UK Government Exempts Itself from Cyber Security Bill: A Threat to National Security? (2026)

Imagine a government writing its own rules, especially when it comes to cybersecurity. Sounds risky, right? The UK government is facing heavy criticism for exempting itself from its own landmark Cyber Security and Resilience (CSR) Bill. This move has sparked a debate about whether the government is truly committed to protecting itself and its citizens from increasingly frequent cyberattacks.

From the May cyberattack targeting the Legal Aid Agency, which compromised sensitive data, to the later breach at the Foreign Office, it's clear that cyber incidents are becoming commonplace within UK governmental bodies. And these high-profile cases are just the tip of the iceberg. The National Cyber Security Centre (NCSC) reports that a staggering 40% of the attacks it managed between September 2020 and August 2021 were aimed at the public sector. Experts predict this number will only climb higher, painting a concerning picture of the UK's vulnerability.

So, with this clear and present danger looming, why would the UK's flagship Cyber Security and Resilience (CSR) Bill specifically exclude both central and local government? That's the question echoing throughout the halls of Parliament and cybersecurity circles.

Sir Oliver Dowden, a former digital secretary and now a leading voice in the opposition, passionately urged the Labour government to reconsider this exclusion. He emphasized the need for stricter requirements on the public sector to force ministers to prioritize cybersecurity. His point? Without legal teeth, cybersecurity can easily be pushed to the back burner when other urgent matters arise.

The CSR Bill, introduced shortly after Sir Keir Starmer took office as Prime Minister, aims to modernize the UK's outdated 2018 Network and Information Systems (NIS) regulations. Among other essential updates, it seeks to bring managed service providers and data centers under its scope. An update along these lines was already planned in 2022, but those plans never materialized.

Comparisons are naturally being drawn to the EU's NIS2 directive, a similar effort to bolster cybersecurity across the continent. But here's where it gets controversial... Unlike its EU counterpart, the UK's CSR Bill deliberately excludes public authorities. This difference raises eyebrows and fuels concerns about the government's commitment to its own security.

Ian Murray, a minister responsible for data policy and public sector reform, responded to Dowden's concerns, promising to consider them. He also pointed to the government's newly launched Cyber Action Plan, unveiled just before the CSR Bill's second reading in the House of Commons. This plan supposedly commits government departments to the same security standards outlined in the CSR Bill.

And this is the part most people miss... The Cyber Action Plan lacks any legally binding obligations. Cynics might see it as a way to deflect criticism without making any real, enforceable security commitments. Is it a genuine effort to improve cybersecurity, or just a PR move to appease critics?

Dowden himself warned that cybersecurity often gets deprioritized in government, despite initial enthusiasm. He argued that legislative requirements are crucial to keep ministers focused on this critical issue. "I fear that if we don't put this into primary legislation, it's something that can slip further and further down ministers' in-trays," he stated, highlighting the risk of good intentions fading away in the face of more immediate crises.

A simple solution, some argue, would be to include the government and local authorities within the scope of the CSR Bill. If the government truly intends to hold itself to the same standards as critical service providers, why not make it official?

Neil Brown, a director at the British law firm decoded.legal, expressed his skepticism, stating, "The argument is that government departments will be held to standards equivalent to those set out in the bill, and so do not need to be included. This does not fill me with confidence. If the government is going to hold itself to standards equivalent to those set out in the bill, then it has nothing to fear from being included in the bill since, by definition, it will be compliant."

Labour MP Matt Western suggested that the CSR Bill is just the first step in a series of legislative efforts to improve national security, hinting at future legislation specifically targeting public sector security. But is this a realistic prospect, or just wishful thinking?

Brown believes that separate legislation for the public sector isn't a bad idea. He points to existing UK telecoms law as an example, where different acts target different organizations within the industry. This approach recognizes that security requirements can vary significantly between different types of organizations. Perhaps a dedicated public sector cybersecurity bill could be the most effective way to address the unique challenges faced by government entities.

The government's plan also includes provisions for future legislative amendments to the CSR Bill, allowing it to adapt to the ever-evolving cybersecurity landscape. This aims to avoid the delays that plagued previous NIS updates. However, the effectiveness of this approach remains to be seen. Can the government truly balance speed and comprehensiveness when making these amendments? The process of consulting with industry experts and navigating the parliamentary process can be lengthy and complex.

Brown favors a more incremental approach, legislating in smaller steps and iterating as needed. He believes that large, all-encompassing legislation often leads to compromises and reflects the conflicting interests of various stakeholders. Smaller, more targeted bills that address clearly defined problems are, in his view, a more sensible approach.

Given the scale of the cyber threat facing the UK's public sector, the decision to exclude it from the CSR Bill could expose the government to intense scrutiny. A 2025 report by the National Audit Office revealed significant security flaws in the government's systems and a slow pace in addressing them. That is hardly the picture of a public sector that can afford to be treated as safe from regular cyberattacks.

Every time a government agency, local council, or NHS trust is compromised, the government's decision not to include the public sector in the CSR Bill provides ammunition for the opposition to question its commitment to cybersecurity. The Conservatives, too, have faced criticism for failing to implement cybersecurity recommendations from a 2022 consultation, despite having ample time to do so.

Even with the Cyber Action Plan in place, the government's reluctance to bring the public sector under the umbrella of its flagship cyber legislation raises serious doubts about its commitment to improving security in this critical area. Do you think the government's Cyber Action Plan is enough, or should they include the public sector in the CSR Bill? And what are the potential consequences of leaving the public sector out? Share your thoughts in the comments below!

Author: Stevie Stamm