The Cyber Governance Code of Practice (The Code) is a UK government-backed guide introduced in 2025 by the Department for Science, Innovation and Technology (DSIT) and supported by the National Cyber Security Centre (NCSC). It has been created to help board members and senior staff take ownership of cyber risk, treating it as a key business issue, not just a technical one.
Cyberattacks can completely shut down operations, leak sensitive data, and seriously harm a company’s reputation. The Code sets clear expectations for how leadership teams can build stronger cyber resilience into everyday business decisions, and encourages leadership to ask the right questions, assign clear responsibilities, and treat cyber risk with the same seriousness as a financial or legal risk.
For example, in the finance sector, where customer trust and regulatory scrutiny are high, the Code supports directors in understanding how to evaluate third-party risks, like vulnerabilities in fintech platforms or cloud services. In defense or critical infrastructure, it helps ensure that board-level leaders are fully aware of the security implications of working with suppliers or handling sensitive data, especially in the face of state-sponsored threats. Even in sectors like healthcare, the guidance helps executives manage digital transformation securely, so patient data and connected medical devices aren’t left exposed.
Although the Code is voluntary, it is built on tried-and-tested best practices. To make implementation easier, it is backed by tools such as the Cyber Security Toolkit for Boards and the Cyber Governance Training for leaders. The overall aim is to create a culture of accountability and resilience, where cybersecurity is part of everyday governance, not just something you react to when things go wrong.