The Cyber Security and Resilience (Network and Information Systems) Bill represents a significant step forward in the legislative and regulatory landscape for cybersecurity in the U.K. It is essential for the effectiveness of the Bill that the voices of industry and the cybersecurity workforce are listened to as the Bill develops.
To support this, ISC2 partnered with the Department for Science, Innovation and Technology (DSIT) to host an online roundtable on the Bill, bringing together ISC2’s members in the U.K. and policymakers to discuss the Bill and its potential impact on the cybersecurity profession and U.K. organizations. This enabled a strong, wide-ranging group of ISC2 members to voice the views and feedback of the cybersecurity profession directly to DSIT.
The Cyber Security and Resilience (Network and Information Systems) Bill
The Bill updates and expands the existing Network and Information Systems Regulations 2018, bringing more sectors into scope of these cybersecurity regulations, strengthening the role of regulators, expanding cyber incident reporting and strengthening the U.K.’s cybersecurity and resilience in response to national security threats.
It represents a significant change in the environment that cybersecurity professionals will operate in. DSIT understands this, and is therefore keen to work with ISC2, as the world’s leading cybersecurity membership body, to understand the impact of the legislation as currently drafted, along with future implementation guidelines.
The roundtable consisted of two parts: a presentation by DSIT, followed by a discussion with ISC2 members where feedback was provided.
The Bill Timeline
A structural theme emerging from the DSIT presentation was the long lead-in time between the Bill progressing through Parliament and the Bill’s ultimate implementation. This was a useful reminder that the structure of the legislation means that much of the proposed detail, such as specific security and resilience requirements, will be left to secondary legislation and regulator guidance.
DSIT emphasized that there will be further public consultations on implementation of the Bill. This means there will be several opportunities for ISC2 members and the wider cybersecurity community to get involved and ensure the legislation is effective.
Capacity and Skills
On the Bill itself, members raised feedback and concerns on a number of areas. A key piece of feedback was on the capacity of both regulated organizations and regulators. This includes the cybersecurity skills of senior leaders, including board members, and the need to ensure senior cybersecurity leaders are certified and trusted.
It was pointed out by one member that the financial sector doesn’t just expect oversight but must demonstrate competence to regulators. This fed into concerns that boards across U.K. industry and critical national infrastructure still lack basic knowledge of cyber risks. Improving board-level cyber competence and awareness will be essential if the new regulatory regime is to be effective.
Skills shortages continually come up as a barrier to effective implementation. ISC2’s 2025 Cybersecurity Workforce Study reported that almost 88% of respondents experienced at least one consequence as a result of skills shortages, with 95% reporting at least one skills need in their organization. Further, skills shortages are the number one challenge in the U.K. for complying with regulations (47%).
Members also discussed the importance of enforcement, and of ensuring regulators have sufficient capacity to deliver on the aims of the Bill. Several members noted that fines under the Network and Information Systems Regulations 2018 were minimal, meaning poor security practices were not punished. There was a clear view from members that the new regime should both reward good cybersecurity practice and ensure negligence is met with meaningful enforcement action.
Expanding the Scope of the Bill
The expanded scope of the legislation, including bringing in data centres, critical suppliers and managed service providers (MSPs), also drew a lot of comment. In particular, the process and criteria for MSPs and critical suppliers falling under scope were of interest. Under the legislation as drafted, only medium and large MSPs will be regulated. However, some members pointed out that this might exclude MSPs that may be small in size but critical in their impact.
The expansion of the regulations to include critical suppliers was welcomed, but it raised questions about how to define criticality, and whether regulators would have enough insight into business supply chains to adequately designate an organization as a critical supplier.
Regulatory Alignment
Members were passionate throughout about wanting to focus their efforts on securing their organizations and the U.K. economy. They were therefore interested in any efforts to align U.K. regulations and compliance with other jurisdictions, such as the EU, to help remove regulatory duplication. DSIT emphasized that they are in dialogue with the European Union and member states on these matters.
This roundtable is just the latest step of ISC2’s engagement with the government on the Bill. ISC2 collaborated with DSIT prior to the Bill’s release, hosted a roundtable in parliament on the day of the Bill’s publication and appeared before the House of Commons Public Bill Committee to give oral evidence earlier this year. ISC2 will continue to engage members and DSIT to ensure the Bill is effective and contributes to a safe and secure cyber world.
With public consultation on implementation expected later this year, ISC2 members and the wider cybersecurity community will have further opportunities to help shape the future U.K. cybersecurity regulatory framework. Ensuring that regulation is effective and proportionate, and that it supports the development of the cybersecurity workforce, will be essential to ensuring the Bill’s effectiveness.
ISC2 would like to thank the members who registered for the event, and who attended the online roundtable, volunteering their time to provide strong feedback to DSIT.



