ANALYSIS From May’s cyberattack on the Legal Aid Agency to the Foreign Office breach months later, cyber incidents have become increasingly common in UK government.

The scale extends far beyond these high-profile cases: the NCSC reports that 40 percent of attacks it managed between September 2020 and August 2021 targeted the public sector, a figure expected to grow.

Given this threat landscape, why does the UK’s flagship Cyber Security and Resilience (CSR) Bill exclude both central and local government?

Sir Oliver Dowden, former digital secretary and current shadow deputy PM, led calls in the House of Commons this week urging Labour to rethink its stance on excluding central government from the Cyber Security and Resilience (CSR) Bill.

“I would just urge the minister, as this bill passes through Parliament, to look again at that point, and I think there is a case for putting more stringent requirements on the public sector in order to force ministers’ minds on that point.”

The CSR bill was announced days into Sir Keir Starmer’s tenure as Prime Minister, aiming to provide an essential refresh of the country’s heavily outdated NIS 2018 regulations.

It proposed to bring managed service providers into scope, as was scheduled in 2022 before those plans fell by the wayside, and datacenters, among many other aspects.

Parallels can be drawn with the EU’s NIS2. However, the CSR bill’s scope is narrower, excluding public authorities, unlike the EU’s equivalent regulatory refresh.

Ian Murray, minister of state across two government departments and responsible, in part, for data policy and public sector reform, thanked Dowden for his suggestions and promised to take them on board.

In responding to the shadow deputy PM, Murray also pointed to the Government Cyber Action Plan, which it launched hours before the CSR bill was set for a second reading in the Commons.

This plan will ostensibly hold government departments to equal security standards as the CSR bill… just without any of the legal obligations.

Cynics may see it as a tool to quell any criticisms of the bill’s scope not extending to central government, all without making any hard security commitments.

As Dowden noted in the Commons on Tuesday, cybersecurity is a matter that is often deprioritized quickly in government. “I welcome the minister’s comments about the obligation on the public sector. However, I would caution him that, in my experience, cybersecurity is one of those things that ministers talk about but then other priorities overtake it. And the advantage of legislative requirements is that it forces ministers to think about it.”

“I do think that more pressure needs to be brought to bear on ministers in terms of their accountability for cybersecurity. I fear that if we don’t put this into primary legislation, it’s something that can slip further and further down ministers’ in-trays. Whilst [some] ministers may have a desire to address it, other, more pressing, immediate problems distract their attention.”

One could argue that if the government is serious about holding itself to the same standards as the critical service providers in scope of the CSR bill, it would just bring itself and local authorities also into scope.

Neil Brown, director at British law firm decoded.legal, told The Register: “The argument is that government departments will be held to standards equivalent to those set out in the bill, and so do not need to be included. This does not fill me with confidence.

“If the government is going to hold itself to standards equivalent to those set out in the bill, then it has nothing to fear from being included in the bill since, by definition, it will be compliant.”

Labour MP Matt Western, who also chairs the National Security Strategy joint committee, suggested that the CSR bill would not be a cure-all, but the first of many pieces of bespoke legislation the government will pass to improve national security.

This suggests the government is considering specific legislation to shore up public sector security further down the line. Perhaps this is wishful thinking.

• UK’s Cyber Security and Resilience Bill makes Parliamentary debut
• UK tech minister booted out in weekend cabinet reshuffle
• UK threatens £100K-a-day fines under new cyber bill
• Revamped UK cybersecurity bill couldn’t come soon enough, but details are patchy

Brown told us “separate legislation does not sound like a terrible idea,” and notes that existing UK telecoms law is separated for effect.

The Telecommunications (Security) Act 2021 and the Product Security and Telecommunications Infrastructure Act 2022, for example, both seek to improve security in the telco space, but target different organizations. Security requirements often differ between types of organization, so potentially reserving a public sector-specific cybersecurity bill could be the way to go.

Ministers’ plans also include a provision in the bill to introduce new legislative amendments as needed, to meet the demands of a rapidly shifting cybersecurity landscape, leaving behind the Brexit-related hindrances that delayed the previous NIS updates in the first place.

However, the likelihood of being able to deliver on effective legislative amendments at pace is uncertain.

Arguably, if the government wanted to do it correctly, it would carry out a comprehensive (and lengthy) industry consultation before pushing any amendments through the two Houses, another typically arduous process.

Whether this way of iterating on existing law could balance speed with comprehensiveness in unanswered.

For Brown, the approach taken by Labour – to legislate in smaller steps – seems like the smarter choice.

“My preference is to legislate little and often, iterating as needed, rather than trying to create one piece of legislation which is all things to all people,” he says. “Legislation inevitably entails compromise, and often reflects the divergent interests of numerous interested parties (including lobbying groups) – I look, for instance, at the Online Safety Act 2023. Smaller bills/acts, more targeted in scope, responding to a clearly-articulated problem statement, seems more sensible to me.

“As to whether the CSR would result in a better outcome than NIS2, I’m afraid I do not know.”

Given the scale of the cyber threat facing the UK’s public sector, failing to account for this in the CSR bill could open the government up to intense scrutiny.

The National Audit Office’s report into UK government security improvements in January 2025 laid bare the sorry state of its systems. Of the 72 most critical systems run by various departments, 58 were reviewed; auditors found a litany of security flaws across them and noted a staggeringly slow pace at which the issues were being addressed.

That is not an assessment which goes hand-in-hand with a public sector free from regular cyberattacks.

Each time a central authority, arm’s-length body, local council, or NHS trust is compromised, the government’s decision not to include the public sector within the scope of the CSR bill hands the opposition another opportunity to question its commitment to cybersecurity.

Labour does, at least, have some ammo to fire back if this scenario were to ever become reality, with the Conservatives having failed to enact the cybersecurity recommendations from its 2022 consultation, despite having had more than two years to do so.

Even with the government’s Cyber Action Plan, its reluctance to bring the public sector into the scope of its flagship cyber legislation fails to inspire any confidence that it has serious ambitions to improve security in this problem area. ®