Since the government announced in the King’s speech last year that it would bring forward a Cyber Security and Resilience Bill, much has changed. The geopolitical context has become more chaotic with the new Trump administration testing long-held norms of the rules-based international order, the economy continues to struggle and new advances in AI complicate our understanding of the evolving threat landscape. In such a fast-moving world what should drive the government’s thinking around this much awaited legislation?
On 1 April 2025 the Department of Science Innovation and Technology (DSIT) published a “policy statement” on the proposed bill. The proposals centre on a significant evolution of the current regulatory regime to align the UK with the NIS2 framework adopted by the EU. The policy statement says that the bill “will address specific cyber security challenges faced by the UK while aligning, where appropriate, with the approach taken by the EU NIS 2 Directive”.
The policy statement acknowledges that the UK faces “specific cyber security challenges” but doesn’t specify what these challenges are; but it is critical acknowledgement, nonetheless. The UK does face particular cyber security challenges. We face vulnerabilities in our NHS and across other areas of government as was outlined in a recent National Audit Office report.
Our critical national infrastructure (CNI) is also likely to be exposed to more sophisticated threats as the landscape of global geopolitical rivalry – particularly with China and Russia – continues to evolve. The challenge for the bill is how it can provide a comprehensive cyber and national security framework across critical national infrastructure in the UK to address these “specific” challenges.
The policy statement does not make reference to our financial services industry which is a critical part of our economy. UK transposition of the original NIS regulations specifically excluded financial services. Will this still be the case for the Cyber Security and Resilience Bill? Financial services has some of the strongest sector-specific security standards and there is a strong argument that these standards should be used as the model for other sectors.
There are elements of the proposals which are to be welcomed. The focus on the resilience of supply chains, the bringing of managed service providers (MSPs) under the umbrella of regulation, the recognition that datacentres are now part of our CNI, and a new more transparent incident reporting regime are important and urgent requirements.
The proposed approach is one of “sectoral regulation” with existing industry regulators given more powers. The danger of such an approach is that the regulatory landscape could become fragmented with different approaches applied and no overarching strategy adopted across the piece.
The government’s proposed solution is that the Secretary of State will produce a periodic “statement of strategic priorities” which it hopes would bring consistency and coherence across sectors. The key question is how such a statement of priorities would be developed? It will require in-depth consultation both with the regulators but also with industry itself to make it meaningful and to ensure it is relevant and can be operationalised.
The policy statement also envisages a new role for the Information Commissioner’s Office (ICO). It says, “The primary intent of this measure is to enhance the ICO’s capability to identify and mitigate cyber risks before they materialise, thus preventing attacks and strengthening the digital services sector against future threats.”
In order for the ICO to take on these new responsibilities it will need significant new resources, skills and capacity. In addition, its remit will need to be tightly defined to avoid duplication with the NCSC or to ensure has the necessary teeth with regards to the sectoral regulators.
One of the more controversial proposals in the statement is the proposed approach with dealing with emerging trends in the threat landscape. The government’s proposed solution is to grant the Secretary of State what are commonly known as “Henry the Eighth” powers to change the regulations and to bring more industry sectors into the remit of the regulatory framework. It is unclear how any proposed changes would be scrutinised as they would not require an Act of Parliament for them to be enforced. This top-down approach is often adopted by governments when they are faced with fast-moving sectors; but it is vital that these directive powers are given proper scrutiny.
The challenge is to ensure that seeking better cyber security resilience regulation doesn’t become obsolete or outdated before it has even reached the statute book. It is also the case that the regulatory framework needs to balance the need for the better cyber security and resilience without snuffing out innovation in our business ecosystem. Business – large and small – must be brought into this process from the bottom up to encourage compliance and understanding.
It also needs to be recognised that legislation and regulation will not, in isolation, solve all our problems. Alongside the legislation there needs to be an intensified effort to embed cyber security and resilience awareness, processes and practice into the heart of our society with a shared understanding of the threat and shared determination to resist it.
James Morris is chief executive of the CSBR, a non-profit think tank exploring policy and solutions for security and resilience in the UK. A former MP, he served as chair of the All-Party Parliamentary Group for Cyber Security and Business Resilience.
