Cyber Security Breaches Survey 2025/2026: What the Data Tells UK Organisations About Article 32

Quick answer

The DSIT Cyber Security Breaches Survey 2025/2026, published 30 April 2026, records that only 47% of UK businesses have deployed two-factor authentication, that 14% hold personal data without encryption or anonymisation, and that just 25% have a formal incident response plan. Article 32 of the UK GDPR requires appropriate technical and organisational measures across all three areas. The survey gives the ICO a current baseline for applying that standard, and gives DPOs the data they need to make the case internally for security investment.

The DSIT Cyber Security Breaches Survey 2025/2026, published 30 April 2026, is usually read as a measure of how often UK organisations are attacked. It is more useful to read it as a measure of how well they comply with Article 32 of the UK GDPR. Only 47% of businesses have deployed two-factor authentication. Fourteen per cent hold personal data without encryption or anonymisation. Just 25% have a formal incident response plan. These are not projections of future breach risk: they are current measurements of the technical and organisational measures that Article 32 requires controllers and processors to maintain.

What the survey found

Forty-three per cent of UK businesses (approximately 612,000 organisations) and 28% of charities reported at least one cyber security breach or attack in the previous twelve months. Breach prevalence has stabilised after a decline from 50% in 2023/24 to 43% in 2024/25, and remains materially higher in medium (65%) and large (69%) businesses than in their smaller counterparts.

Phishing attacks remained the most prevalent and most disruptive type of incident: 38% of businesses and 25% of charities experienced at least one such attack, and 51% of businesses that reported any breach had experienced phishing attacks as the sole attack type. Ransomware declined from 3% to 1% among businesses, but the proportion of businesses reporting revenue or share value loss increased from 2% to 5%, and reputational damage from 1% to 3%, suggesting that the incidents that do occur are landing harder.

The survey reports median ‘perceived costs’ of nil across all businesses. That figure reflects DSIT’s methodology (self-reported, direct costs only) rather than the true financial exposure. Indirect costs, such as management time, reputational damage, regulatory investigation and notification obligations, are not captured. At the 95th percentile, direct costs reached £10,000 for medium and large businesses. DSIT itself acknowledges that extreme cases are “persistently difficult to measure robustly within a survey of this size”. The cost data should not be read as evidence that breaches are financially harmless.

The breach statistics set the context. What matters more for Article 32 compliance is what the survey records about the security measures organisations currently have in place.

Key findings: DSIT Cyber Security Breaches Survey 2025/2026 and Article 32 UK GDPR implications for UK organisations

| Metric | Survey finding (2025/2026) | Article 32 UK GDPR implication |
| --- | --- | --- |
| Breach prevalence (businesses) | 43% (approx. 612,000 businesses) | Art 32(2): baseline for risk assessment of accidental/unlawful disclosure or access |
| Two-factor authentication | 47% of businesses (53% without) | Art 32(1)(b): ongoing confidentiality, integrity and access control |
| Phishing attacks | 38% of businesses; most disruptive type (69% of those breached) | Art 32(1)(d): regular testing and evaluation of TOMs, including phishing simulation |
| Personal data without encryption or anonymisation | 14% of businesses | Art 32(1)(a): pseudonymisation and encryption of personal data |
| Cyber security risk assessments | 30% of businesses (broadly flat for two years) | Art 32(1)(d) and Art 32(2): regular assessment and risk evaluation |
| Staff training and awareness | 19% of businesses | TOMs must address human factors, the dominant vector for phishing attacks |
| Formal incident response plan | 25% of businesses (21% micro; 76% large) | Art 32(1)(c): ability to restore availability and access in a timely manner after an incident |
| Supply chain cyber security review | 15% review immediate suppliers; 6% review wider supply chain | Art 32: processor and sub-processor risk framework; supply chain as TOM gap |
| Cyber Essentials certification | 5% of businesses (up from 3%) | Art 32(3) (as amended by DUAA 2025): approved certification as element of compliance evidence |

Article 32 UK GDPR: the legal standard

Article 32 of the UK GDPR imposes a risk-proportionate obligation on both controllers and processors to implement appropriate technical and organisational measures (TOMs), having regard to the state of the art, implementation costs, and the nature, scope, context and purposes of the processing. The four sub-measures at Article 32(1)(a) to (d) collectively define the architecture of a compliant security programme: pseudonymisation and encryption of personal data; ongoing confidentiality, integrity, availability and resilience of processing systems; timely restoration of availability and access following a physical or technical incident; and a process for regularly testing, assessing and evaluating the effectiveness of TOMs.

For law enforcement processors subject to the DPA 2018 section 66, the equivalent obligation mirrors the Article 32 structure and was amended in the same terms. Both provisions were amended by the Data (Use and Access) Act 2025 (DUAA 2025) with effect from 20 August 2025, a development addressed further below. The ICO’s security guidance makes clear that Article 32 requires demonstrable, maintained and tested TOMs rather than a one-time implementation exercise.

Where the survey data exposes compliance gaps

The most widespread compliance gap in the survey is two-factor authentication. Only 47 per cent of businesses have deployed it, meaning that more than half of UK organisations process personal data relying solely on passwords for access control. Only 36 per cent operate a virtual private network for remote staff. Nineteen per cent conduct staff training and awareness activities, despite human factors accounting for the overwhelming majority of phishing attacks. Low-income charities have seen this figure fall further in 2025/2026. These are the controls that Article 32(1)(b) requires — ongoing confidentiality, integrity and access control — and the majority of UK organisations are not meeting the standard.

Fourteen per cent of businesses hold personal data that is not protected by anonymisation or encryption. That figure maps directly to Article 32(1)(a) and to the category of inadequate encryption that has attracted ICO enforcement action in multiple penalty decisions during 2025. Thirty per cent of businesses conducted a cyber security risk assessment, broadly flat for two years, against the Article 32 requirement to assess the risks presented by the processing, including risks from accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access.

Only 25% of businesses had a formal incident response plan, the structural prerequisite for timely restoration of personal data availability under Article 32(1)(c). Plans were present in 76% of large businesses but only 21% of micro businesses. Article 32 imposes a proportionate obligation calibrated to the nature and scale of processing, not a flat exemption for size. Article 33 of the UK GDPR requires ICO notification within 72 hours of becoming aware of a personal data breach; data breach notification at that pace is considerably harder to achieve without a tested incident response plan in place. The low adoption rate across smaller organisations represents a measurable liability.

Supply chain governance presents a further gap. Only 15% of businesses reviewed the cyber security risks posed by their immediate suppliers and 6% examined their wider supply chain. These figures sit within the Article 32 sub-processor risk framework and should be read alongside the NCSC’s supply chain security guidance, which has addressed this area for several years without producing material improvement in the survey data.

The DUAA 2025 amendment: approved certifications as compliance evidence

The DUAA 2025 inserted a new Article 32(3) into the UK GDPR and an equivalent provision into DPA 2018 section 66(3), both operative from 20 August 2025. The amendment provides that adherence to an approved code of conduct under Article 40 or to an approved certification mechanism under Article 42 may be used as an element to demonstrate compliance with Article 32. This is a significant development for the broader DUAA 2025 reform package, which restructures several means of evidencing UK GDPR compliance. The practical significance of Article 32(3) depends on the availability of approved certifications. The survey found that only 5% of businesses hold Cyber Essentials (up from 3%), and that only 24% of organisations using or adopting AI have cyber security practices in place to manage AI-related risks. Against the DUAA 2025 framework, the low uptake of approved certifications leaves most organisations without the evidential shortcut the Act contemplates.

ICO enforcement in context

The ICO’s enforcement record in 2025 illustrates the financial exposure that Article 32 failures carry. A password management provider was fined over £1.2 million after a failure to maintain appropriate encryption and access controls enabled attackers to access a large volume of personal data over an extended period. A law firm received a £60,000 penalty for inadequate access management that left personal data exposed to unauthorised access. An outsourcing provider faced a combined penalty approaching £14 million, in part because deficient TOMs enabled a ransomware attack to affect a large personal data estate including special category health data.

The survey data provides a direct bridge from statistics to enforcement risk. ICO investigators applying the Article 32 standard to a controller or processor can point to the DSIT benchmarks (14% of businesses holding unprotected personal data, 25% without a formal incident response plan, 70% without a cyber security risk assessment) to characterise a particular organisation’s security position as below the expected standard for its sector. Where the ICO has published specific sector guidance or issued previous enforcement notices in the same sector, the evidential threshold will be higher still.

Commercial and operational implications

For fintech operators and telecoms service providers with large personal data estates, the survey confirms that the threat landscape has not materially improved. Phishing attacks and associated credential compromise remain the dominant vector. The data on AI adoption is particularly striking for those advising on data protection for AI-enabled products: 31% of organisations are using or actively considering AI, but only 24% of that group have cyber security practices in place to manage the risks that AI technology introduces. This gap sits squarely within the ICO’s expectation that data protection by design and by default under Article 25 of the UK GDPR encompasses security controls appropriate to the specific processing activity.

Cyber insurance provides some commercial protection: 47% of businesses hold some form of cover against cyber security risks. Insurance does not discharge the Article 32 obligation, and modern underwriting requirements increasingly mirror the same technical and organisational measures framework that the ICO applies, making Article 32 compliance and insurability increasingly aligned. Businesses that cannot demonstrate they have assessed and addressed the gaps identified in this survey may find both their regulatory exposure and their insurance position deteriorating together.

The survey’s cost figures should be read alongside the real-world outcomes of significant incidents. The April 2025 ransomware attack on Marks and Spencer reduced statutory half-year pre-tax profits from £391.9 million to £3.4 million, with £101.6 million in direct incident costs and online sales falling 42.9% during the six-week system outage (M&S Half Year Results, 5 November 2025). The Co-operative Group reported a £285 million revenue impact and £107 million profit impact from the same campaign, with personal data for 6.5 million members exfiltrated (Co-op Group H1 2025 Results). These are the consequences that a survey median of nil fails to capture.

Bratby Law advises data controllers and processors on Article 32 compliance reviews, personal data breach response and ICO engagement. If you would like to discuss your organisation’s security obligations under the UK GDPR, please contact Rob Bratby directly or visit the Direct Legal Advice page.

Viewpoint

The Cyber Security Breaches Survey is a useful regulatory calibration point, but its real significance for UK GDPR practitioners is that it converts abstract risk into quantified organisational failure rates. An ICO investigation applying the Article 32 standard will not accept as a defence that an organisation followed industry norms when those norms are demonstrably inadequate. With more than half of businesses without two-factor authentication, 14% holding unprotected personal data, 25% lacking a formal incident response plan, and the median cost of breaches still sitting at zero while the upper tail extends to £10,000, the survey signals exactly where enforcement attention is most likely to focus next. Organisations that have not reviewed their technical and organisational measures against these benchmarks should do so before the ICO does it for them.

Rob Bratby is Managing Partner at Bratby Law. He is a specialist UK data protection lawyer and advises data controllers and processors, including fintech operators, telecoms service providers and technology businesses, on UK GDPR compliance, ICO enforcement, personal data breach response and data protection for AI-enabled products. He holds fractional General Counsel appointments at UK Payments Initiative, TOTSCo, TelXL and Core Communication.
