Since the government announced in the King's Speech last year that it would bring forward a Cyber Security and Resilience Bill, much has changed. The geopolitical context has become more chaotic, with the new Trump administration testing long-held norms of the rules-based international order; the economy continues to struggle; and new advances in AI complicate our understanding of the evolving threat landscape. In such a fast-moving world, what should drive the government's thinking around this much-awaited legislation?
On 1 April 2025 the Department for Science, Innovation and Technology (DSIT) published a 'Policy Statement' on the proposed bill. The proposals centre on a significant evolution of the current regulatory regime to align the UK with the NIS 2 framework adopted by the EU. The policy statement says that the bill 'will address specific cyber security challenges faced by the UK while aligning, where appropriate, with the approach taken by the EU NIS 2 Directive.'
The policy statement acknowledges that the UK faces 'specific cyber security challenges' but does not specify what these challenges are; it is a critical acknowledgement, nonetheless. The UK does face particular cyber security challenges. We face vulnerabilities in our NHS and across other areas of government, as was outlined in a recent National Audit Office report.
Our Critical National Infrastructure (CNI) is also likely to be exposed to more sophisticated threats as the landscape of global geopolitical rivalry, particularly with China and Russia, continues to evolve. The challenge for the bill is how it can provide a comprehensive cyber and national security framework across Critical National Infrastructure in the UK to address these 'specific' challenges.
The policy statement makes no reference to our financial services industry, which is a critical part of our economy. The UK transposition of the original NIS Regulations specifically excluded financial services. Will this still be the case for the Cyber Security and Resilience Bill? Financial services have some of the strongest sector-specific security standards, and there is a strong argument that these standards should be used as the model for other sectors.
There are elements of the proposals which are to be welcomed. The focus on the resilience of supply chains, the bringing of managed service providers (MSPs) under the umbrella of regulation, the recognition that datacentres are now part of our CNI, and a new, more transparent incident reporting regime are important and urgent requirements.
The proposed approach is one of 'sectoral regulation', with existing industry regulators being given more power. The danger of such an approach is that the regulatory landscape could become fragmented, with different approaches applied and no overarching strategy adopted across the piece. The government's proposed solution is that the Secretary of State will produce a periodic 'Statement of Strategic Priorities', which it hopes would bring consistency and coherence across sectors. The key question is how such a statement of priorities would be developed. It will require in-depth consultation, both with the regulators and with industry itself, to make it meaningful and to ensure it is relevant and can be operationalised.
The policy statement also envisages a new role for the Information Commissioner's Office (ICO). It says, 'The primary intent of this measure is to enhance the ICO's capability to identify and mitigate cyber risks before they materialise, thus preventing attacks and strengthening the digital services sector's resilience against future threats.' In order for the ICO to take on these new responsibilities it will need significant new resources, skills and capacity. In addition, its remit will need to be tightly defined to avoid duplication with the NCSC and to ensure it has the necessary teeth in relation to the sectoral regulators.
One of the more controversial proposals in the statement is the proposed approach to dealing with emerging trends in the threat landscape. The government's proposed solution is to grant the Secretary of State what are commonly known as 'Henry VIII' powers to change the regulations and to bring new sectors into the regulatory framework. It is unclear how any proposed changes would be scrutinised, as they would not require an Act of Parliament for them to be enforced. This top-down approach is often adopted by governments when they are dealing with fast-moving sectors, but it is vital that these direct powers are subject to scrutiny.
The challenge is to ensure that the pursuit of better cyber security and resilience does not become obsolete or outdated before it has even reached the statute book. It is also the case that the regulatory framework needs to balance the need for better cyber security and resilience without snuffing out innovation in the ecosystem. Business, large and small, must be brought into this process from the bottom up to encourage compliance and understanding.
It also needs to be recognised that legislation and regulation will not, in isolation, solve all our problems. Alongside the legislation there needs to be an intensified effort to embed cyber security and resilience awareness, processes and practice into the heart of our society, with a shared understanding of the threat and a shared determination to resist it.
James Morris is Chief Executive of the CSBRA, a non-profit think tank exploring policy and solutions for security and resilience in the UK. A former MP, he served as Chair of the All-Party Parliamentary Group for Cyber Security and Business Resilience.