Since the government’s announcement about the Cyber Security and Resilience Bill in the King’s speech last year, a lot has changed. The geopolitical scene has become more chaotic, with the new Trump administration challenging established international norms. The economy is struggling, and advancements in AI complicate our understanding of cybersecurity threats. In this fast-paced environment, what should guide the government’s thinking on this important legislation?
On April 1, 2025, the Department for Science, Innovation and Technology (DSIT) released a policy statement on the proposed bill. It points to a major shift in the regulatory framework, aiming to align the UK with the EU’s NIS2 framework. The statement highlights the need to tackle specific cybersecurity challenges, even though it doesn’t detail what those challenges are. Nonetheless, it’s an important acknowledgment since the UK has specific vulnerabilities, particularly within the NHS and other government sectors, as noted in a National Audit Office report.
Our critical national infrastructure (CNI) faces growing threats amid a backdrop of geopolitical rivalry with countries like China and Russia. The bill must find ways to create a comprehensive cybersecurity framework that addresses these unique challenges.
Interestingly, the policy statement overlooks the financial services sector, a key part of our economy. Previous NIS regulations excluded financial services. Will the Cyber Security and Resilience Bill do the same? The sector boasts some of the strongest security standards, which could serve as a model for others.
There are positive elements in the proposals. The emphasis on supply chain resilience, inclusion of managed service providers under regulation, recognition of data centers as part of CNI, and a transparent incident reporting system are all significant steps forward.
However, the proposed model of “sectoral regulation” could lead to a fragmented landscape, with different approaches lacking an overarching strategy. To address this, the government plans for the Secretary of State to issue a periodic “statement of strategic priorities” to ensure consistency across sectors. Whether that strategy works will depend on extensive consultation with regulators and industry, so that it is both relevant and actionable.
The policy also envisions a bigger role for the Information Commissioner’s Office (ICO). The aim is to enhance its ability to identify and mitigate cyber risks before they become problems. But for the ICO to take on these new responsibilities, it will need more resources and clearly defined roles to avoid overlap with the NCSC and ensure it has the authority over sectoral regulators.
One of the more controversial proposals involves giving the Secretary of State “Henry VIII” powers to alter regulations and expand the regulatory framework to new sectors. How such changes would be scrutinised remains unclear, since they wouldn’t require an Act of Parliament. Such top-down approaches are often used in fast-evolving sectors, but it is crucial that these powers face proper examination.
The challenge lies in ensuring that efforts to improve cybersecurity regulation don’t become outdated before implementation. The framework must also strike a balance, promoting better cybersecurity without stifling innovation in the business ecosystem. Engagement from businesses of all sizes is essential for fostering compliance and understanding.
Finally, it’s important to recognize that legislation alone won’t solve all our cybersecurity issues. There must be a concerted effort to weave cybersecurity awareness and practices into the fabric of society, fostering a collective understanding of the threats we face and a shared commitment to combat them.
James Morris is the chief executive of the CSBR, a non-profit think tank focused on security and resilience policy in the UK. He has a background as an MP and previously chaired the All-Party Parliamentary Group for Cyber Security and Business Resilience.