NCC Group evidence informs UK Business and Trade Committee report

24 November 2025 – Global cyber security and resilience experts, NCC Group, welcomes the publication of the House of Commons Business and Trade Committee report “Toward a new doctrine for economic security.” The report, which quotes NCC Group’s evidence to the committee, calls for an Economic Security Bill to enshrine the approach set out in the new report in law, with the appointment of a dedicated Economic Security Minister. Katharina Sommer, NCC Group Head of Government Affairs and Analyst Relations, is quoted in the report, commenting on cyber and emerging technology, diagnosing a shared understanding of threats, and increased liability for software developers. 

The Committee’s report recommends a number of concrete steps to re-double efforts to build the UK’s cyber resilience. A critical step is including the creation of a dedicated SME Resilience Fund to enhance the cyber resilience of smaller businesses. NCC Group has long advocated for digital safety nets for small and medium-sized organisations, in light of the critical role they play across the economy. 

Commenting on the report’s findings, Katharina Sommer, NCC Group Head of Government Affairs and Analyst Relations said:

“This report is a clarion call for Government to take a more coordinated approach to safeguarding the UK’s economic security. This must include enhanced cyber resilience. The attack surface for nation states and organisations is rising, as warned in NCC Group’s Global Cyber Policy Radar, cyber security programmes must adapt to a new era of geopolitics. This is a challenge that requires a whole-of-society approach, with public-private partnerships and the UK cyber sector playing a crucial role. Greater guidance has been provided by the UK’s National Cyber Security Centre (NCSC) and Government’s Codes of Practice, such as on software security, but this guidance must be backed by greater accountability. NCC Group will continue to engage with parliament on the critical issues facing our economic security, particularly on the recommendations to redouble cyber resilience efforts, such as mandatory incident reporting, and tax relief on cyber improvement spend.” 

NCC Group’s Global Cyber Policy Radar is the definitive report on the ripple effects of cyber security regulation, available here: www.nccgroup.com/global-cyber-policy-radar/ 

Cyber and emerging technology 

Evidencing the growing threat faced by organisations, coupled with the vital dependency that society and the economy have on IT systems, Katharina Sommer’s evidence adds: “digital technology… has just broadened the attack surface massively, so there are targets everywhere nowadays.” 

Diagnose a shared understanding of threats 

The report argues that achieving a ‘whole of society approach’ to economic security will require a shared diagnosis of the threats the UK faces across the public and private sectors. Katharina Sommer’s evidence adds: “more mature private sector partners, whether they come from the cyber industry or from businesses” can act as the “bridge” between Government and other firms: “We’ll do that translation layer and make that intelligence actionable for a less mature organisation.” 

Liability for software developers 

While “secure by design” principles are critical for software providers, as set out in the Government’s Software Security Code of Practice, such compliance should be seen as a minimum standard. Commenting on the Government’s Software Security Code of Practice, Katharina Sommer’s evidence adds: “this aims to incentivise “software developers and procurers of software to pay attention to secure-by-design features in their software.” Noting that the Code is currently voluntary, with self-assessment the only method for monitoring compliance amongst participants. 

The report aims to reinforce a whole-of-society approach to economic security, recommending a doctrine with clear strategic principles, referred to by the Committee as the Six Ds: 

1. Diagnose emerging risks early, using shared intelligence across sectors; 
2. Develop domestic capability in key industries; 
3. Diversify critical supply chains, energy sources and technology inputs; 
4. Defend against hostile state and non-state actors in markets and cyberspace; 
5. Deter coercion and malign influence through credible counter-measures; and 
6. Dovetail the UK’s efforts with allies to build collective strength and resilience. 

The report's recommendations

To embed this approach, the report recommends four first steps: 

1. The adoption of a new economic security doctrine with clear strategic principles; 
2. A holistic approach to threat assessment, fully involving the private sector; 
3. A coherent institutional framework across Government; and 
4. A truly whole-of-society approach, underpinned by strong public-private partnership.