Date: 2025-03-28

From malware and ransomware to phishing attacks and artificial intelligence (AI), the cybersecurity threat landscape is evolving. Threat actors are continuing to deploy increasingly advanced tools to target their chosen victims, with research by Fortinet showing 87% of organizations experienced one or more cybersecurity breaches in 2023.

As such, it’s no longer a question of whether an organization will experience a breach – it’s when. Countries around the world are having to tighten their defenses as a result, including the UK. But as other countries make strides in their cybersecurity protection, how does the UK compare to its European counterparts, and the rest of the world? How can the UK adapt its cybersecurity ecosystem to keep up with these changing threat tactics, both now and in the future?

Ricardo Ferreira, digital transformation strategist at Fortinet.

Global cybersecurity regulations

Several countries have introduced regulations designed to protect against threats. For example, the European Union’s NIS2 Directive requires organizations in critical sectors – such as energy and transport – to implement stronger cybersecurity measures, including risk management and incident response. It also requires organizations to report incidents within 24 hours, involve senior management in accountability, and ensure any cybersecurity risks are mitigated across the supply chain.

Further afield, the US’s National Cybersecurity Strategy also establishes minimum cybersecurity requirements for organizations in critical sectors and shifts responsibility onto them by encouraging security by design and promoting data privacy in products and services. In Asia, Singapore has introduced an Operational Technology Masterplan aiming to improve the security of the technology underpinning the country’s economy.

This includes traffic light controllers, fuel station pumps and energy grid control systems. The legislation also aims to boost cybersecurity talent through programs, threat intelligence sharing and the establishment of a Cybersecurity Centre of Excellence. So, what about the UK?

Where the UK compares

The government has taken significant steps to strengthen the UK’s cybersecurity defenses in recent years. This includes the upcoming Cybersecurity and Resilience Bill, which will expand existing protections for critical infrastructure and digital services, alongside introducing mandatory incident reporting for organizations.

The UK has also introduced cybersecurity legislation targeting specific industries, particularly those facing a large number of attacks – such as healthcare, energy and education – due to the value and volume of the data they are responsible for. This includes the Telecommunications Security Act 2022, which requires telecommunications providers to implement more stringent cybersecurity measures and requirements on incident reporting.

Yet, while these regulations are a step in the right direction, it’s important we continually assess and understand gaps in the UK’s cybersecurity defenses, and address them accordingly. So how can we build on the progress that’s already being made?

Narrowing these gaps

One way the UK can strengthen its line of defense is by making legislation, including the Cybersecurity and Resilience Bill, more descriptive about how it is going to combat current and future threats. As an example, the NIS2 Directive clearly outlines what needs to be done to address attacks and improve protection, as well as establishing a risk profile of the supply chain. It is also supported by a Network and Information Systems Cooperation Group to ensure compliance among member states – which the UK could potentially establish for the Cybersecurity and Resilience Bill too.

It’s important to note that many EU member states are yet to officially incorporate NIS2 into national legislation, with harmonization proving difficult due to varying economic, logistical and geographical profiles between countries. However, this also provides an opportunity for the UK to ‘cherry pick’ the best parts of the regulation and incorporate them into both the Cybersecurity and Resilience Bill and future legislation.

It’s also vital the UK addresses the growing cybersecurity threat of AI. While the benefits of the technology in cybersecurity are known, we must also acknowledge AI can be used by threat actors looking to evolve their attack methods – whether that’s through sophisticated phishing attacks or gathering data – and ensure organizations are adequately protected.

The previous UK government adopted a ‘pro-innovation’ rather than regulatory approach towards AI technology, in contrast to the EU’s AI Act, which enforced requirements for usage and development.

While the new Labour government has promised to introduce binding regulation for certain companies, we must also ensure organizations are adequately protected against threats. To do this, leaders must be encouraged to build a culture of cybersecurity through better employee education. Basic cybersecurity measures, such as multi-factor authentication, zero-trust network access and regular software and application patching, must also be put in place.

Around the world, countries are continuing to strengthen their defenses against the tactics threat actors are deploying. While the UK has made significant progress in introducing regulations designed to protect businesses and the wider economy, continually reviewing and adapting our cyber ecosystem is critical to identifying gaps in our line of defense. This will allow us to keep up with the changing cybersecurity landscape and stay one step ahead.

