minor revisions will be made to the code before it is published in 2025. The revised version will reflect feedback received on the code, including further refining the accompanying technical controls and implementation guidance, as well as developing an attestation method and assurance regime to allow software vendors to demonstrate compliance with the code.
For more information on the government's work to improve the security and resilience of software, see our previous Regulatory Outlook on the AI cyber security code of practice.
DSIT survey details cyber security behaviours of large UK organisations
The Department for Science, Innovation and Technology (DSIT) published the results from wave four of the Cyber Security Longitudinal Survey. The study tracks the cyber security behaviours of organisations to understand how their experiences change over time.
The survey found that a majority of medium and large organisations (79% of businesses) were affected by cyber security incidents in the past year. The most common types of threat were phishing, impersonation scams and online business banking account compromise.
Although almost half of large businesses stated that they had increased their cyber security budgets over the past year, monitoring supply chain security and the cyber security practices of suppliers continues to be a lower priority for organisations. The proportion of businesses that formally assess or manage their suppliers has decreased from 28% in wave three to 23% in wave four, despite the rising threat of supply chain cyber risks. The report suggests that larger businesses remain more aware of the need to stay ahead of cyber threats and invest accordingly.