The UK government has introduced the Cyber Security and Resilience Bill to Parliament, marking a significant development in national cyber policy. The new legislation focuses on strengthening protections for critical national infrastructure, such as healthcare, energy, water, and transport, amid increasing cyber threats targeting major organisations.
Economic impact
The move comes in a year marked by high-profile attacks against UK companies, including Jaguar Land Rover, Marks & Spencer, and Harrods. These incidents are estimated to have cost the national economy more than £2 billion. The Bill introduces requirements such as 24-hour incident reporting and stricter controls on supply-chain partners.
“Today, the Cyber Resilience Bill arrives in the wake of a slew of attacks on major UK companies – among them Jaguar Land Rover, M&S, and Harrods, costing the UK economy over £2 billion this year. The Bill’s new measures, including 24-hour incident reporting and tighter supply-chain controls, recognise the severity of the threat now facing UK organisations. Cyberattacks are unfolding quickly and too widely for delayed or fragmented responses,” said Jonathan Trayers, Director, Ekco.
“I hope this legislation will prompt closer coordination across the private sector and help create a culture where resilience is planned, tested and continuously improved. For organisations that rely on managed service providers, the Bill raises expectations around trust and transparency.”
“It reinforces the need for real plans in place and treating resilience as something you build, not buy. The Bill sends a clear message that cybersecurity is now a board-level issue. If you rely on digital infrastructure, you’ve got to take responsibility for keeping it safe,” said Trayers.
Critical infrastructure
The Bill aims to protect essential public services from disruptive attacks. There is concern, however, that this could shift the focus of cybercriminals toward private sector targets, especially small and medium-sized enterprises (SMEs), which make up over 99% of UK businesses.
“Strengthening cyber resilience across critical national infrastructure is a huge step forward for the UK. Protecting services like healthcare and energy is vital for both a functioning economy and society. Yet in the interconnected digital economy we now operate in, cyber vulnerabilities at any organisation can spiral into critical issues,” said Lee Johnson, Chief Technology Officer & Chief Information Security Officer, Air IT Group.
“As cybercriminals find it harder to breach the public sector, many will turn their attention to the private sector, especially SMEs. These businesses make up vast swathes of the UK economy, yet many don’t have the in-house expertise or resources to keep pace with increasingly sophisticated threats.”
“Unless SMEs increase their cyber maturity, we risk creating a two-tier system where the most vital services are protected, but where many smaller-scale businesses are seen as better targets by bad actors,” said Johnson.
Supply chain risk
The Bill also highlights the complexity of modern supply chains that support critical UK services. New provisions expand regulatory oversight to service providers and suppliers whose products and operations underpin essential systems.
“The introduction of the Cyber Security and Resilience Bill (CSRB) is a welcome step towards strengthening and protecting the UK’s critical national infrastructure (CNI). Crucially, an area it focuses on is the complex nature of supply chains that support CNI. It’s easy for organisations to fall into the trap of thinking of their ‘supply chains’ in the narrow terms of those immediately connected to them,” said Ric Derbyshire, Principal Security Researcher, Orange Cyberdefense.
“By bringing new classes of service providers into scope, from managed service providers and data centre operators to suppliers whose goods and services support critical systems, the CSRB broadens the reach of national cyber regulation. This shift encourages organisations involved in CNI to recognise that security and resilience rely on an interdependent ecosystem, rather than a simple chain. The bolstered oversight and reporting powers introduced through the Bill represent a significant step-change in accountability.”
Continuous resilience
The Bill’s emphasis on supply chain security as well as compliance requirements highlights the need for holistic, ongoing strategies to manage operational risk.
“Closing the supply chain gap is the linchpin of the Cyber Security and Resilience Bill. Essential services rely on sprawling supplier networks, and attackers know it. Designating these providers as critical and enforcing security standards is a strong start, but compliance and penalties alone won’t stop advanced threats,” said Marc Jones, Regional Director UK & Ireland, Armis.
“True resilience demands a proactive cybersecurity strategy that provides the contextual awareness to see, protect and manage the entire attack surface in real-time – from every single connected asset in an environment to every dependency within the supply chain. By combining real-time asset intelligence, continuous vulnerability management and AI-powered threat detection and remediation, organisations can take control of their cyber risk, protect operations and ensure business continuity.”