The upcoming Cyber Security and Resilience Bill was the subject of a keynote address by Nick Dodd, Head of Policy for the Bill, from the Department for Science, Innovation and Technology to the IT Leaders Forum.

During the opening webinar presentation, which was attended by over 100 BCS members, the point was made that public services, infrastructure and economy are being repeatedly targeted. The government’s rationale for introducing this Bill is to improve and expand the current regulations, the Network and Information Systems Regulations 2018, to proactively address this growing level of threat.

In addition, the presentation outlined the tools and guidance that have already been created by the government to aid organisations to ensure they can protect themselves.

These include:

  • Cyber Essentials, the government's certification scheme that helps organisations, regardless of size, improve their cyber resilience through key technical controls.
  • The Cyber Governance Code of Practice, so that boards and directors know what actions they need to take to better secure their organisations.
  • The National Cyber Security Centre, which is a centralised resource for all such concerns, and which also works with organisations when they have suffered a major attack.

The three headline ‘case for change’ points of the government’s Bill are that:

  • The UK government views cybersecurity as central to national priorities such as economic growth, public service delivery, and national security.
  • There is a deteriorating threat picture, with increasing sophistication and frequency of cyberattacks, including high-profile incidents like last year’s London hospital and GP ransomware attack, which disrupted thousands of appointments and operations.
  • The government is responding by placing cybersecurity at the forefront of its legislative agenda.

The Bill is built on three main pillars of reform:
1. Expansion of Regulatory Scope

This is necessary to reflect the changes in technology and to expand the scope of the regulations.

  • It will bring managed service providers and potentially data centres into scope, reflecting their growing importance and vulnerability. Regulators will be able to designate critical suppliers, ensuring the most important suppliers to essential and digital services are subject to the regulatory regime.
  • The approach is targeted and proportionate, focusing on services deemed most critical to UK society and economy.

2. Empowering Regulators

  • The Bill proposes enhanced incident reporting, including:
      • Initial notification within 24 hours, alongside the current requirement for a full report within 72 hours. In addition, the NCSC should be copied in as soon as the regulators are notified.
      • Broader definitions to capture more types of incidents (e.g., prepositioning, ransomware).
      • Requirements for digital and managed service providers to inform customers who are likely to have been impacted by an incident.
  • The government has committed to reforming regulators’ cost recovery powers, improving clarity regarding information-sharing, and potentially introducing a statement of strategic priorities to ensure consistency across sectors.

3. Enabling Resilience via Future-Proofing and National Security Powers

This concerns strengthening the tools the government has to respond quickly to the changing threat landscape. In a nutshell, these tools aim to make the government more agile and responsive in the face of dynamic cyber risks.

  • The Bill introduces future-proofing powers to allow updates to the NIS Regulations via secondary legislation, enabling faster responses to evolving threats.

The government is also considering national security powers that would allow the Secretary of State to direct regulated organisations or regulators to take action in response to urgent threats to national security. This, however, is not confirmed as a component of the Bill yet.

Engagement, Alignment, and Implementation Challenges

The government is committed to ongoing engagement with industry and stakeholders before and after the Bill’s introduction. BCS members, such as the Information Security Specialist Group and members of the IT Leaders Forum, have been heavily involved in responding to government consultations.

The government is also keen to emphasise alignment with international frameworks, particularly EU developments, while retaining UK-specific flexibility.

There was a lively response from the audience in the webinar chat, ably managed by the chair of the event, Gill Ringland, Secretary of the ITLF.

Questions from the audience highlighted concerns around definitions, designation criteria, metrics for proportionality, and proactive vs. reactive approaches, indicating areas needing further clarity and guidance.

The UK’s proposed Cyber Security and Resilience Bill marks a major turning point for how organisations must approach digital risk. With stricter incident reporting deadlines, legally mandated security standards, and broader regulatory oversight, the Bill will require businesses of all sizes to rethink their approach to cyber and IT resilience.

What does this mean for businesses?

BCS Fellow Dr Sam De Silva, Partner at the international law firm CMS and chair of the BCS Law Specialist Group, gave his presentation on how businesses should respond to the proposed changes. He first addressed the radical changes to incident reporting and highlighted the following:

  • The operational impact of faster reporting: A 24-hour notification window compresses investigative, legal, and communications processes into a single working day; most organisations’ current playbooks are not prepared for this pace.
  • Action Point: Organisations must rehearse and automate incident response workflows now to meet these new deadlines.

Codification of Security Standards:

  • Legal Mandate: The proposed Bill plans to embed the National Cyber Security Centre’s Cyber Assessment Framework (CAF) and sector-specific codes of practice into law.
  • Compliance Shift: Falling short of these standards will move from being a “maturity gap” to a statutory breach—expect auditors and insurers to benchmark compliance line by line.
  • Action Point: Organisations should benchmark themselves against the CAF immediately; every gap is a future compliance risk.

Expanded Regulatory Scope and Challenges

  • Broader Remit: More sectors and supply chains will fall under regulatory supervision, with richer incident data required and potential interventions on national security grounds.
  • Resource Strain: Many sector regulators lack cyber expertise and will need to scale up rapidly.
  • Funding Model: Regulators may levy new fees to cover costs, but must balance this with not stifling investment, especially in cloud and data center sectors.
  • Consistency vs. Sector Nuance: Harmonizing approaches across sectors is challenging due to different threat models, requiring unprecedented inter-regulator cooperation.

What Businesses Should Do Now:

  • Map Critical Services and Supply Chains: Prepare detailed documentation as if you had to hand it over to a regulator tomorrow.
  • Rehearse Incident Notification: Test your ability to assemble facts, legal, PR, and executive approval within 24 hours, and fix any process gaps.
  • Engage with Stakeholders: Work with suppliers, customers, and industry bodies to shape guidance before the Bill becomes law.
  • Early Preparation is Key: Those who prepare early will absorb the changes as an extension of good practice; those who wait will struggle to retrofit compliance.

Prevention better than cure

In his presentation, Steve Sands, BCS Information Security Specialist Group Chair, emphasised that companies have to take cyber security seriously.

He said: “Success is entirely dependent on board engagement and commitment, not just some sort of vague awareness.

“A strong cybersecurity strategy will always start with a solid understanding of context and risks. What follows are all of the essential activities that are needed to protect the organisation from those risks.

“In my view, prevention is always better than cure, and strong defences are absolutely the best place to start. But we also need to recognise that despite our best efforts, stuff happens, systems fail. When that happens, it's the ability to detect, respond, and recover in a planned, organised and timely manner. That's what makes the difference when the wheels come off. Success depends on board engagement and commitment, not just IT awareness.”

The strong message from the session is that board-level engagement, proactive preparation, and a whole-organisation mindset are now essential, not just for compliance, but for safeguarding business continuity and public trust in an increasingly digital society.