What does the new Cyber Resilience Bill mean for consumers?
The new Cyber Resilience Bill aims to minimise cyberattacks – but what does it mean for you?
Parliamentary legislation tends to be slow-moving and rarely makes the headlines, however well-meaning it may be.
Few readers will be familiar with the Network and Information Systems (NIS) Regulations 2018, which were meant to raise the security of the networks and IT systems behind essential services against malicious actors.
Equally few readers will be familiar with the Cyber Security and Resilience Bill which is currently ambling through Parliament.
Despite having been announced in the 2024 King’s Speech, politicians are only now giving a first reading to a bill which is, in large part, an update of the NIS regulations: it widens their scope and tightens their reporting duties rather than replacing them.
Indeed, it’s perhaps indicative of the latter’s failure to reduce levels of UK-targeted cybercrime that the new Bill is deemed necessary.
National Cyber Security Centre data shows cyberattacks against the UK almost trebled year-on-year in 2025, with 18 separate incidents categorised as having the potential to impact essential services.
However, it’s debatable whether the Cyber Resilience Bill will do any more than previous endeavours like the Product Security and Telecommunications Infrastructure Act of 2022.
Stand and deliver
On paper, the new Bill, once enacted, should reduce the cyberattacks whose victims in 2025 ranged from Marks & Spencer to three separate London councils within the space of a few weeks.
In particular, it’ll focus on protecting vital public services including water and energy suppliers, health services and transport networks.
It will encompass everything from IT helpdesks to the UK’s burgeoning collection of data centres, as well as EV charging point and heating appliance operators.
Third-party suppliers will face increased paperwork in terms of risk assessments, data protection and network security, plus more onerous reporting requirements.
This is the point where consumers may notice a difference: customers of data centres and digital service providers must be told about attacks on those providers, including incidents judged only potentially significant rather than confirmed as serious.
Companies failing to meet these statutory requirements will incur penalties calculated as a percentage of turnover.
This should ensure a better response than Ticketmaster managed in 2024 after a major data theft occurred, when the company repeatedly failed to inform customers about the breach.
To give the Cyber Resilience Bill extra teeth, it was confirmed last week that over £200 million would be provided to run a new Government Cyber Unit.
This will offer rapid responses to both Government departments and the wider public sector, perhaps mindful of the Royal Borough of Kensington and Chelsea’s data loss last month.
Again, while consumers may not immediately reap the rewards of increased investment in cybercrime prevention, we’ll all benefit if less data is lost to hacks and breaches.
Everyone from sole traders to small business owners can harness the NCSC’s Cyber Action Toolkit, launched last October to protect vulnerable firms against common cyber threats.
Similarly, companies of any size can sign up to the government-backed Cyber Essentials certification scheme; for smaller UK organisations that certify their whole organisation, the certificate includes cyber liability insurance at no extra cost.
Is any of this going to reduce cybercrime?
Cybercrime against UK targets is rarely committed from within the UK, so domestic legislation can only achieve so much.
Most incidents reported by the NCSC last year were either driven by nation states with a vested interest in undermining the UK, or criminal gangs who are also mainly overseas.
Many of these are classed as Advanced Persistent Threat (APT) actors: well-resourced groups that probe our national infrastructure and IT systems for vulnerabilities patiently and over long periods.
On a consumer level, time-honoured advice still applies in terms of protecting your personally identifiable information (PII) and optimising domestic cybersecurity:
- Never reuse a password across accounts, and avoid short or guessable ones. A password manager will generate and store a long, unique password for each site; keeping them in a notebook or a browser bookmarks list neither scales nor protects them. Switch on multi-factor authentication wherever an account offers it.
- Change the default administrator password on your wireless router, and its Wi-Fi passphrase, since the router is the usual entry point into a home (and often a small-business) network. Keep its firmware updated and make sure it is using WPA2 or WPA3 encryption.
- Install antivirus software on desktop computers with automatic updates enabled, and apply operating system, app and utility updates promptly when they are offered; many attacks exploit flaws for which a patch already exists.
- Ignore suspicious unsolicited messages, share PII only when you are confident the recipient genuinely needs it, and avoid sending confidential data over public Wi-Fi unless the connection is protected by HTTPS or a VPN.