The UK’s Software Security Code Of Practice Is More Than Just A Guidance

Uploaded on 2025-06-30 in TECHNOLOGY--Resilience, FREE TO VIEW

The publication of the Software Security Code of Practice by the Department for Science, Innovation and Technology (DSIT) and the National Cyber Security Centre (NCSC) on 7 May 2025 marks the beginning of a new phase in the evolving principle of cybersecurity.

While the Code currently serves as guidance, with software vendors "expected (but to stress the voluntary nature of this code, are not legally obliged) to implement" its principles, the growing number of successful cyberattacks on prominent companies highlights the increasing urgency of these security measures.

This guidance is a critical first step, and as the cybersecurity landscape continues to evolve and software supply chain attacks become more pronounced, this code may very well pave the way for future formal regulations.

Voluntary Today, Mandatory Tomorrow

The code's voluntary status masks an inevitable regulatory shift. The code is part of a series of cybersecurity-related materials published before the Cyber Bill, which seeks to update the UK’s regulatory framework, was introduced in Parliament. The Cyber Security and Resilience Bill will be introduced to Parliament in 2025, expanding regulatory scope to cover more digital services and supply chains while providing regulators with enhanced enforcement powers.

This pattern mirrors the EU's regulatory approach. NIS2 came into force in January 2023, with Member States having until 17 October 2024 to transpose the directive into national law. The NIS2 directive grants EU member states the power to enforce penalties, both financial and administrative, for non-compliance, with administrative fines of up to 10 million euros, or 2% of the company's annual revenue, whichever is higher.

As data custodians, organisations are accountable to those who entrust them with their information, and failure to adhere to the Software Security Code of Practice could lead to legal consequences and reputational harm.

Within the next 12 months, organisations may face legal action if they don't act now to strengthen their systems and prevent attacks.

The AI Factor

This shift becomes even more critical as AI-powered agents are increasingly entrusted with processing data and transforming it into valuable business insights. With the rise of AI-powered agents processing sensitive data, the importance of secure practices cannot be overstated.

When AI systems have access to vast datasets and can make autonomous decisions, a security vulnerability doesn't just compromise information, it can compromise entire decision-making processes that drive business operations. The rapid growth of AI across various sectors means that security must be baked into the development and deployment processes from the outset.

Aligning with the Code’s 14 Principles

The Code consists of 14 principles split across 4 themes: secure design and development, build environment security, secure deployment and maintenance, and communication with customers. 

While the specific implementation details will vary by organisation, industry best practices typically focus on embedding security throughout the development lifecycle, managing supply chain risks, implementing comprehensive risk assessment processes, and establishing robust incident response protocols.

Critical Business Systems at Risk

In enterprise environments, particularly those running SAP systems, the integration of AI and automation creates unique security challenges. These platforms process some of the most sensitive business data, financial records, customer information, and strategic plans, making them prime targets for sophisticated attacks.

Every AI agent, every automated process, every data transformation must be evaluated through the lens of security first, functionality second. The stakes have never been higher, and the margin for error continues to shrink.

Moving Forward

Should organisations fail to follow these guidelines, the repercussions will be felt not only in terms of security breaches but also in legal and reputational damage. The regulatory precedent is unmistakable, as can be seen in previous regulations like the NIS2, where EU Member States can set maximum administrative fines for non-compliance at 10m EUR or 2% of total worldwide turnover, whichever is higher, with board-level personal liability for senior management in cases of security negligence. 

The immediate next step is clear: Check your systems. The attackers are at your data’s door. 

Now is the time to act. Organisations must proactively address security vulnerabilities and ensure their practices align with the Software Security Code of Practice before compliance becomes compulsory or threat actors force the issue. Ignoring this guidance could mean jeopardising the very trust that data owners place in their custodians.

Andreas Vermeulen is Head of AI at Avantra

Image: Shahadat Rahman

You Might Also Read: 

Strengthen Software Supply Chain & Governance For Better AI System Cybersecurity:

If you like this website and use the comprehensive 8,000-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

 

 

« US Seeks To Ban 'Adversarial AI'
Iranian Hackers Attack After US Air Strikes »

ManageEngine
CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Rackspace Technology

Rackspace Technology

Rackspace Technology is a leading provider of managed services across all major public and private cloud technologies. Secure your IT environments with powerful cloud security solutions and support.

Malta Information Technology Agency (MITA)

Malta Information Technology Agency (MITA)

MITA is the central driver of Government Information and Communications Technology (ICT) policy, programmes and initiatives in Malta.

Syhunt Security

Syhunt Security

Syhunt is a leading player in the web application security field, delivering its assessment tools to a range of organizations across the globe.

Aricoma

Aricoma

Aricoma are Architects of Digital. We aim to become a major player in end-to-end IT services and digital transformation in Europe.

DarkLight

DarkLight

DarkLight Cyio is an AI-powered cyber risk solution that applies real-time threat intelligence and business context to risk prioritization.

Cybersecurity Innovation Hub

Cybersecurity Innovation Hub

Cybersecurity Innovation Hub is a non-profit network organization focused on cooperation, information sharing, research and implementation of cutting-edge technologies in cybersecurity.

Business Hive Vilnius (BHV)

Business Hive Vilnius (BHV)

BHV is one of the oldest startup incubator and technology hubs in the Baltics, primarily focused on hardware, security, blockchain, AI, fintech and enterprise software.

ISA Security Compliance Institute (ISCI)

ISA Security Compliance Institute (ISCI)

ISCI, a not-for-profit automation controls industry consortium, manages the ISASecure™ conformance certification program for industrial automation and control systems.

Pyxsoft PowerWAF

Pyxsoft PowerWAF

Pyxsoft PowerWAF responds to the problem of business cybersecurity. We protect our clients' websites and data against attacks and exploitation of all kinds of vulnerabilities.

NTT Group

NTT Group

NTT offers agile, scalable technology services to bring it all together seamlessly, securely, and sustainably. We help you adopt a holistic security approach across your network, clouds, applications.

SpiderOak

SpiderOak

SpiderOak's portfolio of Secure Communication & Collaboration products ensure the confidentiality, integrity, and availability of your most sensitive data in any environment.

1Touch.io

1Touch.io

1touch.io Inventa is an AI-based, sustainable data discovery and classification platform that provides automated, near real-time discovery, mapping, and cataloging of all sensitive data.

Ruptura InfoSecurity

Ruptura InfoSecurity

Ruptura InfoSecurity provide CREST Accredited Penetration Testing & Offensive Security Services. We secure your critical assets through targeted and research driven penetration testing.

Kolide

Kolide

Kolide ensures that if a device isn't secure, it can't access your apps.

Amplifier Security

Amplifier Security

Amplifier Security are on a mission to empower security teams to modernize their practice by connecting the dots between their security stack and their people.

Tonic Security

Tonic Security

Tonic is reshaping Exposure and Vulnerability Management by providing the context security teams need to accelerate prioritization and remediation of vulnerabilities and threats.