YUDU Sentinel Blog

Crisis Management in 2025: Lessons Learned and What to Expect in 2026

Written by Edward Jones | 12 Nov 2025

Introduction

As 2025 draws to a close, the UK’s crisis management landscape looks very different from the one we started the year with. New legislation, high-profile cyber incidents, and the continued evolution of security threats have pushed crisis preparedness from an operational priority to a board-level necessity.

From Martyn’s Law - a defining piece of legislation for physical security - to the Government’s push for stronger cyber resilience, organisations are facing new responsibilities and expectations. At the same time, recent cyber attacks on household names like Jaguar Land Rover, Marks & Spencer, and the Co-operative Group have shown how quickly an incident can escalate into a full-scale crisis affecting operations, reputation, and compliance.

For leaders and resilience professionals, 2026 must be a year of action: a time to modernise crisis management strategies, unify communications, and embed resilience into every layer of the organisation.

1. Martyn’s Law edges closer: the countdown to compliance begins

On 3 April 2025, the Terrorism (Protection of Premises) Act 2025 - better known as Martyn’s Law - received Royal Assent. Named in memory of Martyn Hett, one of the victims of the Manchester Arena attack, the legislation marks a milestone in how the UK approaches public safety and protective security.

Martyn’s Law introduces a requirement for certain publicly accessible premises and events to take “reasonably practicable” measures to mitigate and respond to terrorist incidents. A Government implementation period of up to 24 months means organisations could face compliance checks as early as 2026, making the next 12 months crucial for preparation.

What this means for crisis management

The Act will require organisations to think differently about how they plan for, communicate during, and recover from major incidents. Preparedness will no longer be voluntary - it will be a legal obligation.

Key actions include:

  • Conducting venue risk assessments and developing practical response plans.
  • Ensuring staff are trained and equipped to respond under pressure.
  • Establishing reliable communication systems for alerts, lockdowns, and evacuations.
  • Maintaining evidence of compliance, including records of exercises and training.

Crisis management platforms such as YUDU Sentinel can underpin these requirements - offering tools for mass alerting, two-way communication, audit trails, and training simulations - but the principle is universal: readiness must be planned, practised, and proven.

2. Cyber resilience takes centre stage

If Martyn’s Law strengthens the UK’s approach to physical security, the UK Cyber Security and Resilience Bill aims to do the same for digital infrastructure. Announced in late 2025, the Bill is designed to expand and toughen existing NIS (Network and Information Systems) Regulations, bringing managed service providers, critical suppliers, and key national sectors under stricter oversight.

The proposed legislation follows a year in which the UK saw an alarming rise in cyber attacks - not only in number but in their scale and sophistication. The economic impact of cyber crime in the UK now exceeds £14 billion per year, according to Government research, and the costs of individual breaches are spiralling.

What this means for UK businesses

Cyber threats are no longer confined to the IT department — they are now business-wide crises with immediate financial, legal, and reputational consequences.

The forthcoming legislation will:

  • Demand faster incident reporting and clearer accountability.
  • Place more emphasis on supply chain risk management.
  • Require organisations to demonstrate readiness, not just claim it.

For crisis leaders, this underscores the need for joined-up communication between cyber, operations, and executive teams. When systems go down or sensitive data is compromised, the ability to coordinate securely - outside standard corporate networks - becomes essential.

3. Lessons from the year’s biggest incidents

2025 provided no shortage of examples of what happens when crisis preparedness fails to keep pace with evolving threats.

  • Jaguar Land Rover was hit by one of the most disruptive cyber attacks in UK history, halting production and reportedly costing the economy £1.9 billion.

  • Marks & Spencer faced a ransomware incident that disrupted its e-commerce operations, wiping hundreds of millions off expected profits.

  • The Co-operative Group suffered a “malicious” data breach affecting over six million members and damaging public trust.

These incidents shared common characteristics: delayed communication, operational paralysis, and the need for months of recovery. They also demonstrate that crisis management is no longer an isolated discipline - it must integrate with IT security, business continuity, public relations, and legal compliance.

For 2026, the lesson is clear: organisations that continue to treat crisis response as reactive and siloed risk becoming the next headline.

4. The 2026 horizon: new pressures, new expectations

The coming year will mark a turning point in how organisations approach resilience. As regulatory and stakeholder scrutiny intensifies, the ability to demonstrate preparedness - and recover quickly from disruption - will define operational credibility.

Here’s what to expect in 2026:

a. Hybrid crises

Cyber, physical, and reputational threats are increasingly intertwined. A ransomware attack could disable physical access systems; a safety incident could trigger IT shutdowns. Crisis management frameworks must evolve to handle multi-dimensional scenarios.

b. Supply-chain accountability

The Cyber Resilience Bill is expected to extend liability to suppliers and service providers. Organisations will need full visibility of who they rely on — and how those partners would respond in a crisis.

c. Regulatory evidence

Having a crisis plan will not be enough. Regulators will want to see proof — logs, audit trails, and after-action reports that show plans were executed and teams were trained.

d. Speed of response

The window between detection and disclosure is shrinking. Organisations must have pre-approved communication pathways and multi-channel alert systems that can operate even when normal networks are down.

e. Simulation and training

Crisis exercises will shift from occasional table-tops to continuous simulation programmes, testing physical and cyber readiness together.

f. The rise and rise of out-of-band communications

One of the most significant trends heading into 2026 is the mainstream adoption of out-of-band communication platforms - systems that operate independently of core IT and email networks.

The need for these secure, alternative channels has become clear after a year marked by severe cyber disruptions and increasing scrutiny from regulators such as the FCA and ICO. When traditional networks are compromised, whether by ransomware or infrastructure failure, organisations must retain the ability to coordinate, communicate, and make decisions securely.

As digital resilience becomes an operational standard, out-of-band platforms such as YUDU Sentinel are emerging as an essential component of every modern crisis management toolkit - not just for emergencies, but as part of everyday resilience planning.

5. Building a foundation for resilience

To meet these rising expectations, organisations should focus on five practical priorities heading into 2026:

  1. Integrate your crisis plans - align physical, cyber, and reputational response into one coherent framework.

  2. Establish alternative communication channels that remain functional during outages or cyber incidents.

  3. Map and monitor your supply chain, identifying critical dependencies and third-party vulnerabilities.

  4. Invest in regular crisis simulations, including hybrid physical–cyber scenarios.

  5. Capture evidence - maintain detailed records of training, drills, and incident responses for regulatory and internal review.

Platforms such as YUDU Sentinel are already helping organisations achieve these goals - offering secure, out-of-band communication, mass alerting, and robust reporting features that support compliance under Martyn’s Law and the forthcoming Cyber Resilience Bill.

But even without new tools, the mindset shift is clear: resilience is now a core business function, not a supporting one.

Final Thoughts

2025 has been a defining year for crisis management in the UK. With the passage of Martyn’s Law, the emergence of a new cyber resilience regime, and a string of major security incidents shaking public trust, organisations face a more demanding — and interconnected — risk environment than ever before.

As 2026 approaches, the challenge is not only to respond faster when crises occur, but to build systems, teams, and cultures that are ready before they do.

Those that succeed will treat resilience as a living capability — one that is trained, tested, and continuously improved.

And in the years ahead, that readiness will be what separates those who merely survive disruption from those who lead through it.