Compliance frameworks answer a different question: how do you demonstrate, to a regulator, an auditor or an insurer, that the organisation meets a set of requirements defined outside the organisation itself.
The NIS Regulations 2018 are the UK's core cyber security legislation for operators of essential services (OES) and relevant digital service providers (RDSPs), covering risk management, security measures and incident reporting. Under the current regulations a notifiable incident must be reported to the relevant competent authority without undue delay and no later than 72 hours after the operator becomes aware of it. The regime is being substantially reformed. The Cyber Security and Resilience Bill, introduced to Parliament in November 2025 and expected to receive Royal Assent in late 2026 (with phased implementation potentially running to 2028), widens scope to managed service providers and data centres, tightens reporting (a 24-hour initial notification followed by a 72-hour full report, to both the sector regulator and the NCSC), and introduces a two-tier penalty regime (up to £17m or 4% of global turnover for the most serious breaches). The NCSC's Cyber Assessment Framework (CAF) is being placed on a firmer footing as the assessment backbone. If your organisation has EU operations, the EU's NIS2 Directive may apply to them in parallel.
The FCA/PRA operational resilience regime governs the UK financial sector. Firms were required to be able to remain within their impact tolerances for important business services by 31 March 2025, and the Critical Third Parties (CTP) Oversight Regime, created under the Financial Services and Markets Act 2023 and in force since 1 January 2025, lets the FCA, PRA and Bank of England directly oversee the most systemically important suppliers to the sector. It is the UK's closest analogue to the EU's DORA, which applies separately to any EU-regulated financial entities in your group.
UK GDPR and the Data Protection Act 2018 govern personal-data protection, with technical and organisational security obligations (Article 32) directly tied to cyber security, enforced by the Information Commissioner's Office (ICO). The October 2025 ICO fine against Capita illustrates the stakes: £14m, following a 2023 ransomware breach that exposed the data of around 6.6 million people, with the ICO citing inadequate privileged-access controls, a 58-hour delay in isolating a compromised device against a one-hour target, an under-resourced SOC and insufficient penetration testing.
ISO 27001 and Cyber Essentials are certifications rather than laws. ISO 27001 certifies a structured, audited information-security management system; Cyber Essentials, the NCSC-backed UK scheme, certifies a baseline of five technical controls (firewalls, secure configuration, security update management, user access control and malware protection), and Cyber Essentials Plus adds independent technical verification of those controls. Cyber Essentials is frequently required to bid for UK government and public-sector contracts. Neither certification is a legal obligation in itself, but both are increasingly demanded contractually.
Compliance frameworks can also be sector-specific rather than cross-cutting — for example the NHS Data Security and Protection Toolkit (DSPT) in health, which is aligning with the NCSC's CAF.
What these compliance frameworks share: they demand documented, traceable and often timestamped evidence, rather than good practice applied silently. An organisation can be genuinely well secured and yet non-compliant, simply because it has not documented what it does.