The Compliance Tailwind: Why the King's Speech Just Changed the Budget Conversation for UK Security Teams
The Cyber Security and Resilience Bill confirms that regulatory obligations are expanding and reporting requirements are tightening. GET-IT's passive audit of 2,011 UK domains shows what the exposure reality looks like on the ground — and why the remediation is more achievable than most boards assume.
Franco Pietrantonio, Principal Consultant, GET-IT Solutions Ltd. 15 May 2026
Wednesday's King's Speech received rather less media attention than it deserved, drowned out as it was by the week's political noise. For IT and security leaders, that would be a costly oversight. Buried within the legislative agenda were two of the most practically significant signals in years for anyone responsible for UK organisational security.
The Cyber Security and Resilience Bill — confirmed for the coming Parliamentary year — will expand the scope of existing regulations to cover a broader range of digital services, place regulators on firmer statutory footing, and significantly tighten incident reporting requirements. The intent is not ambiguous: the government wants a clearer national picture of the threat landscape, and organisations will be legally obliged to provide it.
Alongside this, the long-overdue reform of the Computer Misuse Act — legislation that dates, improbably, to 1990 — signals meaningful relief for the security researchers and ethical hackers who have spent decades operating in a legal grey area that has consistently hamstrung the very people responsible for stress-testing our defences.
The Board Argument, Gift-Wrapped
The perennial obstacle for security leaders is rarely technical. It is the boardroom — where security has historically been framed as a cost centre rather than infrastructure. Legislative obligation changes that calculus, and the direction of travel from Wednesday is now unambiguous.
The question is not whether your organisation will need to respond — the question is how to use this moment.
Franco Pietrantonio — GET-IT Solutions, May 2026
Boards that have historically deferred security investment may find themselves in a different conversation when the question is no longer "should we spend this?" but "what is our plan for meeting our legal obligations?" That is a fundamentally different kind of discussion — and it is the one security leaders have been waiting for.
None of this will happen overnight. But direction of travel is what drives forward planning, and the direction here is clear.
The Exposure Reality: What 2,011 UK Domains Actually Show
In parallel with this legislative backdrop, GET-IT recently completed a passive external audit of 2,011 UK-biased domains across five sectors: Finance, Charities, Education, Manufacturing, and general SMEs. The methodology is entirely non-intrusive — no systems accessed, no credentials tested — focusing solely on what any motivated external observer could discover without ever logging in anywhere.
The headline findings are sobering.
87.8% lack DMARC 'reject' enforcement
60.5% show a strong front-end with an exposed back-end
82% exposure rate in the charity sector
55.2 whole-market average maturity score (out of 100)
Nearly nine in ten domains lacked DMARC 'reject' enforcement — the policy control that actively blocks email impersonation attempts. In financial services, where a convincingly spoofed payment instruction or a cloned login page can cause immediate material harm, this gap between regulatory intent and technical execution is striking. In the charity sector, the same gap enables fraudulent donation campaigns using addresses that appear entirely legitimate to recipients.
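The check behind that headline figure is a DNS TXT lookup at _dmarc.<domain> followed by a reading of the policy tags. The classifier below is an added example written for this article, not part of the GET-IT audit or its tooling; the domains and records are constructed placeholders, and it treats a domain as enforced only when p=reject applies to the whole domain, to subdomains (sp=), and to 100% of failing mail (pct=).

```python
# Constructed sample TXT records, as they would be read from _dmarc.<domain>.
# Illustrative placeholders only, not domains or results from the GET-IT audit.
SAMPLE_RECORDS = {
    "bank-example.co.uk": "v=DMARC1; p=reject; rua=mailto:dmarc@bank-example.co.uk",
    "charity-example.org.uk": "v=DMARC1; p=none; rua=mailto:reports@charity-example.org.uk",
    "school-example.ac.uk": "v=DMARC1; p=quarantine; pct=20",
    "partial-example.co.uk": "v=DMARC1; p=reject; pct=50; sp=none",
    "nopolicy-example.co.uk": None,  # no _dmarc TXT record published at all
}

def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into lower-cased tag -> value pairs."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def classify(record) -> dict:
    """Describe how much protection a record gives against direct-domain spoofing.

    'enforced' is True only when failing mail is rejected for the organisational
    domain, for its subdomains (sp= defaults to p=), and for 100% of messages.
    """
    if record is None:
        return {"policy": "missing", "pct": 0, "subdomain_policy": "missing", "enforced": False}
    tags = parse_dmarc(record)
    policy = tags.get("p", "").lower()
    if tags.get("v", "").upper() != "DMARC1" or policy not in ("none", "quarantine", "reject"):
        return {"policy": "invalid", "pct": 0, "subdomain_policy": "invalid", "enforced": False}
    sub_policy = tags.get("sp", policy).lower()
    try:
        pct = max(0, min(100, int(tags.get("pct", "100"))))  # pct= defaults to 100
    except ValueError:
        pct = 100  # treat a malformed pct= as the default
    enforced = policy == "reject" and sub_policy == "reject" and pct == 100
    return {"policy": policy, "pct": pct, "subdomain_policy": sub_policy, "enforced": enforced}

def share_lacking_reject(records: dict) -> float:
    """Percentage of domains in `records` without full reject enforcement."""
    lacking = sum(1 for rec in records.values() if not classify(rec)["enforced"])
    return round(100.0 * lacking / len(records), 1)

if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        print(f"{domain:26} {classify(record)}")
    print(f"Lacking reject enforcement: {share_lacking_reject(SAMPLE_RECORDS)}%")
```

The two "partial" cases are the ones that most often pass a casual glance: p=reject with pct=50 still lets half of spoofed mail through, and sp=none leaves every subdomain open.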
The "Half-Done" Problem
Across all sectors, 60.5% of domains showed what the audit terms a "Half-Done" pattern: meaningful investment in front-facing security controls alongside surprisingly exposed administrative pathways and back-end infrastructure. The digital equivalent of a locked front door with an open window round the side.
Sector by Sector
Sector        | Maturity /100 | Risk Score | Exposure Rate | Profile
Finance       | 65            | 30         | 42%           | Resilient but Leaky
Charity       | 61            | 85         | 82%           | High Risk Profile
Education     | 53            | 55         | 67%           | Monitoring Gap
Manufacturing | 49            | 60         | 54%           | Maturity Floor
General SME   | 48            | 55         | 38%           | Hidden Vulnerability
Finance leads on maturity, but its 42% exposure rate is conspicuous for a heavily regulated industry — suggestive of legacy systems or complex third-party integrations creating persistent gaps that compliance posture alone doesn't close. The Charity sector presents the most concerning picture: a respectable maturity score of 61 sitting alongside an 82% exposure rate. That is high policy adoption being overwhelmed by resource constraints and systems that have been allowed to drift.
For SMEs — likely the majority of supply chain partners for any regulated entity — the picture is quietly worrying in a different way. A relatively low exposure rate reflects a smaller digital footprint, not better security. With the lowest maturity score in the dataset (48), any expansion in digital activity could see risk spiral quickly.
The Remediation Gap
One of the audit's most striking findings concerns the remediation test. A standard WordPress deployment — configured to mirror the most common systemic failings found across the dataset — was hardened to a consistent A+ security header rating using established best practices, with no loss of site functionality. Observable risk dropped by approximately 90%.
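The header rating referred to above comes from checking a site's HTTP response headers against a fixed set of expected controls. The grader below is an added example written for this article, not the GET-IT headers grader or the WordPress configuration used in the audit; its two header sets are constructed, its grading scale is simplified, and the 180-day HSTS threshold is an assumption (real graders differ).

```python
import re

# Constructed response header sets (not captures from the GET-IT audit):
# a typical out-of-the-box install and the same site after hardening.
DEFAULT_SITE = {
    "Server": "Apache/2.4.41 (Ubuntu)",
    "X-Powered-By": "PHP/7.4.3",
    "Content-Type": "text/html; charset=UTF-8",
}
HARDENED_SITE = {
    "Content-Type": "text/html; charset=UTF-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}
MIN_HSTS_AGE = 15552000  # 180 days; an assumed threshold, real graders differ

def _get(headers: dict, name: str):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), None)

def check_headers(headers: dict) -> dict:
    """Return findings and a simplified letter grade for one response's headers."""
    findings = []
    hsts = _get(headers, "Strict-Transport-Security") or ""
    age = re.search(r"max-age=(\d+)", hsts)
    if not age or int(age.group(1)) < MIN_HSTS_AGE:
        findings.append("Strict-Transport-Security missing or max-age too short")
    csp = _get(headers, "Content-Security-Policy") or ""
    if "default-src" not in csp:
        findings.append("Content-Security-Policy missing or without default-src")
    if "frame-ancestors" not in csp and not _get(headers, "X-Frame-Options"):
        findings.append("no clickjacking protection (frame-ancestors or X-Frame-Options)")
    if (_get(headers, "X-Content-Type-Options") or "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")
    for name in ("Referrer-Policy", "Permissions-Policy"):
        if not _get(headers, name):
            findings.append(f"{name} missing")
    # Version strings in Server / X-Powered-By are an information leak: they cost the A+ but
    # are graded more gently than a missing control.
    leaks = [n for n in ("Server", "X-Powered-By") if re.search(r"\d", _get(headers, n) or "")]
    grade = "A+" if not findings and not leaks else "ABCDF"[min(len(findings), 4)]
    findings += [f"{n} discloses a version string" for n in leaks]
    return {"grade": grade, "findings": findings}

if __name__ == "__main__":
    for label, hdrs in (("default", DEFAULT_SITE), ("hardened", HARDENED_SITE)):
        print(label, check_headers(hdrs))
```

Every header in the hardened set is a static server or application configuration change, which is why the audit could reach A+ without touching site functionality.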
Which raises the question the audit closes on: if the remediation is achievable and well understood, why do these exposures persist at scale?
The honest answer, in most cases, is prioritisation. And the legislative signal from Wednesday's King's Speech is, at minimum, an unusually powerful prompt to revisit that conversation at board level — while the argument, for once, is sitting firmly on the security team's side.
The full UK Cyber Risk Landscape 2026 report and the GET-IT Cyber Vitals assessment tools are available at get-it.uk/check-your-exposure. The passive scan and security headers grader require no login.