Cyber Security Breaches Survey 2025/2026: Article 32 in Practice

Quick answer
The DSIT Cyber Security Breaches Survey 2025/2026, published 30 April 2026, records that only 47% of UK businesses require two-factor authentication, that 14% hold personal data without anonymisation or encryption, and that just 25% have a formal incident response plan. Article 32 of the UK GDPR requires appropriate technical and organisational measures across all three areas. The survey gives the ICO a current baseline against which to apply that standard, and gives DPOs the data they need to make the case internally for security investment.
The DSIT Cyber Security Breaches Survey 2025/2026, published 30 April 2026, is usually read as a measure of how often UK organisations are attacked. It is more useful to read it as a measure of how well they comply with Article 32 of the UK GDPR. Only 47% of businesses require two-factor authentication. Fourteen per cent hold personal data without anonymisation or encryption. Just 25% have a formal incident response plan. These are not projections of future breach risk: they are current measurements of the technical and organisational measures that Article 32 requires controllers and processors to maintain.
What the survey found
Forty-three per cent of UK businesses (approximately 612,000 organisations) and 28% of charities reported at least one cyber security breach or attack in the previous twelve months. Breach prevalence has stabilised after a fall from 50% in 2023/24 to 43% in 2024/25, and remains higher in medium (65%) and large (69%) businesses than in their smaller counterparts.
Phishing attacks were the most prevalent and most disruptive type of incident: 38% of businesses and 25% of charities experienced at least one such attack, and 51% of businesses that reported any breach experienced phishing attacks as the sole attack type (up from 45% in the prior year). Ransomware fell from 3% to 1% among businesses, but the proportion of businesses reporting that a breach led to loss of revenue or share value rose from 2% to 5%, and reputational damage from 1% to 3%, suggesting that the incidents that do occur are landing harder.
The median perceived cost of the most disruptive breach was £0 for all businesses, rising to £30 for medium and large businesses. At the 95th percentile the figure reached £4,000 for all businesses and £10,000 for medium and large businesses. The breach statistics set the context. What matters more for Article 32 compliance is what the survey records about the security measures organisations currently have in place.
| Metric | Survey finding (2025/2026) | Article 32 UK GDPR implication |
|---|---|---|
| Breach prevalence (businesses) | 43% (approx. 612,000 businesses) | Art 32(2): baseline for risk assessment of accidental or unlawful disclosure or access |
| Two-factor authentication | 47% of businesses (53% without) | Art 32(1)(b): ongoing confidentiality, integrity and access control |
| Phishing attacks | 38% of businesses; most disruptive type for 69% of those breached | Art 32(1)(d): regular testing and evaluation of TOMs, including phishing simulation |
| Personal data without encryption or anonymisation | 14% of businesses | Art 32(1)(a): pseudonymisation and encryption of personal data |
| Cyber security risk assessments | 30% of businesses (broadly flat for two years) | Art 32(1)(d) and Art 32(2): regular assessment and risk evaluation |
| Staff training and awareness | 19% of businesses | TOMs must address human factors, the dominant vector for phishing attacks |
| Formal incident response plan | 25% of businesses (21% micro; 76% large) | Art 32(1)(c): ability to restore availability and access in a timely manner after an incident |
| Supply chain cyber security review | 15% review immediate suppliers; 6% review wider supply chain | Art 32: processor and sub-processor risk framework; supply chain as a TOM gap |
| Cyber Essentials certification | 5% of businesses (up from 3%) | Art 32(3): adherence to an approved certification mechanism may be used as a means of demonstrating compliance |
Article 32 UK GDPR: the legal standard
Article 32 of the UK GDPR imposes a risk-proportionate obligation on both controllers and processors to implement appropriate technical and organisational measures (TOMs), having regard to the state of the art, implementation costs, and the nature, scope, context and purposes of the processing. The four sub-measures at Article 32(1)(a) to (d) collectively define the architecture of a compliant security programme: pseudonymisation and encryption of personal data; ongoing confidentiality, integrity, availability and resilience of processing systems; timely restoration of availability and access following a physical or technical incident; and a process for regularly testing, assessing and evaluating the effectiveness of TOMs.
For competent authority controllers and processors subject to Part 3 of the Data Protection Act 2018, the equivalent security obligation sits at DPA 2018 section 66. The ICO’s security guidance makes clear that Article 32 requires demonstrable, maintained and tested TOMs rather than a one-time implementation exercise.
Where the survey data exposes compliance gaps
The most widespread compliance gap in the survey is two-factor authentication. Only 47% of businesses require it, meaning that more than half of UK organisations process personal data relying solely on passwords for access control. Only 36% operate a virtual private network for staff connecting remotely. Nineteen per cent run staff training and awareness raising activities, despite human factors being the vector exploited by the overwhelming majority of phishing attacks. These are the controls that Article 32(1)(b) requires, and the majority of UK organisations are not meeting the standard.
Fourteen per cent of businesses hold personal data that is not protected by anonymisation or encryption. That figure maps directly to Article 32(1)(a) and to the category of inadequate encryption that has attracted ICO enforcement action in multiple penalty decisions during 2025. Thirty per cent of businesses conducted a cyber security risk assessment, broadly flat for two years, against the Article 32 requirement to assess the risks presented by the processing, including risks from accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access.
Only 25% of businesses had a formal incident response plan, the structural prerequisite for timely restoration of personal data availability under Article 32(1)(c). Plans were present in 76% of large businesses but only 21% of micro businesses. Article 32 imposes a proportionate obligation calibrated to the nature and scale of processing, not a flat exemption for size. Article 33 of the UK GDPR requires ICO notification within 72 hours of becoming aware of a personal data breach; meeting that deadline is considerably harder without a tested incident response plan in place. The low adoption rate across smaller organisations is a measurable liability.
Supply chain governance presents a further gap. Only 15% of businesses reviewed the cyber security risks posed by their immediate suppliers and 6% examined their wider supply chain. These figures sit within the Article 32 sub-processor risk framework and should be read alongside the NCSC’s supply chain security guidance, which has addressed this area for several years without producing material improvement in the survey data.
The DUAA 2025 wording change to Article 32(3)
The Data (Use and Access) Act 2025 (DUAA 2025) made a small but pointed change to Article 32(3) of the UK GDPR. With effect from 20 August 2025, Schedule 11 paragraph 10 to the DUAA substituted the closing words of Article 32(3): adherence to an approved code of conduct under Article 40 or to an approved certification mechanism under Article 42 may now be used “as a means of demonstrating” compliance with Article 32(1), in place of the previous formulation “as an element by which to demonstrate” compliance. The substantive route to evidencing compliance through approved codes and certifications has been on the statute book since 2016; the DUAA strengthens the language and signals that the ICO can be expected to give weight to such adherence in its enforcement assessments.
The DUAA also inserted a new section 66(3) into the Data Protection Act 2018, making the same evidential pathway available for competent authority processing under Part 3. Both changes were brought into force by SI 2025/904 on 20 August 2025. The practical significance of the wording change depends on the availability of approved certifications and codes. The survey records that only 5% of businesses hold Cyber Essentials (up from 3%), and that only 24% of organisations using or adopting AI have cyber security practices in place to manage AI-related risks. Most organisations therefore lack the evidential shortcut Article 32(3) contemplates, and will instead need to demonstrate compliance through documented technical and organisational measures.
ICO enforcement in context
The ICO’s enforcement record in 2025 illustrates the financial exposure that Article 32 failures carry. LastPass UK Ltd was fined £1,228,283 in November 2025 for infringements of Articles 5(1)(f) and 32(1)(f) of the UK GDPR after attackers obtained access to its master password vault. DPP Law Ltd received a £60,000 penalty in April 2025 for infringements of Articles 5(1)(f), 32(1), 32(2) and 33(1) following a cyber attack that allowed attackers to move laterally across its network and exfiltrate 32GB of data. Capita plc and Capita Pension Solutions Limited were fined a combined £14m (£8m and £6m respectively) in October 2025 for infringements of Articles 5(1)(f) and 32, after a 2023 cyber attack compromised the personal data of 6.6 million people, including criminal records, financial data and special category data.
The survey data provides a direct bridge from statistics to enforcement risk. ICO investigators applying the Article 32 standard to a controller or processor can point to the DSIT benchmarks (14% of businesses holding unprotected personal data, 25% without a formal incident response plan, 70% without a cyber security risk assessment) to characterise a particular organisation’s security position as below the expected standard for its sector. Where the ICO has published specific sector guidance or issued previous enforcement notices in the same sector, the evidential threshold will be higher still.
Commercial and operational implications
For fintech operators and telecoms service providers with large personal data estates, the survey confirms that the threat landscape has not materially improved. Phishing attacks and associated credential compromise remain the dominant vector. The data on AI adoption is particularly striking for those advising on data protection for AI-enabled products: 31% of organisations are using or actively considering AI, but only 24% of that group have cyber security practices in place to manage the risks that AI technology introduces. This gap sits squarely within the ICO’s expectation that data protection by design and by default under Article 25 of the UK GDPR encompasses security controls appropriate to the specific processing activity.
Cyber insurance provides some commercial protection: 47% of businesses hold some form of cover against cyber security risks. Insurance does not discharge the Article 32 obligation, and modern underwriting requirements increasingly mirror the same TOM framework that the ICO applies, so Article 32 compliance and insurability are becoming closely aligned. Businesses that cannot demonstrate that they have assessed and addressed the gaps identified in this survey may find both their regulatory exposure and their insurance position deteriorating together.
Bratby Law advises data controllers and processors on Article 32 compliance reviews, personal data breach response and ICO engagement. If you would like to discuss your organisation’s security obligations under the UK GDPR, please contact Rob Bratby directly or visit the Direct Legal Advice page.
Viewpoint
The Cyber Security Breaches Survey is a useful regulatory calibration point, but its real value for UK GDPR practitioners is that it converts abstract risk into quantified organisational failure rates. An ICO investigation applying the Article 32 standard will not accept as a defence that an organisation followed industry norms when those norms are demonstrably inadequate. With more than half of businesses without two-factor authentication, 14% holding unprotected personal data, 25% lacking a formal incident response plan, and the median cost of breaches still sitting at zero while the upper tail extends to £10,000, the survey signals where enforcement attention is most likely to focus next. Organisations that have not reviewed their TOMs against these benchmarks should do so before the ICO does it for them.
Rob Bratby is Managing Partner at Bratby Law. He is a specialist UK data protection lawyer and advises data controllers and processors, including fintech operators, telecoms service providers and technology businesses, on UK GDPR compliance, ICO enforcement, personal data breach response and data protection for AI-enabled products. He holds fractional General Counsel appointments at UK Payments Initiative, TOTSCo, TelXL and Core Communication.
