In recent weeks, the UK government has announced the introduction of its new Cyber Security and Resilience Bill.
The bill aims to strengthen cyber defences for organisations that fall within the scope of critical national infrastructure (CNI), including the NHS, energy, water and transport sectors, ultimately making these industries more resilient to increasing cyber threats. This comes at an important time: KnowBe4’s 2025 Phishing By Industry Benchmarking Report revealed that critical national infrastructure organisations across the UK and Ireland are being increasingly targeted by nation-state actors. Legislation to fight this couldn’t be more vital.
The new legislation is an overhaul of existing British cyber defences for critical infrastructure and services. The bill, expected to receive Royal Assent in 2026, updates and reforms the UK’s Network and Information Systems Regulations (NIS) 2018.
With compliance pressures and national resilience hanging in the balance, what does the bill mean for organisations deemed CNI in the UK?
Why this and why now?
Cybercrime, especially that targeting critical sectors, comes with huge costs and real-world repercussions. The 2024 Synnovis hack, for example, is thought to have caused over 11,000 disrupted medical appointments and procedures, resulting in estimated costs of £32.7 million. It is also thought that the attack directly contributed to the death of a patient. This underscores the very real and devastating impact of cybercrime on the wider public.
The Cyber Security and Resilience Bill aims to prevent major disruption (like cancelled NHS appointments, for example) in the event of a cyberattack and protect the UK economy at the same time. It is estimated that cyberattacks are costing nearly £15 billion annually – a stark statistic.
However, reforming the security of CNI organisations is no small feat. Many of the organisations affected by this legislation run on legacy systems, with a transient and busy workforce that is juggling competing pressures. This presents legislators with a challenge: how to reform for a more resilient workforce, whilst also changing the ingrained habits of a sector that isn’t necessarily used to change.
Simplifying the Bill: Key Takeaways
When it comes to how this will affect organisations within scope, there are some major changes. These include:
- Mandatory incident reporting: If a major cyberattack occurs, affected organisations must report within 24 hours, with a full report expected within 72 hours.
- Regulators can designate “critical suppliers”: Organisations deemed critical suppliers (like those serving NHS or water firms) will be forced to adopt minimum security standards.
- Stronger enforcement: Turnover-based penalties for serious breaches, making non-compliance costlier than investing in security proactively and preemptively.
- Regulation of medium/large IT service providers: IT service providers (like MSPs, for example) that serve critical organisations will be required to meet strict cybersecurity requirements, including the mandatory reporting of serious incidents, and have recovery plans in place.
- New powers for the Technology Secretary: The Technology Secretary will be able to direct essential organisations (like NHS trusts) to strengthen monitoring and isolate high-risk systems when national security is at risk.
The Cyber Security and Resilience Bill formalises what the industry has long recognised: human risk is a critical infrastructure risk. Organisations must now understand behaviour, design security around real work conditions, measure human risk continuously and report it at board level. This marks a significant shift for Human Risk Management, elevating it from a peripheral training activity to a strategic, data-driven discipline at the heart of organisational resilience.
What does this mean for the board?
The UK’s new cyber legislation – and its headline-grabbing potential £17m fine for non-compliance – is a clear signal that regulators now expect boards to treat cyber resilience as an enterprise-level issue. Cyber is no longer an operational problem delegated to IT. Instead, it is a governance obligation with financial, operational and reputational consequences.
For boards, the message is twofold. First, regulators finally have the teeth to enforce meaningful change. Second, compliance cannot be achieved through policy alone. Many critical infrastructure organisations run on heavily customised legacy systems. In these environments, workarounds are rarely wilful negligence; in many cases they are the only way employees can keep essential services running. If mandates ignore this reality, organisations risk sliding into a tick-box approach that satisfies auditors but fails to build real resilience.
Boards therefore need to push for security strategies grounded in how work actually happens. That means asking whether technology, processes and controls are helping people do the right thing or unintentionally pushing them towards insecure shortcuts. It also means ensuring the workforce is treated as a partner in security, not a threat to be managed. Staff must feel able to report issues without fear of blame and to contribute to the design of workable processes.
How can organisations get ahead of meeting the requirements?
The secure option needs to be designed to be the easiest option. When security introduces friction, people naturally find ways around it. When security is intuitive, low-effort and embedded in day-to-day workflows, compliance becomes the default behaviour. The Cyber Security and Resilience Bill effectively pushes organisations toward this human-centred approach, rewarding those that minimise friction and understand the behavioural reality of their workforce. Boards and decision makers should therefore look for investment cases that prioritise usability alongside technical robustness.
In short, the new legislation raises the stakes, but it also presents an opportunity. By championing a human-centred, operationally realistic approach to cyber resilience, boards can move beyond compliance and build a security culture that actually works under real-world pressure.
