Christian M.

Cybersecurity compliance for businesses (FCA, DPA, NIS)

Cybersecurity compliance is a legal and contractual requirement for UK businesses, designed to protect both organisations and their customers. Any company that handles personal data must comply with the Data Protection Act 2018 and the UK GDPR.

Operators of essential services and relevant digital service providers fall under the NIS Regulations 2018, and financial services firms are subject to FCA (and, where relevant, PRA) rules on cyber and operational resilience. Even a business that simply accepts card payments must meet PCI DSS, which is imposed by the card schemes through the merchant agreement rather than by statute.

This guide outlines the key compliance frameworks and explains what your business must do to stay compliant with the law and with the standards your contracts require.


What is cybersecurity compliance?

Cybersecurity compliance refers to meeting the standards and regulations that govern how businesses protect their data, systems, and networks. These rules exist to reduce the risk of cyber attacks, protect customer privacy, and ensure businesses take responsibility for safeguarding sensitive information.

Compliance matters because the consequences of failure can be severe. Regulators can issue fines, insurers may refuse claims if protections are inadequate, and customers lose trust when breaches occur.

Evidence of compliance usually comes from documented policies, technical controls, security logs, and independent audits that prove a business is following the correct procedures.


Who needs to meet cybersecurity compliance standards?

Every UK business has some form of obligation, but the exact requirements depend on the type of organisation and its activities:

Business type | Main compliance requirement | What it covers
All businesses | Data Protection Act 2018 (UK GDPR) | Protecting personal data through policies, controls, and safe handling.
Essential services / key digital services | NIS Regulations 2018 | Resilience, incident reporting, and security measures for critical infrastructure and digital services.
Financial services firms | FCA (and PRA where relevant) | Sector-specific rules on governance, cyber resilience, and customer protection.
Businesses that take card payments | PCI DSS | Technical and organisational measures for secure card transactions.
Public sector and supply chain | Contractual requirements, often Cyber Essentials | Meeting mandated standards in government and supplier contracts.

Core cybersecurity compliance regulations

Different rules apply depending on your sector, but all of them boil down to demonstrating that you handle data securely, prepare for risks, and can provide evidence if regulators, insurers, or clients request it.

DPA 2018 (UK GDPR)

If your business collects or uses personal information, you must show that you are doing it lawfully and securely. That includes collecting only what is necessary, keeping it secure, notifying the ICO within 72 hours of becoming aware of a personal data breach that is likely to result in a risk to individuals, and respecting individuals’ rights over their data.

What you need to show:

  • You know why you’re using people’s data and have a legal reason for it.
  • You’re not keeping more data than you need.
  • Strong protections are in place against loss or misuse.
  • You can respond quickly to data breaches and requests from customers.

How you prove it:

  • Keep a record of the data you hold and why.
  • Write and publish a privacy policy.
  • Log data breaches and requests from customers.
  • Check that suppliers who handle your data are secure.

How to implement:

  • Map what data you hold and where.
  • Limit access so only the right people can see it.
  • Use multi-factor authentication and encryption.
  • Set clear rules on how long data is kept.

NIS Regulations

If you operate essential services in sectors such as energy, transport, health, drinking water or digital infrastructure, or provide a relevant digital service (an online marketplace, search engine or cloud computing service), you need to prove you can keep systems running, spot threats, and respond quickly to incidents.

What you need to show:

  • You understand the main risks to your systems.
  • You can detect and respond to cyber attacks.
  • You have continuity plans to keep services going.
  • Incidents with a significant impact on your service are reported to your competent authority without undue delay, and within 72 hours of becoming aware of them.

How you prove it:

  • Keep a simple risk register that’s updated regularly.
  • Test and record business continuity and response plans.
  • Show you apply updates and security patches promptly.
  • Use monitoring and alerting tools.
  • Check the security of key suppliers.

FCA cyber and operational resilience

Banks, insurers, and other regulated financial firms must prove they can keep important services running no matter what. This includes mapping dependencies, testing resilience, and having strong governance over cyber risks.

What you need to show:

  • You know which services are critical to customers.
  • You’ve set limits on how much disruption is acceptable.
  • You’ve mapped your critical suppliers and systems.
  • You test how resilient you are to disruption.
  • You report incidents and have board oversight.

How you prove it:

  • Keep a register of important services and tolerances.
  • Record results of resilience tests.
  • Show due diligence on suppliers and outsourcers.
  • Keep minutes of board meetings where risks are reviewed.
  • Demonstrate strong data security and fraud controls.

Helpful tip

Financial firms are often expected to align with best-practice frameworks such as ISO/IEC 27001 or the NIST Cybersecurity Framework, and to follow the FCA and PRA operational resilience policy (FCA PS21/3 and PRA SS1/21).


Cybersecurity compliance standards and certifications

Beyond the legal and regulatory requirements, many businesses choose to gain recognised certifications. These provide a structured approach to implementing controls and serve as strong evidence for regulators, insurers, and customers.

ISO/IEC 27001

ISO 27001 is the international standard for Information Security Management Systems (ISMS). It helps organisations take a risk-based approach, with documented policies, controls, and audit trails to show that data is protected and risks are managed systematically.

Why it matters:

  • Seen as one of the strongest proofs of cybersecurity by partners and insurers.
  • Helps demonstrate that the security-of-processing, risk-management and governance expectations under the DPA, NIS and FCA are met systematically (certification is evidence for those obligations, not a substitute for them).
  • Regular external audits provide independent assurance.

Cyber Essentials / Cyber Essentials Plus

Cyber Essentials is a UK government-backed scheme covering five technical controls: firewalls (securing your internet connection), secure configuration of devices and software, user access control, malware protection, and security update management. Cyber Essentials Plus adds an independent technical verification of those controls by an assessor.

Why it matters:

  • A fast and affordable way for SMEs to evidence baseline controls.
  • It’s often required in public sector supply chains and strongly encouraged by insurers.
  • It supports compliance with DPA obligations for secure processing and aligns with FCA expectations for basic cyber hygiene.

PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) applies to any business that stores, processes or transmits cardholder data. It focuses on protecting that data through scope reduction, segmentation of the systems that touch it, and ongoing checks such as quarterly external vulnerability scans by an Approved Scanning Vendor (ASV).

Why it matters:

  • Essential for demonstrating compliance when handling card payments.
  • Validation depends on transaction volume: smaller merchants complete a self-assessment questionnaire (SAQ), while the largest undergo an on-site assessment by a Qualified Security Assessor that produces a Report on Compliance (ROC). Either route ends in an Attestation of Compliance (AOC), which is the document your acquirer will ask for.
  • Helps meet DPA requirements on data security and supports resilience expectations under FCA and NIS.

Cybersecurity compliance for businesses

Compliance is not just about written policies. Regulators, insurers, and customers expect to see practical security measures in place. Here is a simple checklist that every business can work through:

Secure access

Access security is about ensuring that only authorised individuals can log in to your systems. Passwords alone are easy to guess or steal, which is why multi-factor authentication (MFA) is now essential for email, VPNs, and admin accounts.

Using a password manager also prevents staff from reusing weak or predictable passwords, significantly reducing the risk of unauthorised access.

Keep systems updated

Cybercriminals frequently exploit vulnerabilities in outdated software. When developers release updates, they are usually fixing those flaws.

If your systems are not updated quickly, you are leaving the door open to attackers, so switching on automatic updates for operating systems, browsers, and apps is one of the simplest ways to stay secure.

Protect data

Business and customer information is often more valuable than the devices on which it resides. If it’s lost or exposed, the impact can be financial, legal, and reputational. Protecting data starts with encryption. Laptops, phones, servers, and cloud storage should all be encrypted so that even if a device is stolen, the information cannot be read without the correct password or key.

Access control is another essential step. Staff should only be able to view or edit the data they need for their role, and permissions should be removed as soon as someone leaves the business.

Backups provide a safety net, but only if they work. Store copies both offline and in the cloud, and test restores regularly to make sure files can actually be recovered in a crisis.

Finally, avoid holding on to sensitive data longer than necessary. Setting clear retention rules reduces the impact if a breach occurs, since attackers can’t steal what you no longer keep.

Defend devices and email

Most cyberattacks start with a malicious email or attachment. Protecting devices with antivirus or endpoint detection and response (EDR) tools blocks many of these threats. On the email side, filtering can remove suspicious messages, while SPF, DKIM and DMARC help stop criminals sending fake emails that appear to come from your domain:

SPF publishes in DNS which servers may send email for your domain, so a receiving server can check the sender against that list. DKIM adds a cryptographic signature over the message headers and body, so the receiver can verify that the message was not altered in transit and was sent on behalf of your domain. DMARC tells receivers whether the SPF or DKIM result must align with the visible From domain, what to do when neither check passes (none, quarantine or reject), and where to send reports. A DMARC policy of p=none only monitors: spoofed mail is still delivered until you move to quarantine or reject. Many companies use an email security product to manage these records and reports together.
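The following is an added example for this guide, not code from the original article or from any email provider. It reviews a weak and a hardened pair of SPF and DMARC records for a hypothetical domain (example.com; the records, mail hosts and sending domains are constructed) and simulates the DMARC alignment decision a receiving server makes, so you can see why p=none lets a spoofed message through while p=reject stops it.

```python
"""Review SPF and DMARC records and simulate DMARC's alignment decision.

Added example for this guide, not code from the original article. The domain
example.com, the DNS records and the sending hosts below are constructed.
"""
import re

# Constructed TXT records for the hypothetical domain example.com.
# Weak: SPF ends in '?all' (neutral, so unknown senders are not failed) and
# DMARC only monitors (p=none) with no reporting address.
WEAK_SPF = "v=spf1 include:_spf.example-mailer.test ?all"
WEAK_DMARC = "v=DMARC1; p=none"

# Hardened: SPF hard-fails unlisted senders; DMARC rejects unaligned mail,
# requires strict alignment and asks for aggregate reports.
STRONG_SPF = "v=spf1 include:_spf.example-mailer.test ip4:203.0.113.10 -all"
STRONG_DMARC = ("v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; "
                "rua=mailto:dmarc-reports@example.com; pct=100")


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record ('v=DMARC1; p=reject; ...') into tag -> value."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_all_qualifier(record: str) -> str:
    """Qualifier on the SPF 'all' mechanism: '+' pass, '-' fail, '~' softfail,
    '?' neutral. A bare 'all' means '+'. Returns '' if 'all' is absent."""
    m = re.search(r"(?:^|\s)([+\-~?]?)all(?:\s|$)", record)
    if not m:
        return ""
    return m.group(1) or "+"


def review_records(spf: str, dmarc: str) -> list:
    """Return the findings a practitioner would raise about the published records."""
    findings = []
    if spf_all_qualifier(spf) in ("", "+", "?"):
        findings.append("SPF: unlisted senders are not failed; end the record with -all (or at least ~all)")
    tags = parse_dmarc(dmarc)
    if tags.get("p", "none") == "none":
        findings.append("DMARC: p=none is monitor-only; spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so you receive no aggregate reports")
    if tags.get("pct", "100") != "100":
        findings.append("DMARC: pct<100 applies the policy only to a sample of failing mail")
    return findings


def org_domain(domain: str) -> str:
    """Organisational domain, approximated as the last two labels (assumption:
    adequate for example.com-style names; real receivers use the Public Suffix List)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def dmarc_result(from_domain: str, spf_domain: str, dkim_domain: str, dmarc: str) -> str:
    """Apply DMARC identifier alignment. spf_domain / dkim_domain are the domains
    that passed SPF (envelope sender) and DKIM (d= tag); '' means that check
    failed. Returns 'pass', or the policy action 'none' / 'quarantine' / 'reject'."""
    tags = parse_dmarc(dmarc)

    def aligned(auth_domain: str, mode: str) -> bool:
        if not auth_domain:
            return False
        if mode == "s":  # strict: exact match with the From domain
            return auth_domain.lower() == from_domain.lower()
        return org_domain(auth_domain) == org_domain(from_domain)  # relaxed (default)

    if aligned(spf_domain, tags.get("aspf", "r")) or aligned(dkim_domain, tags.get("adkim", "r")):
        return "pass"
    return tags.get("p", "none")


if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("hardened", STRONG_SPF, STRONG_DMARC)):
        print(label, review_records(spf, dmarc) or ["no findings"])
    # A spoofed message: From example.com, SPF passed only for the attacker's own domain, no DKIM.
    print("spoof under weak policy:", dmarc_result("example.com", "attacker.test", "", WEAK_DMARC))
    print("spoof under hardened policy:", dmarc_result("example.com", "attacker.test", "", STRONG_DMARC))
```

Run it against your own published records (dig TXT yourdomain and dig TXT _dmarc.yourdomain) by replacing the constants; the findings list is the kind of gap an insurer's or client's security questionnaire will probe. Move to p=reject only after reviewing the rua reports for legitimate senders that are not yet in SPF or signing with DKIM, otherwise you reject your own mail.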

Control user access

Not every employee needs access to everything. The more access someone has, the more damage can be done if their account is hacked.

Limiting permissions, removing accounts that are no longer needed, and applying role-based access controls reduces risk and makes your systems easier to manage.

Train staff

Staff are often the first line of defence, and a single click on a phishing email can open the door to attackers. Regular training helps employees recognise threats, handle data safely, and know what to do if something looks suspicious.

Keeping records of completed training also shows insurers and regulators that your business is taking awareness seriously. See our cybersecurity awareness training page for more details.

Plan for incidents

Even with the best protections in place, incidents can still happen. An incident response plan outlines who is responsible for what in the event of a system breach or data loss.

Practising the plan at least once a year, for example with a tabletop exercise, ensures that everyone knows their role and that the process works under pressure; record the date, participants and lessons learned, because that record is what auditors and insurers ask for.

Check suppliers

Many businesses rely on third parties to handle data or provide IT services. If those suppliers are insecure, your business is at risk too. Carrying out supplier checks and keeping signed data processing agreements on file (the contracts with your processors required by the UK GDPR, not to be confused with the DPA 2018 itself) shows you have considered supply chain risk properly.

Keep logs

Logs act as a record of who accessed systems, what changes were made, and when problems occurred. They are invaluable for investigating incidents and are often requested by insurers or auditors as proof that you are monitoring activity. Send them to a central store the source systems cannot edit, so an attacker who gets in cannot quietly delete the evidence, and agree a retention period long enough to cover the time it typically takes to discover a breach.
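As an added example for this guide (not code from the original article), the script below turns a handful of constructed sshd-style authentication log lines into the two things an auditor and an investigator actually ask for: an access record of who logged in from where, and a list of source addresses that hammered the server with failed logins. It also records a SHA-256 digest of the archived log so you can later show the copy in your evidence pack has not been altered. The log format is the syslog style OpenSSH writes to /var/log/auth.log on Debian and Ubuntu systems; the sample lines, host names and addresses are constructed.

```python
"""Parse constructed sshd-style auth log lines into an access record and flag
brute-force bursts.

Added example for this guide, not code from the original article. The log
lines, host name and IP addresses below are constructed sample data.
"""
import hashlib
import re
from collections import Counter, defaultdict

# Constructed sample lines in the syslog format sshd writes to /var/log/auth.log.
SAMPLE_LOG = """\
Mar  3 08:01:12 fileserver sshd[1201]: Accepted publickey for alice from 10.0.4.21 port 50122 ssh2
Mar  3 08:02:40 fileserver sshd[1215]: Failed password for invalid user admin from 198.51.100.7 port 41022 ssh2
Mar  3 08:02:41 fileserver sshd[1215]: Failed password for invalid user admin from 198.51.100.7 port 41023 ssh2
Mar  3 08:02:43 fileserver sshd[1217]: Failed password for root from 198.51.100.7 port 41024 ssh2
Mar  3 08:02:44 fileserver sshd[1218]: Failed password for root from 198.51.100.7 port 41025 ssh2
Mar  3 08:02:46 fileserver sshd[1219]: Failed password for root from 198.51.100.7 port 41026 ssh2
Mar  3 08:15:09 fileserver sshd[1260]: Failed password for bob from 10.0.4.30 port 50201 ssh2
Mar  3 08:15:20 fileserver sshd[1260]: Accepted password for bob from 10.0.4.30 port 50201 ssh2
Mar  3 09:30:02 fileserver sshd[1302]: Accepted publickey for alice from 10.0.4.21 port 50310 ssh2
"""

# One regex for both outcomes sshd logs; 'invalid user' appears when the
# account does not exist, which is itself a sign of guessing.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_auth_log(text: str) -> list:
    """Return one dict per recognised login event; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def access_record(events: list) -> dict:
    """The auditor's question: which accounts logged in, from which addresses,
    how often. Returns {user: {ip: count}}."""
    record = defaultdict(Counter)
    for e in events:
        if e["result"] == "Accepted":
            record[e["user"]][e["ip"]] += 1
    return {user: dict(ips) for user, ips in record.items()}


def failed_login_bursts(events: list, threshold: int = 5) -> dict:
    """Source addresses with at least `threshold` failed logins, a simple
    brute-force indicator worth alerting on. Returns {ip: failures}."""
    fails = Counter(e["ip"] for e in events if e["result"] == "Failed")
    return {ip: n for ip, n in fails.items() if n >= threshold}


def log_digest(text: str) -> str:
    """SHA-256 of the archived log. Record this when you collect the file so an
    auditor can confirm the copy in the evidence pack has not been edited."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    events = parse_auth_log(SAMPLE_LOG)
    print("access record:", access_record(events))
    print("failed-login bursts:", failed_login_bursts(events))
    print("archive digest:", log_digest(SAMPLE_LOG))
```

Point parse_auth_log at the contents of a real auth.log export to produce the same summary; bob's single typo before a successful login is below the threshold and stays out of the alert list, while the five rapid failures from 198.51.100.7 against root and a non-existent admin account are exactly what a monitoring rule should surface.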

Get certified

Certification provides external proof that your business has the right protections in place. Cyber Essentials is a government-backed scheme that covers the basics and is often required in supply chains or by insurers. It is a straightforward way to demonstrate that you meet minimum standards of cybersecurity.


Building your cybersecurity compliance evidence pack

Regulators, insurers, and larger clients often require proof that your business is adhering to good security practices. The easiest way to handle this is to build an “evidence pack”, a central folder or index where you keep key documents and records. This makes audits, contract reviews, and renewals far less stressful.

Category | Examples of evidence to include | Relevant regulations
Policies | Security, access control, bring-your-own-device (BYOD), incident response, backup | DPA (security of processing), NIS (continuity/response), FCA (governance)
Data protection | Records of processing activities (ROPA), data protection impact assessments (DPIAs) | DPA
Risk and assets | Risk register, IT asset inventory | NIS (risk management), FCA (impact tolerances and dependencies)
Updates and backups | Patch reports, backup logs, restore test evidence | NIS (resilience), FCA (system controls), PCI DSS
Training | Staff training records (phishing, data handling) | DPA (staff awareness), FCA (operational resilience)
Suppliers | Signed data processing agreements, vendor security checks | DPA (processors), NIS (supply chain), FCA (outsourcing)
Testing | Incident response drills, business continuity test results | NIS (incident handling), FCA (scenario testing)
Governance | Board/management reports on cybersecurity risks | FCA (board oversight), NIS (responsibility)

Tip: Keep a simple index of these documents and set a review schedule (for example, quarterly or twice a year) so the pack stays current.


Cybersecurity compliance FAQs

Businesses often have similar questions about what is required, which standards apply, and how to demonstrate compliance. Below, our experts answer the most frequently asked ones.

What are the FCA cybersecurity requirements?

Financial firms must demonstrate their ability to maintain critical business services, establish impact tolerances, and maintain robust governance over cyber risks. This forms part of the FCA and PRA operational resilience framework.

Do SMEs need Cyber Essentials or ISO 27001?

SMEs are not legally required to hold certifications, but Cyber Essentials is often expected in supply chains and insurance. ISO 27001 is a stronger external proof usually chosen by larger firms or those handling sensitive data.

How do DPA 2018 and NIS differ?

DPA 2018 focuses on protecting personal data, while NIS covers the resilience and security of essential services and networks. Many businesses only fall under DPA, but operators of critical infrastructure must also meet NIS obligations.

Is PCI DSS mandatory if I only take card payments online?

Yes. PCI DSS is not legislation, but any business that processes card payments, in-store or online, is bound to it through its merchant agreement with its acquiring bank or payment provider, and non-compliance can mean fines from the acquirer or loss of the ability to take cards. The level of assessment depends on how many transactions you process and how you handle payment data; using a hosted payment page so card details never touch your own systems keeps you in the simplest self-assessment category.

What’s the difference between security and compliance?

Security is about protecting systems and data day to day. Compliance is about proving to regulators, insurers, and partners that you have the right security measures in place and can evidence them.

How do I prove compliance to insurers?

Insurers often ask for policies, training records, logs, and evidence of patching, backups, and incident response testing. Certifications like Cyber Essentials or ISO 27001 can also make the process much easier.
