Regulatory obligation mapper (UK)
High-level map of cyber-relevant UK obligations by sector — with authoritative links.
What you'll walk away with: sector obligation summaries with primary-source links.
Not legal advice
Obligations depend on your activity, data and contracts — verify with qualified advisers. Mapper version 2026-01-high-level-v1.
Select a sector profile to see plain-English obligations (UK GDPR, sector regulators, PCI where relevant, NIS awareness, Cyber Security and Resilience Bill headline themes). Always confirm with counsel for your facts.
If you process personal data, you need a lawful basis, transparency with individuals, appropriate security measures, sub-processor contracts where relevant, and breach reporting to the ICO within 72 hours when notification thresholds are met.
Future duties are expected to strengthen resilience reporting for in-scope digital supply chains and critical providers — exact thresholds will depend on final statute and secondary legislation. Track commencement guidance.
Operators of essential services and relevant digital service providers already sit inside NIS duties — whether you qualify depends on sector rules and scale. Confirm against NCSC / sector regulator guidance.