Editorial

Does the new Cyber Security and Resilience Bill go far enough?

Cybersecurity experts react to the proposed bill, which aims to get IT service providers to meet stricter requirements.

Posted 3 April 2025 by Christine Horton


“Necessary”, “long-overdue”, and “could go further”. These are just a few reactions from cybersecurity experts to the new Cyber Security and Resilience Bill, announced by the Government this week.

The bill, to be introduced later this year, will see around 1000 Managed Service Providers (MSPs) and IT suppliers forced to meet more robust cybersecurity requirements.

Jon Mort, CTO at digital transformation specialist The Adaptavist Group, said the bill indicates an increasing recognition that current resilience strategies are not fit for purpose.

“It should also be the necessary push that some organisations need to do the right thing; the gap between should do and have to do is closed,” he said.

“The government absolutely needs to get on the front foot with cybersecurity. Deeply embedding good security is not easy, and can’t be done effectively with only a vendor solution. Processes and procedures need to catch up. We’re already behind; the government and their suppliers need to catch up as cybersecurity threats and attacks are becoming more widespread and harder to counter. New AI capabilities are causing a renaissance in ever more sophisticated social and automated attacks, and our nation’s cyber defences need to be state of the art.

“So this is only one piece of the puzzle. True resilience requires a concerted effort across organisations, regulators and governments, and should not be treated as just a compliance exercise, but a deeply embedded practice.”

Bill “could go further” says cybersecurity firm

For some, the bill will be a wake-up call – for others, it’s a long overdue formal recognition of the role service providers have been playing for years, said Lee Driver, VP of managed security services at UK cloud provider Ekco.

He said the bill “is expected and long overdue particularly as more critical infrastructure is being compromised.

“While this is the first time service providers are being formally brought into the scope of regulation, it reflects a direction of travel that’s been clear for some time,” he said. “The NCSC has already issued guidance for MSPs, and certifications like ISO 27001 and Cyber Essentials have become standard benchmarks. This proposal simply formalises what many providers already acknowledge: that they play a critical role in the UK’s cybersecurity posture and must be held to consistently high standards.”

Carla Baker, senior director, government affairs UK&I at Palo Alto Networks, said that while the new bill is welcome, the cybersecurity vendor believes the government could go further to protect the UK by including the public sector in the scope of the legislation.

“The NAO report published in January found that 58 critical government IT systems independently assessed in 2024 had ‘significant gaps in cyber-resilience’. It also showed the government did not know how vulnerable at least 228 ageing and outdated ‘legacy’ IT systems were to cyberattacks. In his first speech as NCSC CEO, Richard Horne reflected these concerns, warning that the severity of risk facing the UK is being widely underestimated.”

As a result, she said, “The government can no longer afford to sit on the sidelines and solely focus on pushing security obligations onto industry. Recent high profile public sector cyberattacks have demonstrated exactly why the government must do more to enhance its own resilience and lead by example. The time to act is now.”

John Nolan, UK & Ireland MD at IT distributor Westcon-Comstor, said it makes sense to bring MSPs and other supply chain partners into the scope of the regulations.

“While the increased regulatory burden represents a challenge to the UK’s MSPs in terms of additional costs and compliance requirements, it’s also an opportunity. By demonstrating leadership when it comes to complying with the legislation, MSPs can showcase their expertise to customers and strengthen relationships in the process, positioning themselves – to use the government’s phrase – as ‘trusted and reliable partners in the cybersecurity landscape’.”
