Why the UK’s new Cyber Bill demands action, not compliance

Nige Wilkinson – COO – Cyberfort


The introduction of the Cyber Resilience Bill marks a defining moment in the UK’s approach to digital security. For years, regulation has focused on the most visible parts of the critical national infrastructure, but the digital economy has become far more interconnected and far more dependent on the unseen operators that keep it running.

By widening the scope to include data centres, managed service providers and a new class of critical suppliers, the bill recognises that resilience is shaped not only by the organisations at the forefront of service delivery but also by those embedded deep within the national supply chain.

This shift is an important one. Data centres and managed service providers are now fundamental to how business is conducted. They host the information that fuels decision-making, the platforms that support essential public services and the systems that underpin national productivity. Yet the bill’s current definition of a critical supplier remains broad and, at present, untested.

The absence of clear consultation with the industry on what constitutes criticality leaves room for uncertainty. A data centre hosting low-risk workloads could be treated in the same way as one supporting essential public services. For operators and investors alike, such ambiguity could influence future development decisions and impose new requirements that are not aligned with the risk profile of their services.

While the details of classification require further refinement, the intention behind the legislation is sound. Cyber threats increasingly exploit the gaps that exist between interconnected partners rather than focusing solely on direct targets. As organisations have matured their own defences, attackers have looked outward to the suppliers and service providers that form the operational backbone of modern businesses. 

The bill acknowledges this reality. It places supply chain resilience at the forefront of regulatory attention and emphasises that security must be consistent from end to end if it is to be effective.

Training people is easy. Securing partners is harder

Employees are often highlighted as the main vulnerability within organisations, yet they are also the most addressable. People can be trained, educated and equipped to understand the nature of evolving threats. Supply chains, by contrast, are more complex. 

They are formed of partners who do not always adhere to the same standards and who may have very different levels of maturity in their own security practices. Without shared expectations and a unified framework, individual resilience will never translate into ecosystem resilience. The new provisions for faster incident reporting and enhanced enforcement powers are therefore meaningful steps towards creating a more transparent and accountable operating environment. They encourage collaboration, raise the collective bar and help ensure that weaknesses cannot be hidden within the less visible layers of the digital infrastructure.

Resilience requires more than regulation

However, true cyber resilience cannot be guaranteed by regulation alone. It must become embedded within organisational culture. Some businesses are still not fully compliant with GDPR despite its introduction seven years ago. Compliance, by itself, does not create resilience. 

It is the minimum threshold, not the desired state. The new bill risks becoming another set of obligations that organisations react to rather than a catalyst for genuine transformation. The success of the legislation will depend on whether businesses choose to act now to strengthen their security posture or wait until the obligation becomes unavoidable.

Cyber resilience is ultimately about safeguarding the data, systems, people and partnerships that underpin both economic stability and public trust. The bill sends a clear message that resilience is no longer a matter of choice but a shared responsibility. Those who begin preparing today will be best placed to thrive in a future where cybersecurity is not an operational consideration but a fundamental requirement for sustainable growth.
