The UK government’s Cyber Security and Resilience Bill represents a critical step in addressing the growing cyber risks faced by organisations today. As cyberattacks become more frequent and impactful, with incidents such as the NHS pathology disruptions in London, it is clear that cybersecurity must be a top priority. Many experts view the government’s decision to prioritise cybersecurity as a positive and necessary move. While the UK is arguably catching up to the European Union’s stricter cyber regulations, the intent behind the bill is broadly welcomed, even if some details remain unclear.
The bill's general approach has received support: expanding the scope of regulation to cover more digital services and their supply chains, giving regulators the powers to enforce cybersecurity measures, and widening the mandate for incident reporting. Experts agree that such measures can reduce risk and improve the security of critical infrastructure. They also caution, however, that regulation alone cannot eliminate cyber threats. Effective enforcement, sound security practice across organisations, and infrastructure designed to keep operating under attack are all essential components of a comprehensive defence.
One area where experts believe the bill could go further is the over-reliance on single suppliers within critical national infrastructure. Recent IT outages, although not cyberattacks, have shown how a fault at one widely used provider can cascade across many organisations at once. A cyberattack targeting a major platform provider could have even more far-reaching consequences, causing widespread disruption. Experts therefore recommend that the bill also address resilience, in particular by mitigating the risks of dependence on single vendors, which concentrates risk in a single point of failure that an adversary need only compromise once to disrupt many downstream organisations.
For small- and medium-sized businesses (SMBs/SMEs), there is concern about the potential for overly burdensome compliance obligations. Since many of these smaller organisations form part of public service supply chains, ensuring their cybersecurity is crucial. Experts suggest that regulations should apply to SMBs proportionately and should be communicated clearly to prevent confusion. Many of these organisations lack in-house security expertise, a consequence of the country's cybersecurity skills gap, and may need to seek third-party assistance; simplifying compliance processes will make the obligations more manageable for them.
As for the UK "playing catch up" with the EU, many experts acknowledge that the previous government failed to update its Network and Information Systems (NIS) Regulations in a timely manner, allowing other nations to move ahead (the EU has since replaced its original NIS Directive with NIS2). While the new bill is a step in the right direction, there is hope that the government will continue to evolve the regulations to keep pace with the fast-changing cyber threat landscape.