UK’s Cyber Bill should be just one part of a wider effort


The UK government’s Cyber Security and Resilience Bill (CSRB) was finally published in November 2025, and the language in which it was launched showed that the government sees the bill in the context of hardening Britain’s national security and economic resilience.

Since the bill was first mooted in the King’s Speech in 2024, we have seen a significant and radical change to the threat landscape we face. High-profile attacks on some of our most well-known companies have shown the vulnerabilities at the heart of our critical national infrastructure and economic life. The rapid acceleration in the use of artificial intelligence (AI) has also changed the rules of engagement.

The bill attempts to create a new and updated regulatory framework. It also gives the government, through the secretary of state, significant new overarching powers to determine the priorities of the regulators, intervene to protect national security and widen the scope of the regulations if circumstances change. A substantial portion of the bill is dedicated to enshrining these ‘Henry VIII’ clauses. In a fast-changing environment it is necessary for the government to be able to act swiftly to protect national security. However, the other powers of direction in the bill need scrutiny as it embarks on its parliamentary journey. The danger with these top-down powers is that industry may feel that regulation is being done to them rather than being shaped by them.

The bill also envisages significant new regulatory powers for the Information Commissioner’s Office (ICO), including, for example, the regulation of managed service providers. The new role for the ICO will require new skills and resources for it to be able to perform its regulatory functions. The regulatory structure created by the bill is a complex tapestry. Sectoral regulators, in combination with the secretary of state, the ICO, Ofcom and the National Cyber Security Centre (NCSC) among others, will determine the success or failure of the new updated regulatory environment. There is a danger of what might be called regulatory contestation as regulators jockey for position in the new landscape.

One other area of concern is the absence of any reference to financial services in the bill. The assumption is that, as under the previous regulatory regime, financial services will be excluded and will continue to be regulated under their own framework. As the bill undergoes further scrutiny in its public bill committee, it will be important to understand how the government envisages the bill interacting with regulations impacting on banks and other financial services infrastructure.

Notwithstanding a variety of concerns, many measures in the bill are to be welcomed. However, in order for the new legislation to achieve its objective, we need to ensure that businesses large and small are engaged in the vitally important effort to harden our security and resilience. This means government and industry working in partnership to improve standards. Industry needs to be engaged as a participant in the new regulatory landscape, not a passive recipient.

We also need a whole-of-society effort to improve our cyber security and resilience. Citizens also need to understand their role in this fight as we deal with increasingly complex threats to our way of life. The legislation is just one part of this effort.

James Morris is chief executive of the UK’s cyber security and business resilience policy centre, the CSBR.
