The UK’s Software Security Code Of Practice Is More Than Just Guidance
The publication of the Software Security Code of Practice by the Department for Science, Innovation and Technology (DSIT) and the National Cyber Security Centre (NCSC) on 7 May 2025 marks the beginning of a new phase in the evolution of cybersecurity practice.
While the Code currently serves as guidance, with software vendors "expected (but to stress the voluntary nature of this code, are not legally obliged) to implement" its principles, the growing number of successful cyberattacks on prominent companies highlights the increasing urgency of these security measures.
This guidance is a critical first step, and as the cybersecurity landscape continues to evolve and software supply chain attacks become more pronounced, this code may very well pave the way for future formal regulations.
Voluntary Today, Mandatory Tomorrow
The Code's voluntary status masks an inevitable regulatory shift. The Code is one of a series of cybersecurity-related materials published ahead of the Cyber Security and Resilience Bill, which seeks to update the UK’s regulatory framework. The Bill will be introduced to Parliament in 2025, expanding regulatory scope to cover more digital services and supply chains while providing regulators with enhanced enforcement powers.
This pattern mirrors the EU's regulatory approach. NIS2 came into force in January 2023, with Member States having until 17 October 2024 to transpose the directive into national law. The NIS2 directive grants EU member states the power to enforce penalties, both financial and administrative, for non-compliance, with administrative fines of up to 10 million euros, or 2% of the company's annual revenue, whichever is higher.
As data custodians, organisations are accountable to those who entrust them with their information, and failure to adhere to the Software Security Code of Practice could lead to legal consequences and reputational harm.
Within the next 12 months, organisations may face legal action if they don't act now to strengthen their systems and prevent attacks.
The AI Factor
This shift becomes even more critical as AI-powered agents are increasingly entrusted with processing sensitive data and transforming it into valuable business insights. As these agents proliferate, the importance of secure practices cannot be overstated.
When AI systems have access to vast datasets and can make autonomous decisions, a security vulnerability doesn't just compromise information; it can compromise the entire decision-making processes that drive business operations. The rapid growth of AI across various sectors means that security must be baked into development and deployment processes from the outset.
Aligning with the Code’s 14 Principles
The Code consists of 14 principles split across four themes: secure design and development, build environment security, secure deployment and maintenance, and communication with customers.
While the specific implementation details will vary by organisation, industry best practices typically focus on embedding security throughout the development lifecycle, managing supply chain risks, implementing comprehensive risk assessment processes, and establishing robust incident response protocols.
Critical Business Systems at Risk
In enterprise environments, particularly those running SAP systems, the integration of AI and automation creates unique security challenges. These platforms process some of the most sensitive business data an organisation holds: financial records, customer information, and strategic plans, making them prime targets for sophisticated attacks.
Every AI agent, every automated process, every data transformation must be evaluated through the lens of security first, functionality second. The stakes have never been higher, and the margin for error continues to shrink.
Moving Forward
Should organisations fail to follow these guidelines, the repercussions will be felt not only in security breaches but also in legal and reputational damage. The regulatory precedent is unmistakable, as can be seen in existing regulation such as NIS2, under which EU Member States can set maximum administrative fines for non-compliance at €10m or 2% of total worldwide turnover, whichever is higher, with board-level personal liability for senior management in cases of security negligence.
The immediate next step is clear: Check your systems. The attackers are at your data’s door.
Now is the time to act. Organisations must proactively address security vulnerabilities and ensure their practices align with the Software Security Code of Practice before compliance becomes compulsory or threat actors force the issue. Ignoring this guidance could mean jeopardising the very trust that data owners place in their custodians.
Andreas Vermeulen is Head of AI at Avantra
Image: Shahadat Rahman