The Cyber Resilience Bill Isn’t About Security. It’s About Survival.
The Cyber Resilience Bill: A Shift in Thinking
The UK government is developing the Cyber Resilience Bill as the next step in strengthening how the country protects essential services from cyber disruption. It builds on NIS, but it pushes things further, both in scope and in expectation.
At its core, this is about something quite simple: not whether organisations look secure on paper, but whether they can keep operating when things start to go wrong. The Bill is about building resilient businesses. It is not about throwing security hurdles in front of the organisation, but about getting the organisation to understand how it needs to operate better.
For a long time, we have treated cyber security as a control problem. Put the right controls in place, align to a framework, pass an audit, and we tell ourselves the risk is managed. In practice, that has been enough to get by.
This Bill shifts that thinking. And if we are honest, it asks a far more uncomfortable question. Can you actually stay in control when those controls start to fail?
When Prevention Isn’t Enough
Most organisations are still heavily optimised for prevention. We invest in security tooling whose job is to block or remediate the attacks coming into the organisation. That makes sense, up to a point.
The reality is that failure is no longer hypothetical. It happens. Regularly. The rhetoric of “assume breach” is coming home to roost. What matters now is how you behave when it lands on your doorstep.
Resilience Is About Recovery, Not Just Protection
Resilience is not about what you have. It is about how quickly and reliably you can get back to operating.
This is not just a tougher version of what already exists. There is already no shortage of compliance around cyber security. The real change is that now you have to prove it, and compliance is no longer something you opt in to.
Pointing at a policy no-one has read, or at boxes ticked on a compliance schedule the board passively engaged with, is no longer going to cut it. The focus is now on the organisation being able to:
- contain disruption,
- make decisions with incomplete information, and,
- recover in a way that is predictable and understood.
For most organisations, the aspiration has always been “Yes, we can do this”, but in practice … not so much, or at best only partially.
A Critical Window to Prepare
There is also a small but important window right now. The Bill is not live yet. You have time, but not much of it. Moments like this are rare. You have the chance to get ahead of the intent rather than scramble to meet the letter of the law later.
Where Policy Is Heading
The broader policy direction is already taking shape through things like the Cyber Governance Code of Practice and the emerging Cyber Security and Resilience Pledge. They are not regulation, at least not yet, but they are a clear signal of where expectations are heading.
It is worth paying attention to that now. Think of it as early sight of the exam paper. Act voluntarily now, so that when the Bill is passed you will at least be on the right pathway.
Organisations that use this time to test their response, understand their dependencies, and improve how decisions are made will find that compliance almost becomes a by-product. Those that wait will be left trying to retrofit capability while under scrutiny.
Why This Matters for the Boardroom
This is where it lands for the boardroom. Awareness on its own is not going to cut it. The focus shifts to judgement:
- What risks were consciously accepted,
- whether they were properly understood, and,
- how decisions were made when things started to drift.
If cyber risk is not translated into operational and financial impact, those decisions slow down at exactly the wrong time.
Decision-Making Under Pressure
Detection is not the real issue; cyber teams at the coal face can do this pretty well. Incidents, however, were always going to happen. Any good incident responder will tell you that the hard part is understanding what is actually happening, aligning people quickly, and communicating clearly while the picture is still incomplete. That is where control is either maintained or publicly lost. Technology helps, but it does not eliminate hesitation.
The Supply Chain Risk You Can’t Outsource
There is still a lingering belief that risk can be transferred through contracts. It cannot. If a critical supplier fails, the operational impact still sits with you. Most of those affected by SolarWinds in 2020 had done their due diligence. However, few of the 18,000 affected organisations actually understood the impact of a supply chain failure. The question is not whether the supplier breached an SLA; it is whether you designed for that possibility. This has just become a big data problem.
- Can you identify the gaps in the suppliers too?
- How far do you depend on suppliers to keep operations alive?
- How well does your supplier base hold up to scrutiny for delivery under stress?
You can outsource a service, but you do not outsource the impact when it fails. Strip it back, and the Bill exposes a fairly stark gap. Many organisations are good at demonstrating compliance. Far fewer have shown they can operate effectively under stress.
Practical Steps Towards Cyber Resilience
So the takeaways are not complex, but they are not especially comfortable either.
- know your risk,
- define resilience in terms of services, not just systems,
- be clear about what can fail and what genuinely cannot,
- translate cyber risk into something the business can make decisions on, and,
- test how your organisation behaves under pressure, not just how your tools perform.
Use the time you have now. Once this is live, you are no longer getting ahead; you are catching up. Maturity testing, compliance with meaning, assessment frameworks: these are already in your organisation. Use them to bring together the plans you have and to find the gaps that, ultimately, would have halted operations anyway.
The One Question Every Organisation Must Answer
And ultimately, everything comes back to a simple question: