Proposed Cyber Security and Resilience Bill addresses low security guidance uptake amid heightened threat

On 1 Apr 2025, the UK Government provided further details about its proposed Cyber Security and Resilience Bill (CSRB).

The announcement provides further details on how the CSRB is intended to work. The bill was originally announced as part of the Government’s legislative programme in July 2024 [LINK]. A ministerial announcement [LINK] was accompanied by a blog from National Cyber Security Centre (NCSC) head of resilience Jonathon Ellison [LINK].

Details included in the announcement:

  • More entities – including data centres, managed service providers (MSPs), and key digital supply chain actors – would be regulated as critical infrastructure.

  • Regulator oversight would be strengthened, best practice frameworks reinforced, and requirements for cyber incident reporting made more stringent.

  • The bill would enable Government to update regulations without legislating, to address changing technology and threats.

  • A proposal for new executive powers for Government to facilitate quicker responses to cyber threats, including the authority to direct regulated entities and regulators to take action for national security purposes.

Strategic context: rising threat and insufficient adoption of security measures

The proposals come amid repeated warnings from NCSC CEO Richard Horne of a “clearly widening gap” between the threat level and the country’s defences [LINK].

On the defensive side, there have been repeated statements of concern from NCSC and other government officials about the number of organisations that are not implementing basic cyber security protections, as set out in NCSC guidance [LINK]. The ministerial statement notes that “[r]esilience is not improving at the rate necessary to keep pace with the threat” [LINK].

Statements from serving and former government officials in 2025 have consistently emphasised the historically high threat level facing the country’s critical infrastructure. The ministerial statement from 1 April describes the threat as “unprecedented” [LINK]. Founding NCSC CEO Ciaran Martin recently warned that the threat posed by China was “significantly more serious than at any point in the digital age” [LINK].

Assessment: targeting critical actors amid low uptake

The proposed bill would impose additional compliance requirements on a narrowly targeted group of entities. The investment necessary to meet those requirements will vary considerably depending on organisations’ current security posture, but is likely to be substantial for some.

Proposals in the bill to allow the government to introduce new requirements without recourse to legislation will create a degree of uncertainty, yet it is unlikely that any specific future requirement will come as a surprise to industry.

Indeed, the proposed legislation is relatively conservative. Rather than ‘lifting all boats’, the objective of the bill appears to be to provide the state with a means to act in cases where key players in the digital ecosystem are not adopting security measures proportionate to their criticality.

Outlook: questions over future policy direction

The proposed bill may drive behaviour change in entities newly classified as critical infrastructure. However, the range of policy options available to the UK government to drive further adoption of cyber security guidance appears increasingly limited.

Future policy efforts may therefore focus on promoting resilience in the case of prolonged loss of access to digital systems, potentially framing this as a civil defence issue rather than one of cyber security. This would align with a broader rebasing of government narratives on defence following the release of the forthcoming Strategic Defence Review [LINK].

A perception that efforts to encourage greater adoption of cyber security measures had stalled would also add impetus to calls for the UK government to manage risk through increased efforts to reduce the threat posed by malign cyber actors. This is the apparent direction of travel in the US, where proponents of greater use of offensive cyber operations have been appointed to key government positions [LINK]. A more openly offensive approach would provide a point of alignment between the US and UK, amid an increasingly transactional approach to alliance politics [LINK].

What you should do now

  • Companies should rapidly assess whether they are likely to fall into the scope of the legislation’s expanded definition of critical infrastructure.

  • Managed service providers and other entities likely to fall under the scope of the bill should begin building processes to demonstrate that their security practices align with NCSC guidance on best practice.

  • The NCSC’s Cyber Essentials ‘Pathways’ pilot [LINK] provides an indication of how companies can demonstrate good security practices without strictly aligning to NCSC guidance.

  • Organisations currently or likely to be classed as critical infrastructure should begin incorporating the draft bill’s requirements into their table-top and live-play exercise regime.

  • All organisations should review their assessment of cyber security risk to determine whether it reflects the heightened threat assessment outlined by current and former UK officials.

  • All organisations should review and exercise their plans for business continuity in the scenario of a total and sustained loss of digital systems. Where such plans do not exist, they should be developed at pace.


Tyburn St Raphael is a security boutique. Our experts come from UK government, military, and academic backgrounds and have decades of experience in delivering intelligence-led investigations and solutions. We provide technical expertise, advice, and training designed to develop best security practices and enhance cyber resilience with impactful exercises to businesses, including one of the world’s largest private equity houses. We also support entities through digital crises, including ransomware, fraud, and online threats. We can be contacted via info@tyburn-str.com
