UK Government Publishes New Software and Cyber Security Codes of Practice
Thursday, May 15, 2025

As cyber security continues to be headline news, it is timely that on 7 May 2025 the UK government published a new voluntary Software Security Code of Practice: Software Security Code of Practice – GOV.UK

This Code is designed to be complementary to relevant international approaches and existing standards and where possible reflects internationally recognized best practice including as outlined in the US Secure Software Development Framework (Secure Software Development Framework | CSRC) and the EU Cyber Resilience Act (Cyber Resilience Act (CRA) | Updates, Compliance, Training).

This Code consists of 14 principles split across 4 themes (secure design and development; build environment security; secure deployment and maintenance; and communication with customers). Software vendors are expected (but, to stress the voluntary nature of this Code, are not legally obliged) to implement these principles to establish a consistent baseline of software security and resilience across the market. The principles are stated to be relevant to any type of software supplied to business customers.

“Software Vendors” are defined under this Code as organisations that develop and sell software or software services; “Software” is code, programmes and applications that run on devices including on hardware devices and via cloud/SaaS.

A self-assessment form is also made available (Software-Security-Code-of-Practice-Self-Assessment-Template.docx) which software vendors can use to assess and evidence compliance with this Code.

This Code follows on from the Cyber Governance Code of Practice and supporting tool kit published on 8 April 2025 (Cyber Governance Code of Practice – GOV.UK) to support boards and directors of medium and large organizations to govern cyber security risks. The emphasis of this Code is to support boards and directors to effectively govern and monitor cyber security within their business, but it is not intended for use by those people in a business whose role is the day-to-day management of cyber security.

As cyber security continues to be a high-profile and business-critical issue for many businesses, it is likely that in the coming months we may start to see compliance with these voluntary codes becoming contractual obligations imposed on suppliers.


More from Squire Patton Boggs (US) LLP
