Blogs & Opinions 26.02.2026
The Cyber Security and Resilience Bill Sets Ambition – Now It Needs Clarity
How to move the dial on national cyber resilience.
They say good things come to those who wait. But that’s not necessarily true of cybersecurity regulation. CISOs in critical infrastructure (CNI) sectors have been waiting for a new version of the outdated NIS Regulations for many years. What they have finally got, pending parliamentary tweaks and approval, is likely to fall short in several key areas.
Without clearer requirements and broader coverage, the legislation is unlikely to move the dial far enough on national cyber resilience. Its vaulting ambition must be accompanied by greater precision.
At the time of writing, the Cyber Security and Resilience Bill (CSRB) was set to bring several new categories of organisation into scope, beyond the sectors (energy, health, transport, drinking water, and digital infrastructure) covered by its 2018 predecessor. These are: managed service providers (MSPs), data centres, large load controllers (e.g., EV charging networks), and digital service providers. It will also enable regulators to define specific companies as ‘critical’ suppliers, even if they’re niche outfits like Synnovis.
These so-called operators of essential services (OES) will need to manage supply chain risk more proactively, with new duties to be defined in secondary legislation. They will also have to meet “proportionate and up-to-date security requirements” set out in the NCSC’s Cyber Assessment Framework (CAF).
There will be a wider scope for reportable incidents, to include events “capable of having a significant impact on the provision of an essential or digital service”. And stricter requirements for reporting those incidents to the NCSC – via new 24- and 72-hour deadlines. There will also be new powers for regulators to assess cyber risk proactively, and tougher penalties for serious offences, potentially hitting 10% of turnover.
This is all good news, even if we have been waiting since the King’s Speech in 2024 for the Bill to be introduced to parliament. It’s especially heartening to see supply chain risk and CNI finally being treated as frontline issues. Most serious breaches we see today begin not with a direct hit on a critical service, but with an attack on a trusted supplier, inherited access or poorly monitored third-party relationships.
The foregrounding of the CAF to become a quasi-national standard for thousands of organisations is also promising. A more consistent baseline across critical sectors should help reduce the fragmented approaches to risk we often see. If implemented properly, this will create space for more meaningful discussions about detection, identity security and recovery readiness rather than surface-level compliance.
Importantly, the Bill also recognises that cyber risk is systemic. Compromise does not stay contained. This shift in thinking is long overdue.
The problem with the legislation as it stands is not ambition, but precision. It brings MSPs and ‘critical suppliers’ into scope without clearly defining where responsibility sits across modern operating models. In reality, UK organisations rely on layered delivery chains. Identity, monitoring, response, and recovery are often shared among internal teams, MSPs, MSSPs, cloud platforms, and software vendors.
By pushing security and resilience requirements into secondary legislation, the CSRB leaves CISOs planning for compliance without knowing what they’re actually being asked to implement. Controls, reporting thresholds, assurance models and liability are all undefined. This matters. When incidents strike, unclear accountability delays decisions, complicates disclosure and slows recovery.
There is also a risk of uneven outcomes. Larger organisations will likely overcompensate to protect themselves, while smaller counterparts struggle even to interpret what compliance means. This will weaken the ecosystem rather than strengthen it.
The Bill also falls short on scope. It might tighten oversight of traditional CNI, but it leaves major government services and many large enterprises unaddressed. That’s despite clear evidence that these organisations are heavily targeted, and that there are major security gaps across Whitehall. The government recently acknowledged that it won’t meet its own target for achieving cyber resilience by 2030.
Resilience cannot be selective. A modern cyber framework should be shaped by real targeting behaviour, not legacy sector boundaries. Widening the scope of the CSRB would reduce fragmentation and improve overall defensive posture across the UK.
If these deficiencies are not addressed, we may well see organisations default to defensive compliance rather than genuine capability building. Documentation might improve. But outcomes will not.
The Bill before parliament has the potential to reset how cyber resilience is treated nationally. But to do so, it must be treated as a shared national concern rather than a sector-specific obligation. The current uncertainty surrounding key security requirements must be resolved.
It’s a promising sign that parliament recently issued a call for written evidence to the cybersecurity community. It wants professional input to ensure the legislation reflects operational reality, avoids unnecessary regulatory burden, strengthens supply chain trust, and supports effective cyber resilience.
Much now rests on what our peers propose. And how far the government is prepared to listen and act.
Bobbi Keating is vice president of the UK & Ireland at TrendAI, a business unit of Trend Micro. She has held senior roles across Trend Micro, MTI Technology, SCC and CDW, working closely with organisations in sectors including utilities, retail and financial services. She is known for combining leadership with a strong coaching mindset, helping teams outperform while delivering measurable customer impact.