Introduction

Cyberattacks in the UK have surged by around 130% in recent years, ranging from minor system breaches to large-scale incidents affecting retailers, manufacturers and critical infrastructure. The financial and operational damage has run into the billions of pounds.

In response, the government introduced the Cyber Security and Resilience (CSR) Bill in November 2025. The Bill is intended to modernise the UK’s cyber regulatory framework by strengthening oversight of organisations operating in critical sectors. But while its ambitions are broad, its scope is not.

What the CSR Bill is trying to do

At its core, the CSR Bill aims to enhance national cyber resilience by imposing higher baseline security standards on operators of essential services, including sectors such as energy, transport and healthcare.

The government has also framed the reforms as an economic signal. A stronger cyber regime, it argues, presents the UK as a safer environment for business and investment. However, these objectives have attracted criticism over which organisations the Bill does not cover.

The public-sector gap

One of the most contentious aspects of the CSR Bill is the exclusion of much of the public sector from mandatory compliance.

From a legal perspective, this raises questions about consistency and proportionality in risk-based regulation. The Bill applies narrowly to organisations designated as operators of essential services and does not automatically extend to public bodies even where those bodies process vast volumes of highly sensitive personal and legal data.

This sits uneasily with the reality of modern cyber risk. Public-sector institutions are frequent targets, often due to legacy IT systems and the nature of the information they hold.

Why this matters in practice

The cyberattack on the Legal Aid Agency illustrates the risk.

The breach went undetected for several months and resulted in the exposure of confidential data relating to legal aid applicants, including financial information and details of criminal matters. It highlighted the vulnerability of public legal services and raised concerns about whether existing regulatory frameworks adequately protect individuals whose data is handled by state institutions.

While public bodies remain subject to data protection obligations under the UK GDPR and oversight by the Information Commissioner’s Office, these regimes are primarily concerned with personal data governance rather than proactive cyber resilience.

The CSR Bill, by contrast, is designed to impose preventative security standards, reporting obligations and regulatory oversight. Excluding public-sector organisations from these requirements creates a regulatory imbalance, where private operators are subject to stricter cyber obligations than public bodies performing equally sensitive functions.

What happens next

Industry leaders have already raised concerns. Emma Philpott, CEO of the IASME Consortium and Cyber Essentials Partner to the National Cyber Security Centre, has called for mechanisms to extend cyber protections beyond the sectors currently covered by the Bill.

Similar views have been expressed by senior digital leaders, including Shaukat Ali-Khan, who has advocated for tailored regulatory frameworks to address the specific risks faced by education and public-service organisations.

For lawyers and law students, the implications are practical. Advising clients following a cyber incident will often turn on whether an organisation falls within the statutory definition of an operator of essential services — a classification that remains narrowly drawn.

Where organisations handling sensitive legal and personal data fall outside that definition, uncertainty follows for both clients and advisers. As cyber threats continue to grow, the effectiveness of a framework that excludes key public-sector bodies is now under serious scrutiny.