CSRB: Strengthening cyber-resilience in the UK?

The House of Commons Public Bill Committee concluded its examination of the Cyber Security and Resilience Bill (CSRB) at the beginning of March this year.

The Bill is the most significant piece of cyber-security legislation set to be introduced into the UK since the 2018 NIS Directive, and its aim is to modernise and improve the resilience and cyber-security of the UK’s most critical services.

The Bill comes at a time of increased cyber-attacks on Critical National Infrastructure (CNI), many of which were not anticipated when the 2018 NIS Directive was drafted.

Over the last eight years, the digital landscape has transformed significantly.

Once air-gapped, CNI environments are now routinely internet-connected, while critical organisations operate across increasingly complex supply chains, creating a web of third-party dependencies and expanding the attack surface.

This situation was clearly demonstrated in the Synnovis cyber-attack of 2024. When Synnovis, a pathology supplier to the NHS, was attacked, the impacts were severe, directly hitting citizens and putting lives at risk.

The CSRB has been designed to safeguard critical infrastructure and its supply chain against events like these in the future.

However, when looking at other events that directly impacted the UK, it’s safe to say they haven’t all been malicious.

2024 was also tainted by the mass CrowdStrike outage, which brought multiple critical sectors across the UK to a standstill, while 2025 also saw Heathrow, Europe’s busiest airport, suffer a costly closure because of a major power outage caused by a fire at a nearby electrical substation.

Although the CSRB aims to improve resilience, its focus is narrow; it could be argued that a more holistic approach to critical infrastructure resilience is needed, one which considers all hazards.

 

The EU CER Directive

While the CSRB is in the process of being formally introduced in the UK, mirroring aspects of the EU’s Network and Information Systems 2 (NIS 2) Directive, there is another EU Directive being transposed into legislation: the Critical Entities Resilience (CER) Directive.

It focuses more broadly on resilience, with an increased lens on protecting CNI from physical events which originate outside of the cyber-security realm. This is all too topical given concerns over increasing geopolitical instability and hybrid warfare.

The CER Directive strengthens the physical protection of essential services against all hazards, and it mandates that EU Member States identify critical entities operating within 11 pre-defined sectors, ensuring they have robust incident-prevention measures in place. It also recognises cross-sector and cross-border dependencies.

Energy grids, data infrastructure, transport networks and supply chains are deeply interconnected across Europe. A disruption in one jurisdiction can rapidly cascade into another, as we saw with the failure of the electrical grid across the Iberian peninsula in April 2025. The Directive therefore encourages collaboration and information sharing between states to strengthen resilience.

Importantly, the Directive emphasises service resilience rather than system resilience.

Together the CER and NIS 2 Directives provide an all-hazards approach to safeguarding CNI, covering everything from outages to natural disasters to cyber-attacks.

The scale and scope of CER is illustrated in Ireland’s recently released National Strategy on the Resilience of Critical Entities. That strategy also makes reference to the need for close co-operation between Ireland and the UK on resilience matters, recognising all too clearly the dependency on gas, electricity and shipping between the two countries.

However, in the UK, there is no comparable statutory resilience framework that mirrors the CER Directive’s all-hazards approach.

 

Gaps in UK resilience frameworks

The UK’s resilience model rests largely on the Civil Contingencies Act and sector-specific regulatory regimes.

The Civil Contingencies Act prioritises emergency preparedness, response and business continuity for key services within the UK, but given it was drafted in 2004, it predates the highly interconnected digital landscape that many critical organisations operate in today.

While it provides a strong foundation for emergency response and crisis coordination, it does not establish a unified statutory framework for identifying, designating and governing critical entities under a modern, all-hazards resilience lens, while taking into account the complex supply chains which can impact the resilience of key services.

The Government’s 2025 Resilience Action Plan detailed an intent to address these issues.

It set out three core ambitions: continuously assessing UK resilience to better target resources; strengthening the core public sector resilience system; and promoting a whole-of-society approach to preparedness. The Plan emphasised coordination, improved data sharing and clearer governance structures.

However, the Action Plan stops short of imposing baseline resilience standards or mandating comprehensive cross-sector risk assessments linked directly to operator obligations. While it demonstrates ambition, it relies largely on guidance rather than enforceable requirements.

 

Closing the gaps

The UK has an opportunity to close this gap before the next major disruption exposes systemic weaknesses.

Clearer formal designation of critical entities would strengthen accountability and reduce ambiguity. Operators should understand precisely why they are considered nationally critical, for which essential services, and what resilience obligations follow.

Resilience planning should extend beyond cyber-security controls to include physical infrastructure dependencies, supply chain risk and cascading failure scenarios, while national risk assessments should more explicitly inform operator-level obligations.

Structured cross-border collaboration also remains essential. The UK’s energy, transport and digital systems remain interconnected with European infrastructure. Alignment of information-sharing mechanisms would enhance collective situational awareness and response.

Finally, if resilience is framed as a national security priority, it must translate into minimum standards and oversight, and ultimately into investment decisions and hard choices over priorities and funding mechanisms.

Guidance alone will not deliver measurable improvement.

 

Driving CNI resilience in the UK

The UK has taken important steps to strengthen security across critical infrastructure with the CSRB, but true resilience is broader than just cyber.

Despite its stated aim of strengthening both cyber-security and resilience across UK CNI, the Bill in its current form primarily advances cyber-security, leaving broader resilience issues under-addressed.

If the UK is serious about improving national resilience, it must move beyond a predominantly cyber-centric model and adopt a more comprehensive, all-hazards approach to critical infrastructure resilience.

Otherwise, when disruption occurs, systemic fragility will continue to expose essential services, with direct consequences on citizens and the economy.

David Ferbrache is managing director at Beyond Blue

Main image courtesy of iStockPhoto.com and leolintang