"CISOs should act now": Preparing for the UK Cyber Security and Resilience Bill

"The urgency of this bill is justified, given the financial impact of disrupted operations and downtime on the country."


Following a year of relentless cyber attacks against some of the UK’s biggest brands, it’s no surprise that cybersecurity countermeasures have become a leading government priority.

Despite the clear and significant impact that such attacks can have on the economy, the UK hasn’t had an updated cybersecurity law since NIS1 was implemented in 2018.

This put the country behind other regions, such as the EU, which brought NIS2 and DORA into force in 2024 and 2025 respectively. Strong, clear, and enforced cybersecurity regulation is essential for economic growth and stability.

The Cyber Security and Resilience Bill is one initiative to address this gap and improve the country’s security posture.

It was first mentioned in the King’s Speech at the State Opening of Parliament in July 2024. Whilst steady progress was being made behind the scenes, we reached a major milestone on its path to becoming law in November 2025, when it was introduced in Parliament. 

In June, Westminster also announced the Cyber Growth Action Plan, which aims to strengthen the UK’s cyber security sector and improve protection of digital infrastructure.

In October, senior ministers, including Peter Kyle, Rachel Reeves and Liz Kendall, wrote to FTSE 350 companies to warn about the impact of cyber attacks and to encourage them to make cyber security a board-level responsibility. Then, on 12th November, the Cyber Security and Resilience Bill had its first reading in Parliament, followed by its second reading on 6th January, meaning it is now at committee stage.

The urgency given to this matter is justified, given the financial impact that disrupted operations and downtime within the UK’s key industries has on the country as a whole. 

Compliance without chaos

The current draft of the Bill follows principles similar to those of frameworks such as NIS2 and DORA, introducing measures like stricter incident reporting, fines for non-compliance, and an expanded scope covering sectors such as critical national infrastructure and managed service providers. It also echoes the EU Cyber Security Act and the EU Cyber Resilience Act.

However, as it makes its way through Parliamentary approval, we can expect it to be tweaked. For example, the manufacturing sector is not currently covered by the Bill, but following the impact of JLR's downtime on the economy, it is increasingly likely that its scope will be expanded to include sectors or industries whose disruption could have, or already has had, an impact on the UK economy.


As the Cyber Security and Resilience Bill has only just begun to move through Parliament, it is unlikely to be written into law until the latter half of this year at the earliest. A compliance period of around two years often follows such legislation, but companies must not become complacent. Cyber resilience is a critical business issue, not just a tick-box compliance exercise. In short, why wait?

Although the Bill currently only covers essential infrastructure sectors such as energy, transport, water, healthcare, and their critical suppliers, e.g., IT, digital infrastructure, data centres, and managed service providers, cyber resilience is important for any business, regardless of sector and compliance mandates. Every organisation should be confident in its ability to withstand an attack, recover quickly and cleanly, and keep downtime to a minimum. 

Even if fines for non-compliance won't be in place for a couple of years, CISOs across all sectors should act now to improve their security standing. Whilst there may be slight amendments to the Bill, its overall objectives are unlikely to change significantly, so using the first iteration, or addressing the best practices laid out in NIS2, DORA and the EU acts mentioned above, will help build a stronger security posture and put businesses in good standing when the Bill is enforced.

The key to cyber resilience

A critical element of achieving cyber resilience is knowing your Minimum Viable Company (MVC) – the essential systems needed to stay operational and that should be prioritised in recovery. It is usually only at the point of attack that this is considered, at which point it’s too late. 

What makes up the MVC varies between every business, but common priorities are authentication and identity management services, finance, payment and operational systems, essential communication platforms, and base IT systems including security tooling. The idea is that in the event of an attack, organisations know which systems make up their MVC and have a tried and tested plan to quickly, safely and securely recover them. This will keep downtime to a minimum by enabling operations to continue to at least some extent. 


Another key component of an MVC strategy is having a clean environment to recover into. Threat scanning and anomaly detection technology gives organisations confidence that the systems they need to recover have not been compromised. Cloud-based cleanrooms then provide the secure environment to recover into. Ultimately, by having all parts of an MVC strategy planned, tested and ready to go at any moment, organisations can maintain continuous business even amidst a crisis.

It is continuous business – the ability to withstand whatever is thrown your way and maintain operations – that is the essence of true cyber resilience, and which the Cyber Security and Resilience Bill aims to achieve. By following best practices laid out in the Bill and similar frameworks, all organisations can be resilient, regardless of upcoming compliance mandates. 

Mark Molyneux is Field CTO, Northern Europe, at Commvault
