Richard Holland, Quorum Cyber’s Field Chief Information Security Officer (Field CISO) gives his thoughts on how the UK’s Cyber Security and Resilience (Network and Information Systems) Bill could be strengthened to deliver measurable, real-world cyber resilience rather than compliance alone.
The Bill rightly seeks to improve cyber resilience across the UK, but in its current form it risks reinforcing a compliance-driven approach that has repeatedly failed to prevent serious disruption. Evidence from public-sector and regulated environments shows that organisations can be compliant with standards, certifications and audits while remaining unable to detect, respond to, or recover effectively from cyber-attacks.
Theory versus practice and operational outcomes
A central weakness of the Bill is that it does not distinguish clearly between resilience that is documented and resilience that is practised. Cyber resilience is an operational capability that must be exercised regularly under realistic conditions. Where this does not occur, organisations experience delayed detection, unclear decision-making and prolonged recovery during real incidents, even where policies and plans exist.
The Bill also places insufficient emphasis on operational outcomes. It does not require evidence that controls work under attack conditions, nor does it prioritise measurable indicators such as detection speed, response effectiveness or recovery capability. This risks incentivising organisations to optimise for audit success rather than for real-world resilience.
Cyber Essentials and framework complexity
Cyber Essentials and Cyber Essentials Plus are valuable baseline hygiene schemes, but evidence shows they are increasingly misinterpreted as indicators of resilience for medium and large organisations. The Bill does not currently address the false sense of assurance this creates or require proportionate, risk-based assurance at scale.
Framework complexity, and the failure to recognise sector differences, is another material risk. The UK already operates multiple overlapping cyber security frameworks without a coherent national approach and without sector-informed profiling. Furthermore, framework proliferation risks increasing administrative burden while diverting resources away from practical resilience improvements.
One case in point is the Scottish National SOC, which emerged around 2018 but evolved from a centralised SOC model towards federated, sector-led cyber resilience. Under the centralised model, the managed detection and response (MDR) service was unable to recognise the differences between each customer and failed to pick up individual signals and signatures. It was, therefore, not capable of acting resiliently and safeguarding Scottish businesses and government organisations.
This suggests that resilience is better served when frameworks first recognise sector differences and operational reality, with common outcomes aligned where appropriate, rather than enforcing uniformity from the outset. The Act would therefore benefit from a clearer expectation that cyber security frameworks are applied proportionately and with explicit recognition of sector context, as well as from reducing the number of frameworks and their complexity.
The Bill’s scope focuses on Critical National Infrastructure (CNI) and Managed Service Providers (MSPs), but does not sufficiently reflect systemic economic and societal impact. Cyber disruption affecting large retailers, logistics providers, and service platforms can have national consequences despite these organisations falling outside traditional CNI classifications.
Software supply-chain risk
A significant omission is software supply-chain risk. Modern software relies heavily on third-party and open-source components developed internationally. The Log4j vulnerability demonstrated how difficult it is for organisations to identify affected systems, trace dependencies, and ensure vulnerabilities are remediated at source. The Bill does not adequately address this systemic risk.
The EU Cyber Resilience Act
The submission also highlights the need for greater alignment with the EU Cyber Resilience Act, given the EU’s role as a major trading partner and defence collaborator, and for the Bill to reflect geopolitical realities where cyber-attacks are rapid, state-linked, and require swift defensive action.
The Bill underestimates the regulatory capacity required to oversee cyber resilience effectively, particularly as artificial intelligence (AI)-enabled attacks increase the speed and volume of incidents. Expanding regulatory responsibility without equivalent investment in specialist capability risks limiting the Act’s effectiveness.
The elephant in the room: AI
Finally, the Bill also does not explicitly address the cyber security risks introduced by AI. AI is already accelerating the speed, scale, and sophistication of cyber-attacks, while organisations are increasingly dependent on AI-driven security and operational systems. The absence of AI considerations creates a gap in the Bill’s ability to reflect the modern threat environment. Rather than introducing AI-specific compliance frameworks, the submission recommends that the Bill addresses AI risk through practised resilience. This includes requiring organisations to exercise AI-enabled attack scenarios, monitor AI-driven systems for abnormal behaviour, detect data poisoning or ethical bias, and demonstrate the ability to remediate, retrain or recover affected models safely.
My recommendations
As you can see, I feel very strongly about these points, and I’ve submitted evidence for the Select Committee on the UK Cyber Resilience Act. My submission concludes with clear recommendations to improve the Bill, including making practised resilience a statutory expectation, focusing regulation on measurable outcomes, reducing framework fragmentation, addressing software supply-chain risk, enabling rapid defensive action during incidents, and ensuring regulatory capability keeps pace with modern cyber threats.
Final thoughts
The Cyber Security and Resilience Bill is necessary and timely. However, without addressing practised resilience, systemic software supply-chain risk, geopolitical realities and regulatory capability, there is a risk that it prioritises compliance over capability.
Addressing these issues would materially strengthen the Bill’s ability to deliver durable improvements in UK cyber resilience and better protect the UK economy, public services and national security.