SecurityBrief UK - Technology news for CISOs & cybersecurity decision-makers
UK outlines cyber & AI regulatory overhaul in King's Speech


Thu, 14th May 2026
Mark Tarre, News Chief

The UK government has outlined plans to overhaul its digital and cyber regulation framework in the King's Speech. The agenda includes reforms to the Computer Misuse Act, a Cyber Security and Resilience Bill, a Regulating for Growth Bill covering AI, and a new Financial Services Bill.

The programme points to a wider shift in technology and security policy, with cyber resilience, regulatory reform and digital identity emerging as core themes. Industry groups, lawyers and technology businesses broadly welcomed the direction, while cautioning that the details of the legislation will determine how far the measures change day-to-day practice.

Campaigners who have long pressed for changes to the UK's 1990 Computer Misuse Act said the move marked a significant moment for cyber defence. As part of the National Security Bill, the government intends to create more legal certainty for cyber security professionals who test and secure systems.

"Today marks a genuine turning point for cyber security in the UK. For years, the Computer Misuse Act (CMA) has left legitimate cyber security professionals and researchers operating under unnecessary legal risk, while hostile actors move faster and with fewer constraints. By including CMA reform in the National Security Bill, the Government has recognised a basic reality: cyber professionals cannot be expected to defend the country with one hand tied behind their backs. The test now is whether the legislation delivers a clear, workable statutory defence for good-faith cyber security activity, including vulnerability research and threat intelligence. We stand ready to work with ministers and Parliament to turn this commitment into a lasting upgrade to the UK's cyber resilience," said a spokesperson for the CyberUp Campaign.

The Cyber Security and Resilience Bill featured heavily in industry reaction. The draft law will place new obligations on managed IT service providers and data centres, and expand incident reporting and risk management requirements across critical digital supply chains.

Rob Demain, chief executive of cyber security company e2e-assure, linked the Bill to a broader push for national control of key technologies.

"The Cyber Security and Resilience Bill, included in today's King's Speech as it continues through Parliament, should be seen as part of a much bigger message: Britain's security increasingly depends on the capability it can build, control and scale at home. The Speech rightly puts economic security, national security, infrastructure resilience and homegrown capability at the centre of the Government's programme. That logic cannot stop at steel, energy or physical infrastructure. It must also include cybersecurity.
"We know AI is changing the threat environment at speed, with hostile state and criminal actors using automation and AI to identify vulnerabilities and scale attacks faster than humans. Cyber is where the AI race becomes real for critical industries.
"It is not enough for Britain to adopt AI cyber defence; we need to build, buy and scale British capability. The UK cyber security sector generated £14.7bn in annual revenue, up 11%, with 2,603 active firms. The capability is here. The question is whether procurement and policy now back it as a strategic national asset," he said.

Compliance specialists said the cyber legislation would reshape expectations for service providers that sit behind many organisations' IT operations.

"It is traditional at the State Opening of Parliament for an MP to be held hostage in Buckingham Palace until the monarch safely returns. Given the current state of Labour politics, the prime minister may have had a rather long shortlist.
"Nevertheless, there are several significant compliance changes in this King's Speech. The Cyber Security and Resilience Bill is probably the most important for many businesses. It will expand the UK's cyber framework, bring more managed IT providers and data centres into scope, and introduce tougher incident reporting expectations.
"The Enhancing Financial Services Bill confirms that reform of the Senior Managers and Certification Regime is moving into legislation, with the government aiming to reduce administrative burden while keeping individual accountability.
"The Competition Reform Bill is also worth watching because it could make the CMA faster and more predictable, while also making it more exposed to political priorities. Moving major Phase 2 merger and market review decisions closer to the CMA Board may improve accountability, but businesses will need to factor political and reputational sensitivities into competition risk, particularly for deals involving prices, jobs, digital markets or national competitiveness.
"And then there are the omissions. No Audit Reform and Corporate Governance Bill. No Equality (Race and Disability) Bill. No standalone AI Bill. So the compliance agenda is not quite the one many expected. Nor is there specific legislation to make the FCA the single professional services regulator for anti-money laundering, despite this being one of the most significant expected changes for law firms, accountants and other professional services firms.
"That leaves the SRA and other professional body supervisors in an awkward holding pattern. The government has previously pointed to a major overhaul of AML supervision, but the King's Speech provides no clear timetable or dedicated legislative vehicle. The open question is whether this reform is now delayed, quietly deprioritised, or folded into a broader Bill such as the Regulating for Growth Bill.
"The political context can't be ignored. This King's Speech lands amid continuing leadership speculation and a government that looks far from settled. A change in prime minister would not automatically mean a new King's Speech, but it could change which reforms are prioritised, delayed or quietly dropped," said Nick Henderson-Mayo, head of compliance at VinciWorks.

Legal commentators said the cyber package would bring the UK closer to European standards while retaining a distinct emphasis.

"The King's Speech confirms the government's intention to finish work on the Cyber Security and Resilience Bill, the long-awaited strengthening of the UK's cyber-security laws, extending responsibility to IT companies in the supply chain as well as to key infrastructure providers such as data centres. This law will bring the UK into closer alignment with the EU's updated standards (NIS 2), whilst taking a different approach by focusing more on supply chain security, rather than a broad expansion of the sectors regulated as critical infrastructure.
"The government is also moving forward with a national digital ID scheme, aimed at modernising public services and streamlining identity verification. It is likely to dovetail with the framework for digital verification services set out in last year's Data (Use and Access) Act. While an initial proposal for a mandatory 'BritCard' was abandoned after backlash, the government is proceeding with a voluntary system designed to be used for accessing services, with important questions about inclusion, privacy and security still to be answered," said James Clark, partner at Spencer West.

Digital identity also featured in the response from financial technology leaders. The King's Speech confirmed separate legislation on digital ID as part of the wider package.

"Today's King's Speech unveils a new Financial Services Bill with a range of measures to streamline UK regulation that we at Innovate Finance have advocated for with our Unicorn Council for UK FinTech and wider membership base. This includes faster authorisations, a more proportionate approach to approval and certification of senior managers, and a more focused role for the Financial Ombudsman to reduce the risk of acting as a shadow regulator.
"Taken together with proposals on payments, the proposed legislation will give the regulator more powers to develop and flex its rule book. This should help enable the more agile regulatory approach we need as the pace of technology, innovation and international competitiveness accelerates. It also creates a need for greater accountability from regulators.
"As the FCA and Bank of England take on more powers and responsibilities in payments, there is now a strong case for giving the Bank a statutory objective to promote growth, competition and innovation in payments systems and regulation. Given the increased need to build growth and resilience, now is also the time to revisit how best to combine regulators' independence with democratic oversight and the ability of a government to set wider public policy priorities that cut across regulatory responsibilities.
"We also look forward to seeing the proposed legislation on digital identity. Digital ID and verification is a critical building block for finance and technology innovation, enabling easy and safe access to services and helping combat fraud. Government work on digital identity for public services can support this if it is accessed through a wide range of digital wallets and trusted, world-leading verification providers.
"We look forward to continuing to convene industry and support government and Parliament in developing a modern regulatory regime that supports innovation," said Janine Hirt, chief executive of Innovate Finance.

The government also outlined plans for a Regulating for Growth Bill to frame the UK's approach to artificial intelligence oversight. Business groups said the legislation would succeed only if it was paired with support for adoption.

"The Regulating for Growth Bill announcement in today's King's Speech brings us one step closer to securing the UK's future as an AI-confident G7 economy by 2035 and will increase trust in AI products and services.
"Awareness of AI is now universal and adoption has reached scale. Data from our AI Impact Report, launched yesterday, shows that among the 70% of UK businesses now using AI, 43% report increased revenue, more than a quarter have reduced costs, and a similar proportion say it is shortening their working day.
"Yet despite these positives, a gap remains. Many businesses are still limiting AI to lower-risk tasks, rather than embedding it where it can drive real growth. Only 7% are using it extensively in their day-to-day operations, significantly behind the US and Canada, where that number is closer to 12%.
"Thirty-five per cent of UK businesses cite data privacy and security as their biggest concern, with a further 26% worried about errors and accuracy, reflecting that trust remains a real barrier. Deeper integration of AI, used with confidence, consistency and in ways that improve how a business runs, remains uneven.
"Formalising safeguards is an important step in addressing these concerns. But legislation alone is not enough. As this Bill progresses, it must be paired with investment in skills and support to help smaller businesses become AI-literate. Targeted incentives will be essential to ensure they can fully adopt AI and drive economic growth," said Leigh Thomas, vice president of EMEA at Intuit.