Responses to UK cyber policy statement

by Mark Rowe

The Department for Science, Innovation and Technology (DSIT) has published a Cyber Security and Resilience Policy Statement. It sets out what is proposed in the Cyber Security and Resilience Bill, due to be laid before Parliament later this year, as announced in the July 2024 King’s Speech.

For context, DSIT says that the UK is ‘facing unprecedented threats to our critical national infrastructure’.

Jonathon Ellison, Director of National Resilience at the UK official NCSC (National Cyber Security Centre) welcomed the publication. He said that the legislative proposals ‘offer a real opportunity to tackle the increasing acceleration and diversification of cyber threats to UK critical sectors’.

The CyberUp Campaign said that while the statement takes important steps in aligning the UK’s cyber regime with the EU’s Network and Information Systems Directive (NIS2), it fails to address one of the most pressing vulnerabilities: the Computer Misuse Act 1990 (CMA). Campaigners call the Act outdated and complain that it criminalises much of the critical research that cybersecurity professionals need to carry out.

The statement notes that the Network and Information Systems (NIS) Regulations 2018 are the UK’s only cross-sector cyber security legislation, and that the Bill will align, ‘where appropriate, with the approach taken in the EU NIS 2 directive’. The Bill will bring MSPs (managed service providers) and data centres into scope. It will also introduce a two-stage reporting structure requiring ‘regulated entities’ to notify their regulator, and inform the NCSC, of a significant incident no later than 24 hours after becoming aware of it, followed by an incident report within 72 hours.

Powers

The data protection watchdog, the ICO, will ‘adopt a proactive, rather than reactive, approach to assessing the cyber security capabilities of digital services’. Also proposed are ‘new executive powers for government to enable swift and decisive action in response to cyber threats’, and the power ‘to direct a regulator to take action when it is necessary for national security’.

Comments

Anthony Young, CEO of the cyber firm Bridewell, said: “The Cyber Resilience Bill is looking to extend what is classified as critical infrastructure, bringing MSPs, digital service providers and supply chain more into scope and aligning closer to NIS2 in Europe. The scope on incident reporting is also being increased to notification within 24 hours and reporting within 72 hours of a much wider definition of incidents. The new bill will ensure that we are not only looking at what used to be considered ‘traditional CNI organisations’ but also those organisations that are essential to keep them running. Supply chain attacks have been increasing over the last ten years and therefore having a bigger focus on the supply chain is a positive move for UK CNI. Increasing incident reporting requirements will also improve our visibility and intelligence of cyber attacks across the UK.”

Colette Kitterhing, Vice President of Netskope UK and Ireland, said: “The Cyber Security and Resilience Act (CSRA) will have a compliance cost, but this must be viewed in balance against a reduction in the risk of cyber attacks, due to improved resilience within the supply chain, more secure software products and connected devices, greater risk awareness, and more accountable suppliers. With cyber attacks and data breaches only becoming more common, and high profile cases showing the impact on public services of weaknesses in the private organisations that serve them, supply chain security must be at the top of the agenda.”

Etay Maor, Chief Security Strategist at Cato Networks, described the Bill as a necessary evolution in regulatory thinking: ‘it acknowledges that cyber threats aren’t just increasing – they’re industrializing’. He said: “This bill is a necessary course correction. When attackers hit London hospitals by compromising an MSP, it wasn’t just a breach, it was a failure in how we delegate trust. MSPs aren’t just supporting players; they have privileged access, deep integration, and wide operational reach. Treating them like passive vendors ignores the fact that when one falls, the blast radius is massive. Including them in the regulatory framework isn’t overreach, it’s essential risk management.

“While the Bill rightly focuses on MSPs and data centers, it must also anticipate the impact of AI. The 2025 Cato CTRL Threat Report reinforces this, as it highlights not just the expansion of attack surfaces but the evolution of attack techniques themselves, especially in the realm of generative AI.”

And Camellia Chan, CEO and co-founder of X-PHY, called the Cyber Security Resilience Bill great in theory, but said that combating the growing cybersecurity threat takes more than frameworks and regulations. “You need innovation. Otherwise, it’s only a matter of time before we see a major CNI incident the UK might not recover from – whether that be on the NHS, the national power grid or something else.

“It is crucial that organisations, IT providers and data centres proactively assess security gaps and address them with innovative and proven tools. CNI cannot afford to rely on traditional software security such as firewalls and VPNs. These reactive, static and human-centric methods can be too easily manipulated, exploited by Zero Day attackers or weakened by human error. To ensure security across the entire attack life cycle, a holistic approach that detects cyber threats, responds to them and can recover data in the unfortunate event of an attack is necessary. A combination of software and hardware solutions with self-learning AI is the best way to do this. And if the UK don’t? CNI will be attacked and there will likely be drastic consequences.”

Minister says

DSIT Secretary of State Peter Kyle said: “Economic growth is the cornerstone of our Plan for Change, and ensuring the security of the vital services which will deliver that growth is non-negotiable. Attempts to disrupt our way of life and attack our digital economy are only gathering pace, and we will not stand by as these incidents hold our future prosperity hostage.

“The Cyber Security and Resilience Bill will help make the UK’s digital economy one of the most secure in the world – giving us the power to protect our services, our supply chains, and our citizens – the first and most important job of any government.”