DigitalXRAID

Cyber Governance Code of Practice: What UK Boards Need to Know

Cyberattacks are no longer just a concern for IT and security teams. In today’s connected economy, they represent a direct threat to business growth, continuity, and reputation. They also have a direct impact on the country’s economy and stability. Recognising this, the UK Government’s Department for Science, Innovation and Technology (DSIT) and the National Cyber Security Centre (NCSC) launched the Cyber Governance Code of Practice in April 2025. 

This guidance is designed to put cyber governance firmly on the boardroom agenda. It recognises that cyber risk is a business-critical issue, on a par with financial and legal risk, and that directors and board members need clear, actionable steps to fulfil their responsibilities to mitigate these risks.

The challenge is that many organisations are uncertain about what the Code means in practice. How does it apply to your role as a Board member? What are the requirements? How does the Code align with other industry-specific regulations such as NIS2 and DORA? And what if your organisation doesn’t have specialist cyber expertise in-house?

In this guide, we will explain the Cyber Governance Code of Practice, set out its five pillars, and show you how it compares with other regulatory frameworks. You will leave with a clear understanding of how to answer all of these questions, and how your organisation can apply the Code to strengthen cyber governance and safeguard your business resilience. 

Key Takeaways 

  • The Cyber Governance Code of Practice is a new UK framework launched in April 2025 to guide Boards in governing cyber risk. 
  • It sets out five pillars: risk management, strategy, people, incident planning, and assurance. 
  • Boards and directors are expected to own cyber risk, not delegate it solely to IT. 
  • The Code aligns with broader regulations such as NIS2 and DORA, which also make cyber a Board level responsibility. 
  • Following the Code will help you to safeguard your business growth, continuity, and reputation while meeting regulatory expectations. 

What is the Cyber Governance Code of Practice? 

The Cyber Governance Code of Practice is part of the government’s wider approach to improving national resilience to cyber threats, and is aligned with its Plan for Change.

It has been developed with input from the NCSC, industry experts, and Non-Executive Directors, with the aim of giving Boards leading UK businesses a clear direction on how to govern cyber risk. 

Why the Code was introduced 

The scale of cyber threats has escalated. According to the UK’s Cyber Security Breaches Survey, 74% of large businesses and 70% of medium-sized organisations experienced a cyberattack or breach in just one year. For UK Boards, this represents not only an operational risk, but also a strategic and financial one. 

The Code was introduced to address the leadership gap when it comes to cyber security. A third of large businesses do not have a formal cyber strategy in place, and nearly half of medium firms lack an incident response plan. The Code provides practical steps for board directors to close these gaps. 

Who the Cyber Governance Code of Practice is for 

The Code is aimed at Board members and directors of medium and large organisations, across both the private and public sectors. It’s not designed for IT managers or technical teams, but it does provide a framework for Boards to engage with their CISOs and IT and security leadership teams. 

While not specifically written for small businesses, the principles are still relevant. SMEs play a critical role in supply chains and the wider UK economy, and adopting the Code’s guidance can strengthen cyber resilience at every level. 

How it fits into DSIT’s modular cyber codes of practice 

The Cyber Governance Code of Practice is the foundation of DSIT’s modular approach. It complements Cyber Essentials, which focuses on baseline technical controls, as well as other emerging codes such as the Software Security Code of Practice and the AI Cyber Security Code of Practice. Together, they create a multi-layered approach to governance and cyber resilience.


The Five Pillars of the Cyber Governance Code of Practice 

At its core, the Code of Practice sets out five pillars. Each represents an area where Boards must take responsibility and gain assurance. 

1: Risk Management 

Boards are expected to treat cyber risk as an integral part of enterprise risk management. This includes identifying critical technology, processes, and services, defining risk appetite, and ensuring that supplier and third-party risks are routinely assessed. 

Risk management is not static. The Code makes clear that Boards must ensure regular reassessment of cyber risks, taking into account changes in technology, regulation, and the wider threat landscape. 

2: Strategy 

A cyber strategy should not sit in isolation. The Code requires Boards to align their cyber strategy with the wider organisational strategy, ensuring that risk appetite, regulatory obligations, and resource allocation are all factored in. 

Boards must also gain assurance that the company’s cyber strategy is being delivered effectively and is achieving measurable outcomes. This requires active oversight rather than passive approval. 

3: People 

People are often the weakest link in cyber security, but they can also be your strongest first line of defence if your governance is strong. The Code emphasises the importance of promoting a cyber aware culture across the whole organisation. 

This includes setting clear policies, holding individuals accountable, and ensuring that training and awareness programmes are in place. Importantly, the Code also calls for directors themselves to improve their cyber literacy and take responsibility for the digital assets they use. 

4: Incident Planning, Response and Recovery 

The Code requires Boards to gain assurance that incident response plans are in place, that they’re tested regularly, and updated based on lessons learned. These table-top exercises should involve both internal teams and external stakeholders to ensure real world relevance. 

When an incident occurs, Boards have direct responsibilities, including regulatory reporting and supporting critical decision making. Post incident reviews are expected to feed back into your risk assessments and governance processes. 

5: Assurance and Oversight 

Strong governance depends on effective oversight. The Code sets expectations for Boards to embed cyber governance structures within wider organisational governance. 

This includes establishing reporting mechanisms with clear metrics, maintaining direct dialogue with CISOs, and ensuring alignment with internal and external audit processes. Boards are also responsible for ensuring that executives understand their regulatory obligations and best practice. 


Why Cyber Governance is Now a Board Responsibility 

The days when cyber security could be left to IT departments are gone. Cyber risk is now a boardroom issue because it affects financial performance, operational continuity, regulatory compliance, and reputation. 

Cyber frameworks and regulations such as the EU’s NIS2 for critical national infrastructure and DORA for financial services explicitly make cyber a Board-level responsibility.

The UK’s Code of Practice aligns with this direction, ensuring that organisations in the UK are prepared for the Cyber Security and Resilience Bill expected later in 2025. 

Failure to govern cyber effectively can have severe consequences, not just for your business, but for the whole economy. From regulatory fines to loss of customer trust, poor governance can damage competitiveness and long-term viability.

How CISOs can use the Code to engage with Boards 

Chief Information Security Officers (CISOs) play a critical role in bridging the gap between technical teams and the Board. The Cyber Governance Code of Practice gives CISOs a clear framework to frame discussions in governance terms rather than technical language. 

By mapping their reports to the five pillars of the Code, CISOs can provide directors with structured updates on risk appetite, strategy delivery, cultural awareness, incident readiness, and assurance. This not only helps Boards to understand where gaps exist, but also ensures cyber risks are considered alongside financial and legal risks. 

For CISOs, the Code offers an opportunity to elevate cyber security to a leadership issue. Using it as a reference point, CISOs can build trust, demonstrate alignment with regulatory expectations such as NIS2 and DORA, and secure the resources needed to strengthen resilience. 

How the Cyber Governance Code of Practice Aligns with Other Regulations 

The Code of Practice doesn’t exist in isolation. It aligns closely with other regulatory frameworks that also require Boards to take ownership of cyber risk. 

Cyber Governance Code vs. DORA 

The Digital Operational Resilience Act (DORA) applies to financial institutions operating within the EU, or doing business with organisations based in the EU.

Like the Code, it emphasises Board accountability for ICT resilience, requiring oversight of incident response, risk management, and continuity planning. Both frameworks prioritise operational resilience as a driver of long term stability. 

Cyber Governance Code vs. NIS2 

The NIS2 Directive broadens the scope of critical national infrastructure entities, and introduces stricter governance obligations for directors.  

Like the Code, it requires Boards to own risk management, incident response, and reporting processes. Both frameworks establish director level liability, ensuring that governance can’t be delegated away. 

Cyber Governance Code and ISO 27001 

ISO 27001 remains the gold standard for information security management. The Code of Practice sets out what Boards should do, while ISO 27001 provides a practical framework for implementing those requirements.  

Organisations adopting both will be well placed to demonstrate cyber security maturity and compliance. 


Overcoming Common Challenges for Boards 

Many Boards recognise the importance of cyber governance, but they often struggle to translate principles into practice.  

Common internal challenges include: 

  • Lack of in-house expertise to interpret and apply the Code 
  • Difficulty aligning cyber strategy with business strategy 
  • Limited Board level understanding of cyber risks 
  • Uncertainty on how to measure success and gain assurance 

Practical support is available. The NCSC’s Cyber Security Toolkit for Boards provides a useful starting point, and Cyber Governance Training can help directors build cyber literacy.  

However, most organisations can benefit from external expertise to guide them through implementation and assurances aligned with the Code.  

This is where trusted partners such as DigitalXRAID can help. Our CREST and NCSC accredited consultancy services give Boards and senior leadership the independent assurance and practical guidance needed to implement the Code effectively.  

Whether aligning governance with ISO 27001, preparing for NIS2, or strengthening incident response plans, expert cyber security support can bridge the knowledge gap. 

Final Thoughts: Applying the Cyber Governance Code of Practice in Your Organisation 

The Cyber Governance Code of Practice is a huge step forward in understanding cyber resilience for Boards. It recognises that cyber is not just a technical issue, but a strategic business risk that requires strong leadership and governance. 

By adopting the five pillars of the Code, you can strengthen your cyber resilience, protect your reputation, and support your business growth in an increasingly hostile cyber threat environment. 

While the Code provides a clear roadmap, implementation requires expertise, cultural change, and continuous oversight. DigitalXRAID can help you apply the Code in practice, providing the assurance and advisory services needed to govern cyber risk effectively. We can also partner with you to provide incident response services and regular cyber incident exercises – or table-top exercises – providing the resilience needed to comply with the Code and evidence of assurance to external parties. 

Take the next step to strengthen your organisation’s cyber governance. Get in touch with DigitalXRAID today. 


FAQs: Cyber Governance Code of Practice 

What is the Cyber Governance Code of Practice? 

The UK Government and NCSC launched the Cyber Governance Code of Practice in April 2025 to help Boards govern cyber security risks. 

Who should use the Code of Practice? 

The Code of Practice is designed for Boards and directors of medium and large organisations, but SMEs can also benefit. 

What are the five pillars of the Code? 

The five pillars of the Code are risk management, strategy, people, incident planning, and assurance.

Is the Cyber Governance Code of Practice mandatory? 

Currently the Cyber Governance Code of Practice is guidance, but it aligns with forthcoming legislation such as the Cyber Security and Resilience Bill. 

How does the Code of Practice compare with NIS2 and DORA? 

All three frameworks place cyber security responsibility at Board level, with overlapping focus on risk, incident response, and accountability. 

How can DigitalXRAID help with the Code of Practice? 

We provide expert consultancy and cyber security services to help Boards implement governance frameworks, build resilience and gain assurance. 
