
Cyber-attacks are no longer an abstract risk discussed in board papers or crisis simulations. They are a persistent and damaging feature of the UK’s economic and public life. Over the past year alone, incidents affecting major retailers, manufacturers and transport operators have disrupted services, halted production and eroded public trust. In the most serious cases, cyber-incidents have contributed to real human harm. Against that backdrop, the government’s Cyber Security and Resilience Bill, introduced following the 2024 King’s Speech, is both timely and necessary. It reflects a growing recognition that the existing regulatory framework is no longer sufficient for the threat landscape the UK now faces.
The bill is intended to update the 2018 Network and Information Systems Regulations in response to increasingly frequent and sophisticated attacks. It expands the scope of regulation to include managed service providers, certain digital service providers and load controllers, organisations that play a growing role in managing electrical demand through smart infrastructure. It also introduces the concept of critical supplier designation, designed to address supply chain weaknesses that have repeatedly been exploited, including in high-profile attacks on healthcare providers that had severe consequences for patient care.
There is no question that parts of the bill move in the right direction. But there are also clear weaknesses that risk limiting its impact unless they are addressed as the legislation progresses.
One of the most significant issues is a lack of clarity around who, exactly, falls within scope. The definitions of managed service providers and certain digital service providers are imprecise, and the criteria that will be used to designate an organisation as a critical supplier remain unclear. Much of the detail that will determine how the bill operates in practice has been deferred to secondary legislation.
From a policy perspective, this may offer flexibility. From an operational perspective, it creates real uncertainty for organisations that are trying to prepare. CISOs are expected to anticipate new obligations, justify investment and build programmes that will stand up to regulatory scrutiny, yet they do not yet have a clear view of the standards they will be held to or whether their organisation will be directly regulated.
That uncertainty matters because the timelines implied by the bill are unlikely to be forgiving. Once secondary legislation is finalised, compliance expectations are likely to move quickly. Organisations that have delayed preparation because they were unsure whether they were in scope may find themselves under pressure to close significant gaps in a short period of time.
There is also ambiguity in how the bill describes expected security outcomes. References to having regard to the “state of the art” in managing cyber-risk sound sensible, but they are not especially helpful without further interpretation. What constitutes state of the art varies widely depending on sector, size, risk profile and available resources. Without clearer guidance, there is a risk of inconsistent enforcement and confusion over what good looks like in practice.
Despite these shortcomings, the bill does introduce several welcome changes. The decision to strengthen oversight of critical national infrastructure and the supply chains that underpin it reflects the reality of modern attacks. Threat actors increasingly target shared service providers and third parties precisely because of the downstream impact they can achieve. Bringing more of that ecosystem into scope is a necessary step.
Stricter incident reporting requirements are also a positive development. The introduction of a 24-hour initial report followed by a more detailed submission within 72 hours will improve situational awareness and help regulators respond more effectively to systemic risk. Enhanced enforcement powers, including turnover-based fines, send a clear signal that cyber-security failures can no longer be treated as a cost of doing business. Where privately owned organisations are effectively custodians of essential infrastructure, profit motives should not be allowed to undermine resilience.
The expansion of the Cyber Assessment Framework as a reference point for compliance is another sensible move. The framework provides a structured approach to governance, risk management and technical controls, and offers organisations a common language for discussing cyber-security maturity. Aligning with it is likely to become an important way for regulated entities to demonstrate due diligence if an incident occurs.
However, the bill’s overall scope remains too limited. Most notably, government departments and many public sector bodies remain largely outside direct regulation. This is a missed opportunity. Public services have been repeatedly disrupted by cyber-incidents in recent years, and voluntary codes of practice have not consistently delivered the improvements needed. While the bill allows for the possibility that the public sector could be brought into scope at a later date, relying on delegated powers and future action leaves significant risk unaddressed in the meantime.
The same is true for large enterprises in highly targeted sectors that fall outside the current definition of critical national infrastructure. Recent attacks on manufacturers and retailers have shown that cyber-disruption has direct economic consequences. Official figures have already linked cyber-incidents to reduced output and slower growth. With cyber-attacks estimated to cost the UK economy billions of pounds each year, resilience should be viewed as an economic imperative as much as a security concern.
For organisations that are clearly in scope, the message is straightforward. Preparation needs to start now. Incident response plans should be reviewed and exercised to meet accelerated reporting timelines. Supply chain exposure needs to be mapped and understood. Internal assessments against the Cyber Assessment Framework should be underway, with gaps identified and addressed before regulators begin formal enforcement.
For organisations that are not currently covered by the bill, complacency would be a mistake. Cyber-attacks do not respect regulatory boundaries, and the direction of travel is clear. As incidents continue and their impact becomes harder to ignore, pressure for broader and more robust regulation will only increase. Organisations that wait to be compelled before acting are likely to find themselves reacting to crises rather than managing risk.
The Cyber Security and Resilience Bill represents a long-overdue attempt to modernise the UK’s approach to cyber-security regulation. It brings welcome improvements and aligns parts of the system more closely with international best practice. But it is not yet ambitious enough. Without clearer definitions, faster certainty on requirements and a much wider scope that includes public sector services and major economic players, it risks falling short of its stated aim.
Cyber-resilience cannot be achieved by regulating only part of the ecosystem. Attackers will always look for the weakest link. If the UK is serious about reducing the frequency and impact of major cyber-incidents, the net needs to be wider, the expectations clearer and the urgency greater. The bill opens the door. It now needs to go further.
Jonathan Lee is Cyber Strategy Director at Trend Micro