Following the open letter to FTSE350 companies informing them that cyber risk is the board’s responsibility, the first reading of the UK Cyber Security and Resilience Bill (commonly shortened to the Cyber Resilience Bill) took place on 19th November 2025 in the House of Commons.

The Bill will modernise and expand the UK’s cyber-regulatory framework, ensuring that all organisations critical to the economy and society adopt robust and consistent resilience standards.

The legislative shift

This Bill strengthens and replaces parts of the NIS Regulations 2018, aligning the UK with global resilience standards while extending regulation to new digital sectors. It reflects the government’s recognition that cyber resilience underpins both national security and economic stability.

This also moves the UK closer to the EU’s position. The EU Cyber Resilience Act (CRA), which entered into force on 10 December 2024, regulates the security of products with digital elements sold across the 27 member states; the closer EU counterpart to this Bill is the NIS2 Directive, which updates the same network-and-information-systems regime that the UK’s NIS Regulations 2018 implemented. Taken together, the UK Bill and the EU measures pull Great Britain, Northern Ireland and the EU in the same direction.

Collaborating with the EU

Furthermore, the European Union Agency for Cybersecurity (ENISA) has become a CVE Numbering Authority (CNA) within the Common Vulnerabilities and Exposures (CVE) programme. This means ENISA is now authorised to assign CVE identifiers and publish CVE records for vulnerabilities within its scope, rather than relying on other CNAs to do so.

The strengthening of legislation on both sides, and the collaboration between the UK and the EU that comes with it, give the two a far stronger collective position than either had alone.

Who is affected?

The Bill expands scope to include:

  • Operators of Essential Services (OES) – energy, transport, water, health, telecoms, and public sector.
  • Data Centres – classified as essential where IT load is equal to or greater than 1MW.
  • Relevant Digital Service Providers (RDSPs) – cloud platforms, online marketplaces, search engines.
  • Relevant Managed Service Providers (RMSPs) – IT outsourcers, Security Operation Centres (SOCs), and managed security service providers (MSSPs).
  • Digital Infrastructure – Internet exchange points, domain registries, and key hosting providers.
  • Critical Suppliers – vendors whose failure could disrupt essential or digital services.

What compliance entails – and what should CISOs do?

Organisations will be required to:

  • Implement “appropriate and proportionate” measures to secure their systems.
  • Report cyber incidents promptly: an initial notification within 24 hours of becoming aware of the incident, followed by a full report covering impact and mitigations within 72 hours.
  • Maintain documented governance, testing, and supplier assurance.
  • Align operations to the forthcoming Code of Practice and regulator guidance.

The Secretary of State has the power to issue Codes of Practice. None have been released yet, but they will most likely build on pre-existing frameworks such as the National Cyber Security Centre’s (NCSC) Cyber Assessment Framework (CAF), ISO 27001 / ISO 22301 and NIST.

The strongest candidate is CAF, and I suspect that showing alignment to it will be the highest priority, particularly for any organisation linked to the public sector, critical national infrastructure or a managed service provider. We also have to keep an eye on the EU here: the CRA mandates security by design for products rather than a code of practice. In practice, however, that is simply another route to the same best-practice controls.

Both the UK Bill and the EU legislation are risk based and focused on outcomes and recovery, with fast reporting to limit impact as much as possible. The important thing to remember, if your organisation has European reach, is to check that you are aligned to both regimes rather than assuming one covers the other.

The NCSC’s CEO, Richard Horne, put it plainly: “Time to Act”. As a CISO, I recommend you think about the following:

  • Do the basics really well – vulnerability management, patch management, access management, immutable backups, managed detection and response (MDR) and endpoint detection and response (EDR).
  • Assess maturity – use CAF or ISO 27001 as benchmarks.
  • Review supply-chain contracts for resilience clauses and data obligations.
  • Develop incident reporting processes that can meet the 24-hour initial notification and 72-hour full report requirement, including who decides that an incident is reportable and who signs off the submission.
  • Ensure risk registers are mapped to real assets, and that risks are reported to and owned by the board.
  • Practise resilience and recovery – run failover tests and restore from backups from scratch, rather than assuming the backups are usable.

Enforcement and accountability

Once the Bill is in force, regulators will gain powers to:

  • Conduct audits and impose enforcement notices.
  • Recover regulatory costs.
  • Issue fines up to £17M or 4% of global turnover.

I believe the regulator will act in much the same way as the Information Commissioner’s Office (ICO) does under the UK Data Protection Act: weighing the balance of risk, the actions taken to recover and the quality of the response in protecting Personally Identifiable Information (PII) as far as possible.

What else should we think about?

The UK Cyber Security and Resilience Bill is designed to strengthen cyber security across the UK, with a particular focus on managed service providers and organisations aligned to the public sector, which means most organisations will need to comply with it in some form. This is a hugely welcome and much needed legislative change.

This Bill is about more than compliance – it is a recognition that resilience is the new security. Your organisation will no longer be judged on whether it has been attacked, but on how quickly it can recover.

Organisations that act early will not only be compliant – they’ll be trusted.

If you would like to contact me to discuss any of these points, then feel free to get in touch via LinkedIn. Alternatively, you can contact us to find out more about any of our end-to-end cyber security services.
