Three compliance clocks are running simultaneously for UK SMEs right now. The Data (Use and Access) Act 2025, an updated Cyber Essentials v3.3 framework, and relentless FCA enforcement are converging in the first half of 2026. Miss any of them and the consequences range from regulatory fines to lost NHS contracts to an ICO investigation.
This guide cuts through the noise. Here is what each deadline means, who it affects, and what you need to do before June 19.
1. DUAA Deadline: June 19, 2026
The Data (Use and Access) Act 2025 – DUAA – receives Royal Assent and its key provisions commence on June 19, 2026. The most immediate impact for SMEs: a mandatory complaints handling process for data subjects.
Under DUAA, any individual whose data you process can formally complain about how it has been handled. You are now legally required to have a documented, auditable process to receive, investigate, and respond to those complaints within defined timeframes. "We'll get back to you" is no longer a process.
Law firms, accountancies, financial services firms, and healthcare-adjacent businesses hold the highest volumes of sensitive personal data. If you process client financial records, health data, or legal files, your data governance must be airtight by June 19.
ICO fines under GDPR are already at up to £17.5 million or 4% of global annual turnover, whichever is higher. DUAA does not change those fine levels – but it tightens the enforcement trigger. Inadequate complaints handling is a direct path to an ICO investigation.
2. Cyber Essentials v3.3: MFA Mandate from April 27, 2026
The UK government's Cyber Essentials v3.3 update lands on April 27, 2026. The headline change: multi-factor authentication (MFA) is now mandatory for all cloud services and administrator accounts.
This is not a recommendation. From April 27, any organisation seeking Cyber Essentials certification – or renewing an existing certification – must demonstrate MFA is enforced on cloud platforms (Microsoft 365, Google Workspace, AWS, etc.) and for every account with admin-level privileges.
Cyber Essentials certification is increasingly a procurement requirement. NHS suppliers must hold it. Many government contracts and regulated-sector tenders now list it as mandatory. Losing your certification in April means losing tender eligibility – potentially in days, not months.
The broader Cyber Essentials v3.3 update also refines scope for cloud services, tightens patch management timelines (critical patches within 14 days, down from 30), and clarifies bring-your-own-device policies. But MFA is the immediate action item.
50% of UK SMEs experienced a breach in the past 12 months (UK Government Cyber Breaches Survey 2025). The vast majority of those breaches involved compromised credentials. MFA would have stopped most of them.
For the full breakdown of all 5 technical controls, certification costs, and step-by-step process, see our Cyber Essentials Certification: Complete Guide.
3. FCA Enforcement: +15% Year-on-Year
For regulated firms – fintech, financial advisers, accountants, legal practices with FCA-regulated activities – enforcement is accelerating. FCA enforcement actions increased by 15% year-on-year from 2023 to 2025, and the agency has explicitly signalled that operational resilience and cyber controls are priority review areas for 2026.
The FCA's position is straightforward: a weak cybersecurity posture is a systemic risk to clients and to market integrity. Firms that cannot demonstrate adequate controls – including access management, incident response, and third-party supplier assessments – are direct targets for supervisory scrutiny.
The average breach cost for a UK law firm is £5.08M (2024–2025). For most SMEs in regulated sectors, the median breach cost sits between £40,000 and £100,000. Regulatory fines on top of that can exceed the breach cost itself.
Crypto-asset firms have an additional clock running: the FCA's new cryptoasset registration window opens in September 2026. Firms that want to operate legally in the UK need to demonstrate robust cyber and compliance controls as part of that application. Pre-work starts now.