New UK Software Security Code of Practice
The question
What impact will the new voluntary Software Security Code of Practice have on UK organisations?
The key takeaway
The UK Government has now established and published a voluntary Software Security Code of Practice (the Code). The Code aims to improve the security and resilience of software that organisations and businesses rely on by outlining the steps businesses should take to improve the software security and resilience across the market.
The background
On 7 May 2025, the UK Government published the Code which is designed to support software vendors and their customers in reducing the likelihood and impact of software supply chain attacks.
The scope of the Code is focused on security and resilience expectations for organisations that develop and/or sell software to other businesses or organisations. While voluntary, the Code is designed primarily for use in business-to-business (B2B) contexts involving proprietary software.
Designed in conjunction with technical experts at the National Cyber Security Centre as well as a group of industry and academic experts, the Code is directed at senior leaders within software vendor organisations, who are expected to ensure compliance across their organisation. The Code is accompanied by implementation guidance tailored to technical teams and varied organisational contexts. Organisations procuring software are also encouraged to use the Code and guidance to assess supplier practices and inform contract negotiations.
The development
The Code consists of 14 principles that software vendors are expected to implement to establish a consistent baseline of software security and resilience across the market. The Code is also designed to work alongside similar guidance implemented internationally, in order to reduce the compliance burden on businesses operating across borders. The Government has identified these principles, which affect several key stakeholder groups, as fundamental and achievable measures which, if implemented, represent a robust approach to software security and resilience across the market.
As mentioned above, the stakeholder groups include:
- software developers and distributors: "any organisations that both develop and sell software or software services"
- software resellers: "organisations that sell software but do not develop the software themselves"
- software developers only: "organisations that develop software but are not involved in the sale or distribution of software"
- senior leaders in software vendor organisations: "a Senior Responsible Owner (SRO) should be appointed at the top-tier leadership level of an organisation. This individual will be accountable for ensuring the principles of the Code are followed by relevant teams and individuals within their organisations"
- specialist and technical teams/roles: "those who design and develop software, those responsible for maintaining software, and those responsible for communicating with business customers"
- organisations procuring software: "business and organisations that procure software can use this Code to inform negotiations with suppliers".
The Code contains 14 principles split across four themes:
- secure design and development
- build environment security
- secure deployment and maintenance, and
- communication with customers.
Key principles outlined in the Code include:
- following an established secure development framework
- understanding the composition of the software and assessing the risks linked to the ingestion and maintenance of third-party components throughout the development lifecycle
- having a clear process for testing software and software updates before distribution
- following secure by design and secure by default principles throughout the development lifecycle of the software
- protecting the build environment against unauthorised access
- distributing software securely to customers
- having processes and documentation in place for proactively detecting, prioritising and managing vulnerabilities in software components, and
- reporting vulnerabilities to relevant parties where appropriate.
As mentioned above, an SRO should be appointed at senior leadership level to hold accountability for the principles being followed within their organisations.
Why is this important?
By adhering to the Code, in-scope UK businesses will improve their ability to manage the risk of software supply chain attacks and other software resilience incidents effectively. This in turn will allow businesses to maintain a strong reputation with UK consumers and to differentiate themselves from competitors through their commitment to software security.
The implementation of the Code aligns with the global trend of strengthening cybersecurity legislation and tools, such as the recently published European Vulnerability Database. This is primarily due to the increased risk of cyber threats and identified supply chain vulnerabilities globally. The focus on security aims to help promote the UK as a leader in the technology marketplace.
Any practical tips?
The relevant stakeholders within UK organisations should start taking steps towards implementing the principles of the Code. In the first instance, an SRO should be appointed at the top-tier leadership level of software vendor organisations, in order to assess where their business currently falls short of the Code and to start pulling together the cross-functional resources required to implement the Code's principles.