May 2026 – Newsletter Update

We recognise that staying on top of changes to legislation and advice can be difficult. Here are some articles and alerts we’ve seen lately that we think you should be aware of, or might be interested in.

Please note that we’ve included links below to external websites. PCML consultants are not responsible for the content of any external websites.

We’ve collated the below from alerts and bulletins that we receive from UK Government agencies and others. You can find links to those sources and others on our website. We’ve linked to that page on our website at the end of this email.

This update includes Information Security, Environment and Health & Safety – click to jump to the relevant section. This update covers the period from November 2025 to April 2026.

Information Security

If you are an IT professional; these articles may be directly of use to you. If you are a manager with responsibility for information security and an in-house or outsourced IT function, you may wish to check that they are aware of this advice.

Legislative changes and Policy

Cyber Security and Resilience Bill returns to Parliament.

The Government has confirmed that the Bill will return for the second session in 2026. That keeps the proposed expansion of the UK NIS regime firmly in play, including wider coverage for critical services and digital infrastructure. Organisations that may fall within scope, or supply those that do, should continue tracking the Bill and pressure-test incident reporting, supplier assurance, and resilience arrangements now rather than waiting for Royal Assent.

Source: DSIT cyber security newsletter – May 2026; Government cyber defences announcement

 Cyber Security Breaches Survey 2025/26 underlines the continuing business exposure.

The latest UK survey says 43% of businesses experienced a cyber breach or attack in the last 12 months, rising to 69% of large businesses. Phishing remains the most common problem by a considerable margin. The figures are a helpful prompt that basic controls, phishing awareness, incident readiness, and supplier assurance remain worthwhile board-level topics, even where no major incident has yet been experienced internally.

Source: Cyber Security Breaches Survey 2025/2026

 International Standards

No noted significant changes or proposed changes to the ISO27000 family of standards during the reporting period.

Microsoft

May 2026 Patch Tuesday was a larger-than-usual release.

SANS reports that Microsoft’s 12 May 2026 release addressed 137 Microsoft vulnerabilities, alongside 137 Chromium-related fixes for Edge, with no publicly disclosed or already exploited Microsoft vulnerabilities listed in that month’s set. The release still included several high-value targets, including a pre-authentication Netlogon remote code execution issue and an elevation of privilege issue affecting the Microsoft SSO plugin for Jira and Confluence. Businesses should check that normal monthly patch cycles have completed and that higher-risk externally exposed services have not slipped.

Source: SANS May 2026 Patch Tuesday summary; Microsoft Security Update Guide

Exchange administrators should note the separate May Exchange vulnerability activity.

Microsoft also issued Exchange Server Subscription Edition hotfix material in May and published additional guidance around CVE-2026-42897. Where Exchange remains on-premise, it would be prudent to confirm that hotfix and security update processes remain current and that emergency update routes are understood in advance.

Source: Exchange Server HU6 May 2026; Exchange CVE-2026-42897 guidance

Apple

Apple issued a broad May security update cycle across current and legacy platforms.

Apple’s security releases page shows coordinated updates on 11 May 2026 for iOS, iPadOS, macOS, tvOS, watchOS and visionOS, including support for older devices still in service, followed by Safari 26.5 on 13 May 2026. That breadth is a useful reminder that Apple estates often include a mix of supported older hardware, so patch checks should include legacy iPhones, iPads, and Macs rather than only the newest devices.

Source: Apple security releases

NCSC and ICO Guidance

NCSC has been emphasising AI-enabled threats and the need to prepare for rapid patching.

Two particularly useful NCSC posts this month are its warning on retaining defensive advantage in the age of frontier AI cyber capabilities and its advice on preparing for a potential ‘vulnerability patch wave’. The practical message is familiar but important: cyber risk remains a business risk, and organisations need strong fundamentals, a workable incident process and the ability to assess possible compromise while patches are being rolled out.

Source: NCSC on frontier AI cyber capabilities; NCSC on a vulnerability patch wave; NCSC guidance on responding to active exploitation

ICO published final storage and access technologies guidance and opened consultation on updated ADM guidance.

The ICO’s final Storage and Access Technologies guidance is relevant to organisations using cookies, tracking pixels, device fingerprinting and similar tools. Alongside that, the ICO’s consultation on automated decision-making and profiling reflects the Data (Use and Access) Act 2025 changes and is especially relevant where organisations are buying or deploying decision-support or AI-enabled systems. Together, these developments point to closer scrutiny of online tracking and automated decision-making governance.

Source: ICO final Storage and Access Technologies guidance; ICO ADM and profiling consultation

ICO also published practical advice on AI-powered cyber threats.

The ICO’s five-step article is pitched accessibly and is useful for non-specialists as well as technical teams. It focuses on horizon scanning, layered controls, restricting access points, stronger monitoring and incident response, and protecting personal data. For many businesses, it is a good short checklist to review against existing arrangements.

Source: ICO five steps on AI-powered cyber threats

Noteworthy cyber incident and breach news reported since the last update

This information is provided to raise awareness of the causes of incidents and breaches, so preventative action can be taken to prevent similar breaches in your organisations. It may also be helpful to keep your awareness-raising materials up to date and build business cases for information security investment

ICO fine against South Staffordshire is a useful resilience lesson.

On 11 May 2026 the ICO announced a £963,900 fine against South Staffordshire Plc and South Staffordshire Water Plc following a major cyber-attack and data breach affecting over 633,000 people. The ICO highlighted long dwell time, weaknesses in access control, logging and monitoring, and patching or support gaps on legacy systems. For readers, the point is less the sector and more the pattern: long-running weaknesses in basic controls still turn cyber incidents into regulatory ones.

Source: ICO South Staffordshire fine

Environment

Legislative changes and Regulatory direction

Carbon Border Adjustment Mechanism continues to take shape.

The CBAM framework now has primary legislation in the Finance Act 2026, with secondary legislation and force-of-law notices continuing to be developed. The second technical consultation closed on 21 May 2026 and final secondary legislation is expected later in the year. Importers of affected higher-emissions goods should keep watching the detail, because the compliance burden will sit not just in tax treatment but also in data, evidence and supply-chain information gathering.

Source: CBAM policy summary; Finance Act 2026

Offshore wind environmental compensation reforms came into force on 21 May 2026.

The Government says the changes allow a broader range of ways for offshore wind developers to compensate for unavoidable environmental harm. For businesses involved in energy, infrastructure, planning or supply chains, this is another example of environmental controls being adjusted to support faster delivery while retaining formal mitigation requirements.

Source: Offshore wind environmental protection changes

Waste crime reforms are being tightened further.

DEFRA and the Environment Agency announced new reforms aimed at rogue waste operators, including tougher background checks, stronger enforcement powers, and requirements to display permit numbers in advertising and on vehicles. Legitimate operators may welcome the direction of travel, but should also expect closer checking of competence, authorisations and traceability.

Source: Waste crime reforms announcement

Environment Agency updates

The Environment Agency’s 2026/27 business plan points to faster permitting and more visible regulation. The Agency’s new business plan emphasises delivering new legislative requirements, preparing for emerging pressures, clearing permitting and enforcement backlogs, accelerating permit turnaround times and publishing more inspection reports. For regulated businesses, that combination suggests continued attention on responsiveness, transparency and faster-moving regulatory interactions.

Source: Environment Agency business plan 2026 to 2027; Strategic Policy Statement for the Environment Agency

Recent permit decisions show continued focus on PFAS and local nuisance controls. On 15 May 2026 the Environment Agency issued a permit variation for Angus Fire to introduce effluent treatment intended to reduce PFAS contamination risk. On 22 May 2026 it also tightened the Jameson Road landfill permit to reduce odour risk, including restrictions on waste accepted and new hydrogen sulphide monitoring requirements. Both updates are reminders that regulator expectations continue to sharpen around site-specific controls and evidence of compliance.

Source: Angus Fire permit variation; Jameson Road landfill permit variation

Health & Safety

Legislative changes and consultations

HSE’s RIDDOR consultation is the main health and safety development to note this period.

HSE has opened a consultation on possible legislative and non-legislative changes to the Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 2013. Proposals include clarifying definitions, revising the list of dangerous occurrences, updating reportable diseases and broadening the range of registered health practitioners who can diagnose a reportable occupational disease. The consultation closes on 30 June 2026, so organisations with significant incident-reporting exposure may wish to review the proposals rather than waiting for later implementation.

Source: HSE RIDDOR consultation announcement; RIDDOR consultation page

Asbestos and ongoing compliance

HSE has kept the current asbestos control limit in place.

Following review, HSE has decided that the Great Britain asbestos control limit will remain at 0.1 fibres per millilitre over a 4-hour time-weighted average. HSE said there is currently no clear evidence that lowering the legal limit would improve outcomes, and warned that doing so would bring much more work into licensable activity with significant business cost. That does not lessen the importance of asbestos management; it simply means the regulator currently sees better compliance with the existing framework as the more effective route.

Source: HSE asbestos control limit review

Asbestos inspections continue, with familiar weaknesses still being found. HSE’s Global Asbestos Awareness Week messaging highlighted three recurring failings: no robust management plan, inadequate training and poor arrangements for work that may disturb asbestos-containing materials. For dutyholders, landlords and facilities teams, this is another prompt to check that asbestos information is current, actively reviewed and understood by contractors as well as internal staff.

Source: HSE inspectors checking asbestos management

Selected enforcement and prosecution news

Recent HSE prosecutions continue to centre on maintenance, guarding and ageing plant.

Recent May cases included a £350,000 fine after a corroded chemical tank collapsed, a £92,450 fine after a worker’s leg was amputated in a road milling machine, and a £129,000 fine after machinery contact caused partial finger severance. The common thread is straightforward: known equipment risks, access to dangerous parts and degraded assets still cause life-changing injury where controls are not maintained in practice.

Source: Chemical tank collapse prosecution; Road milling machine prosecution; Glasgow machinery incident prosecution

Offshore operators may also wish to note the Valaris 121 prosecution.

HSE’s May prosecution notice on the death of a worker on the Valaris 121 focused on an unsecured grate and later inspection shortcomings. For higher-hazard sectors, it is another reminder that inspection quality and assurance of critical safety components matter as much as having procedures on paper.

Source: Valaris 121 prosecution

If you would like to discuss any of the topics we have covered in this newsletter, or would like to know more about how PCML Consultants Ltd can help you with your Information Security, Quality, Environment, H&S and Business Continuity objectives, then please don’t hesitate to get in touch

As usual, this newsletter is intended as a ready-to-review monthly summary rather than legal advice. Source links are included with each item so that any points you wish to feature more prominently can be checked and expanded easily before circulation.

Here are some more helpful links which may be of use