Geo Focus: The United Kingdom
    ,
    Geo-Specific
    ,
    Legislation

    Despite Political Upheaval, Stronger Critical Infrastructure Rules See Wide Backing

    Mathew J. Schwartz (euroinfosec) •
    July 10, 2026    

    Not Dead Yet: Backers Pine for Elusive UK Cyber Bill
    Image: Nigel J. Harris/Shutterstock

    British supporters of long-touted, much-previewed cybersecurity legislation say they’re optimistic the bill will advance through Parliament, despite the country’s frequent leadership changes.

    See Also: How Payment Service Directive (PSD2) is Changing Digital Banking – Are You Ready?

    The Cyber Security and Resilience (Network and Information Systems) Bill, formally introduced to Parliament in November 2025, is designed to strengthen the ability of the nation’s critical national infrastructure to fend off cyberattacks and rapidly recover from incidents.

    If the bill makes to King Charles III this year, its provisions would come into force in 2027 and 2028. “We’re about halfway through the legislative process. There’s still some really good stuff in that bill, but there’s some challenges that are coming along the line,” said James Morris, a former U.K. member of Parliament who’s the chief executive of British nonprofit think tank Center for Cyber Security and Business Resilience.

    The House of Lords is scheduled to review the bill again on July 14. “We’re in a ‘wait and see’ moment,” said Sanjana Mehta, associate vice president for advocacy at ISACA, a global, non-profit professional association for IT and digital trust professionals. “Meaningful scrutiny will really begin when Parliament returns from its summer holiday in September,” she said.

    By then, the country likely will have a new prime minister – its sixth in 10 years – with odds heavily favoring Labour MP Andy Burnham. He’s expected to appoint a new swath of government ministers. Whether they would seek to alter the scope or provisions of the bill remains to be seen.

    “In setting out his platform for leadership, Andy Burnham has already spoken about the need for greater tech sovereignty and resilience, as well as his ambitions to rewire routes into employment so that technical courses are viewed on par with traditional higher education pathways,” Mehta said.

    In a London Times op-ed on Wednesday, Burnham committed to “building a Britain that is more resilient,” citing the need to learn from nation-state attacks targeting healthcare and the hack attack last year against Jaguar Land Rover, which took a $2.5 billion bite out of Britain’s economy.

    “We can simultaneously defend our national security, protect and grow our economy and make our nation stronger,” he wrote.

    Amends Existing NIS Regulations

    The CSRB primarily amends Britain’s Network and Information Systems Regulations 2018, which covers transport, energy, drinking water, health and digital infrastructure, as well as several types of online service providers, including cloud computing services, marketplaces and search engines.

    The legislation would expand the regulatory ambit to include data centers, large load controllers, managed service providers and critical suppliers to regulated organizations. All covered entities would be required to report major incidents to a sector regulator, as well as to the nation’s incident response lead, the National Cyber Security Center and within 24 hours, with a full report due within 72 hours.

    Many of the proposed changes are recommendations produced in 2022 from a review led by the previous, Conservative-led government. They’re also informed by, but less expansive than, the EU’s NIS2 Directive. Adopted in 2022, NIS2 updated Europe’s NIS rules to require member states to develop a cybersecurity strategy that details and enforces policies for supply-chain security, vulnerability management, and cybersecurity education and awareness across critical sectors, and expanded the scope of sectors that must comply.

    Cross-Party Backing

    Modernizing and future-proofing British cybersecurity and resilience law has wide backing.

    “While political change always comes with the risk of pause, hiatus or temporarily diverted attention, we have traditionally seen that cyber is a helpfully apolitical issue,” said Katharina Sommer, director of government affairs and analyst relations at consultancy NCC Group, based in Manchester, England. “So we are optimistic that timescales for the bill’s journey, adoption and entry into force will not slip by much.”

    Further fuel for change: organizations are grappling with how to govern their use of artificial intelligence tools, as well as how to address AI sovereignty concerns, which comprise resilience questions at both an organizational and national level (see: ISACA Survey: AI Adoption Is Rising, Visibility Is Not).

    “The general feeling seems to be that the ‘Mythos moment’ should be capitalized upon as senior executives are actively seeking answers to how cyber resilience needs to be redefined in the AI age, and policymakers are actively interested in having a national conversation about cyber, emphasizing that cybersecurity is economic and national security, and should be how organizations are run nowadays,” Sommer said.

    The speed with which everything continues to change is itself a challenge. “So it’s got the classic dilemma of trying to create legislation in a very, very fast-moving technology environment,” with many parliamentarians expressing increased concern especially over the risk AI might pose to critical infrastructure, CSBR’s Morris told ISMG at last month’s Infosecurity Europe conference in London (see: Why UK Cyber Law Struggles to Keep Pace With AI).

    Share.

    Comments are closed.