Cyber security codes of practice
This page brings together the various DSIT codes of practice for cyber security. It explains who they are aimed at and how they align with Cyber Essentials.
What is a cyber security code of practice?
The Department for Science, Innovation and Technology (DSIT) has developed codes of practice to set clear expectations for cyber security. Voluntary codes use principles to set out the recommended baseline response to a given set of cyber security risks.
Why are codes of practice important?
DSIT publishes codes setting out good practices when it deems a particular area has significant cyber security risks which are not sufficiently being addressed by industry. Organisations should implement applicable DSIT codes of practice as a minimum, although more stringent measures may be needed in higher risk contexts. The codes may act as stepping stones towards further tailored guidance, international standards or domestic regulation.
Organisational cyber resilience
To date, DSIT has published five codes of practice on cyber security - see the full list further down this page.
These codes are a part of a broader approach taken by government to ensure citizens and businesses in the UK can use digital technologies safely. Organisations and their directors must also better understand cyber risks and ensure their organisation implements cyber security measures to use technologies securely and remain resilient to common cyber threats.
To support this, DSIT has taken an evidence-based, multi-stakeholder and cyber security risk-based approach for improving technologies and supply chains. Through Cyber Essentials, the government supports organisations across the economy to protect themselves and their supply chains from cyber risks. Cyber Essentials is a government certification scheme which supports organisations to implement five fundamental cyber security controls, which provide protection against the most common cyber attacks.
DSIT’s codes are complementary with Cyber Essentials and seek to build on the scheme, whether by addressing specific additional risks beyond these baseline controls, or by identifying broader, non-technical measures that support organisational resilience. They also help businesses and other organisations understand what to expect from their technology suppliers, and to hold them accountable.
A secure by design approach for developing digital technology
The codes of practice also stem from the UK government’s long-standing advocacy for a “secure by design” approach. This involves proactively focusing on risk mitigation and instilling confidence in users, whilst encouraging the adoption of secure technologies. Ultimately, the responsibility for cyber security should not be placed disproportionately on the shoulders of consumers and business customers. The responsibility for managing and mitigating security and resilience risks should instead be owned by those developing the products that increasingly underpin our digital lives and economic sectors.
A modular approach: clarity on how the codes interlink
We recognise that the introduction of codes of practice, and the potential for further codes to be published, will create a layered landscape. DSIT has therefore set out a modular approach which explains the scope and relevance of current and future codes. This information will make it easier for stakeholders to understand how the various codes fit together, and it will also help organisations easily identify which codes are relevant to them. In practice, the complexity and types of products or services provided by an organisation will determine which code(s) they should implement.
All organisations which rely on online/digital services, across all sectors of the economy, should aim to implement the Cyber Governance Code of Practice and become certified to the Cyber Essentials scheme. This is because the Cyber Governance Code brings together the critical governance areas that directors and boards of all organisations need to take ownership of in one place. The Governance Code, alongside the technical controls set out within Cyber Essentials, forms the baseline which all organisations should implement to develop cyber resilience. Further guidance on implementation of these principles and actions is provided within the NCSC’s Cyber Security Toolkit for Boards, and the Code and Toolkit work together to form a coherent set of guidance for boards, directors and their senior advisors.
All technology providers, including manufacturers and suppliers of any software or digital products and services containing software, should also implement the Code of Practice for Software Vendors. This Code provides the baseline cyber security practices for all software.
If the technology that the provider creates includes AI, consumer IoT, or apps and app stores, the provider is also expected to adhere to the applicable code of practice. For these technologies this would be the Code of Practice for AI Cyber Security, the Consumer IoT Code of Practice / ETSI EN 303 645 / PSTI Act 2024, and the Code of Practice for Apps/App Stores respectively.
This page will be updated where needed, and if future codes of practice are developed.
Cyber security codes of practice
Cyber security codes of practice currently in use or in development.
Updates to this page
Published 15 May 2024. Last updated 3 February 2025.
- 3 February 2025: Page updated to reflect the new AI Cyber Security Code of Practice.
- 15 May 2024: First published.