UK introduces software security Code of Practice to bolster digital resilience

While voluntary, the Software Security Code of Practice represents a baseline of responsibility for organisations producing and supplying software in the UK.

The UK Department for Science, Innovation and Technology (DSIT) has released the Software Security Code of Practice, a voluntary framework aimed at strengthening the security and resilience of software systems used by organisations across the country. Developed in collaboration with the National Cyber Security Centre (NCSC) and refined through public consultation, the Code sets out practical expectations for software vendors to mitigate the growing risk of supply chain attacks and systemic vulnerabilities.

Structured around 14 principles grouped into four thematic areas, the Code addresses all critical stages of software security, from design and development to ongoing maintenance and communication with customers. The principles reflect internationally recognised best practices and align with global efforts, including the US Secure Software Development Framework and the EU’s Cyber Resilience Act.

The Code is intended for organisations that develop, sell, or distribute software in business-to-business settings. This includes independent software vendors, SaaS providers, managed service providers, and resellers. It outlines differing responsibilities based on the nature of the organisation. While software developers and distributors are expected to adhere to all principles, resellers are primarily responsible for secure deployment and communication with clients. Open-source developers are not the primary audience, as the Code focuses on commercial vendor obligations.

To ensure accountability, each organisation is expected to appoint a Senior Responsible Owner (SRO) at the leadership level. This individual oversees adherence to the Code and ensures teams have the necessary resources and expertise. Implementation guidance accompanies the Code to support technical teams with practical steps and references to existing frameworks.

The principles include requirements to follow secure development practices, protect the build environment, ensure secure deployment and vulnerability management, and maintain transparent communication with enterprise customers. Notably, vendors are expected to provide at least one year’s notice before withdrawing support for a product and to disclose major incidents that could affect customers.

A self-assessment tool has been released to help vendors evaluate compliance. This tool is structured using the NCSC’s Principles-Based Assurance (PBA) model, allowing flexibility in how organisations demonstrate adherence. A government-backed certification scheme based on this model is under development.

The Code also places a strong emphasis on skills development. It highlights the importance of formal training, industry certifications, and support from government-led initiatives such as the UK Cyber Security Council and NCSC-certified degree programs. A new undergraduate standard focused on software security and secure software lifecycles is expected to launch in 2025.

While voluntary, the Software Security Code of Practice represents a baseline of responsibility for organisations producing and supplying software in the UK. It is an effort to improve national cyber resilience, promote trust in digital systems, and set clear expectations for secure software development and supply.

The Code was launched at the CyberUK 2025 event on 7 May 2025.