The UK’s Software Security Code Of Practice Is More Than Just Guidance

The publication of the Software Security Code of Practice by the Department for Science, Innovation and Technology (DSIT) and the National Cyber Security Centre (NCSC) on 7 May 2025 marks the beginning of a new phase in the evolving principle of cybersecurity.

While the Code currently serves as guidance, with software vendors "expected (but to stress the voluntary nature of this code, are not legally obliged) to implement" its principles, the growing number of successful cyberattacks on prominent companies highlights the increasing urgency of these security measures.

This guidance is a critical first step, and as the cybersecurity landscape continues to evolve and software supply chain attacks become more pronounced, this code may very well pave the way for future formal regulations.

Voluntary Today, Mandatory Tomorrow

The code's voluntary status masks an inevitable regulatory shift. It is one of a series of cybersecurity-related materials published ahead of the Cyber Security and Resilience Bill, which seeks to update the UK’s regulatory framework. The Bill will be introduced to Parliament in 2025, expanding regulatory scope to cover more digital services and supply chains while giving regulators enhanced enforcement powers.

This pattern mirrors the EU's regulatory approach. NIS2 came into force in January 2023, with Member States having until 17 October 2024 to transpose the directive into national law. The NIS2 directive grants EU member states the power to enforce penalties, both financial and administrative, for non-compliance, with administrative fines of up to 10 million euros, or 2% of the company's annual revenue, whichever is higher.

As data custodians, organisations are accountable to those who entrust them with their information, and failure to adhere to the Software Security Code of Practice could lead to legal consequences and reputational harm.

Within the next 12 months, organisations may face legal action if they don't act now to strengthen their systems and prevent attacks.

The AI Factor

This shift becomes even more critical as AI-powered agents are increasingly entrusted with processing sensitive data and transforming it into valuable business insights. As these agents proliferate, the importance of secure practices cannot be overstated.

When AI systems have access to vast datasets and can make autonomous decisions, a security vulnerability doesn't just compromise information; it can compromise the entire decision-making processes that drive business operations. The rapid growth of AI across sectors means that security must be baked into development and deployment processes from the outset.

Aligning with the Code’s 14 Principles

The Code consists of 14 principles split across 4 themes: secure design and development, build environment security, secure deployment and maintenance, and communication with customers. 

While the specific implementation details will vary by organisation, industry best practices typically focus on embedding security throughout the development lifecycle, managing supply chain risks, implementing comprehensive risk assessment processes, and establishing robust incident response protocols.

Critical Business Systems at Risk

In enterprise environments, particularly those running SAP systems, the integration of AI and automation creates unique security challenges. These platforms process some of the most sensitive business data: financial records, customer information, and strategic plans, making them prime targets for sophisticated attacks.

Every AI agent, every automated process, every data transformation must be evaluated through the lens of security first, functionality second. The stakes have never been higher, and the margin for error continues to shrink.

Moving Forward

Should organisations fail to follow these guidelines, the repercussions will be felt not only in terms of security breaches but also in legal and reputational damage. The regulatory precedent is unmistakable, as can be seen in previous regulations like the NIS2, where EU Member States can set maximum administrative fines for non-compliance at 10m EUR or 2% of total worldwide turnover, whichever is higher, with board-level personal liability for senior management in cases of security negligence. 

The immediate next step is clear: Check your systems. The attackers are at your data’s door. 

Now is the time to act. Organisations must proactively address security vulnerabilities and ensure their practices align with the Software Security Code of Practice before compliance becomes compulsory or threat actors force the issue. Ignoring this guidance could mean jeopardising the very trust that data owners place in their custodians.

Andreas Vermeulen is Head of AI at Avantra
