Key Takeaways:
- The UK’s Cyber Security and Resilience (CSR) Bill excludes central and local government, despite the growing threat of cyberattacks on the public sector.
- The National Cyber Security Centre (NCSC) reports that 40% of attacks it managed between September 2020 and August 2021 targeted the public sector.
- The CSR bill aims to update the country’s outdated NIS 2018 regulations, but its scope is narrower than the EU’s equivalent regulatory refresh, NIS2.
- The government’s Cyber Action Plan aims to hold government departments to security standards equivalent to those in the CSR bill, but without any legal obligation to meet them.
- Critics argue that the government’s decision not to include the public sector in the CSR bill’s scope undermines its commitment to cybersecurity and leaves it open to scrutiny.
Introduction to the Cyber Security Threat
The UK government has faced a growing number of cyberattacks in recent years, with high-profile incidents including the May 2020 cyberattack on the Legal Aid Agency and the Foreign Office breach. The scale of the problem extends far beyond these isolated incidents, with the NCSC reporting that 40% of attacks it managed between September 2020 and August 2021 targeted the public sector. This trend is expected to continue, making it increasingly important for the government to take robust measures to improve cybersecurity.
The Cyber Security and Resilience (CSR) Bill
The CSR bill was announced in 2022, aiming to provide an essential refresh of the country’s heavily outdated NIS 2018 regulations. The bill proposes to bring managed service providers and datacenters into scope, among other aspects. However, its scope is narrower than the EU’s equivalent regulatory refresh, NIS2, as it excludes public authorities. This decision has been criticized by some, who argue that the government should be held to the same standards as critical service providers.
Calls for Inclusion of Central Government
Sir Oliver Dowden, former digital secretary and current shadow deputy PM, has led calls for the government to rethink its stance on excluding central government from the CSR bill. Dowden argued that cybersecurity is often deprioritized in government and that legislative requirements are necessary to force ministers to think about it. Ian Murray, minister of state, responded by pointing to the Government Cyber Action Plan, which aims to hold government departments to security standards equivalent to those in the CSR bill, but without any legal obligation to meet them.
The Government Cyber Action Plan
The Government Cyber Action Plan was launched hours before the CSR bill was set for its second reading in the Commons. The plan aims to hold government departments to security standards equivalent to those in the CSR bill, but without any legal obligation to meet them. Critics have argued that this plan is insufficient and that the government should be held to the same standards as critical service providers. Neil Brown, director at British law firm decoded.legal, told The Register that the government’s argument that it will hold itself to standards equivalent to those set out in the bill does not fill him with confidence.
Separate Legislation for Public Sector Security
Labour MP Matt Western suggested that the CSR bill would not be a cure-all, but the first of many pieces of bespoke legislation the government will pass to improve national security. This suggests that the government is considering specific legislation to shore up public sector security further down the line. Brown argued that separate legislation does not sound like a terrible idea, noting that existing UK telecoms law is separated for effect. However, the likelihood of being able to deliver on effective legislative amendments at pace is uncertain.
Conclusion and Future Prospects
The UK government’s decision not to include the public sector in the CSR bill’s scope has been criticized by some, who argue that it undermines the government’s commitment to cybersecurity. The National Audit Office’s report into UK government security improvements in January 2025 laid bare the sorry state of its systems, with 58 of the 72 most critical systems run by various departments found to have security flaws. The government’s reluctance to bring the public sector into the scope of its flagship cyber legislation fails to inspire confidence that it has serious ambitions to improve security in this problem area. As the cyber threat facing the UK’s public sector continues to grow, it remains to be seen whether the government will take robust measures to improve cybersecurity and protect its citizens’ data.