Cyber Security and Resilience Bill second reading and Cyber Action Plan announcement – What do Westminster’s latest moves mean for the UK cyber sector?

8 January 2026

On 6 January 2025, Westminster sent a clear signal that the UK’s cyber agenda is shifting from strategy and planning to practical implementation. On the same day that the Cyber Security and Resilience Bill cleared its second reading in the House of Commons, the government also unveiled its Cyber Action Plan, backed by £210 million to strengthen cyber defences and digital resilience across government departments and the wider public sector. 

Taken together, these moves signal momentum from the government toward tightening the UK’s cyber regulatory framework and raising the baseline for cyber resilience across the economy. However, many may be unsure of what these mean for affected industries and sectors.

This article will explore what the Cyber Security and Resilience Bill’s second reading and the new Cyber Action Plan mean in practice – for the areas and organisations directly in their scope, for those in their ecosystems, and for the cyber industry more broadly that will be tasked with supporting businesses through the transition.

Cyber Action Plan

On 6 January, as many in the sector were awaiting the scheduled second reading of the Cyber Security and Resilience Bill, the government made a surprise announcement of its Cyber Action Plan, which sets out plans to strengthen cyber defences and digital resilience across government departments and the public sector, backed by £210m of government funding.

The plan focuses on three key outcomes: clearer visibility of cyber risks, faster incident response, and stronger collective action so that no single organisation is left to manage the aftermath of an attack on its own. At its heart is a proposed ‘Government Cyber Unit’, which is expected to coordinate efforts and operations to implement the plan and measure its success.

Crucially, the Cyber Action Plan is designed to underpin the government’s broader digital transformation agenda within the public sector and government departments. This includes further digitisation of public services, improving the accessibility of online services, reducing virtual queues, and providing more centralised access to government resources and support. Through this plan, the government hopes to unlock up to £45bn in productivity savings across the public sector, hence its interest in improving cyber security and operational resilience.

The plan also introduces the new ‘Software Security Ambassador Scheme’, aiming to tackle software supply chain risk through a new, voluntary ‘Software Security Code of Practice’. This is effectively a best‑practice checklist for secure software development, with public sector suppliers expected to demonstrate alignment with these practices. Early ambassadors include Cisco, Palo Alto Networks, Sage, Santander and NCC Group.

Through the plan, government departments are expected to be held to standards equivalent to those set out in the Cyber Security and Resilience Bill. For those providing cyber security services to the public sector, this could signal increased demand for risk assessment, incident response and monitoring solutions as departments look to meet milestones in the plan and modernise their systems securely.

Cyber Security and Resilience Bill second reading

Following the Cyber Action Plan announcement, the government’s Cyber Security and Resilience Bill cleared its second reading in the House of Commons, receiving a broadly positive reception in the House. This was largely expected for a measure aimed at updating and extending the UK’s cyber regulatory framework for a more connected and tech‑dependent economy.

Introducing the Bill, DSIT Minister of State Ian Murray made the case that cyber resilience is not only a security necessity, but also an economic growth issue. MPs focused their scrutiny on three questions: whether the Bill’s scope matches the risk landscape, whether it could create a disproportionate burden on businesses, and whether regulators will be equipped to enforce the new regime effectively.

Substantively, the Bill builds on the 2018 NIS regulations by bringing large load controllers, data centres and managed service providers into scope, and aims to ‘future-proof’ the legislation by including mechanisms to adapt the perimeter over time as technology and risks evolve.

A constructive debate, with three core concerns

A range of MPs took part in the debate, including Shadow teams and backbenchers. While the overall tone was constructive and MPs broadly welcomed the extension of regulations, much of the regulatory scrutiny centred around three areas:

1) Scope: does the Bill match the risk landscape?

One concern was whether the Bill truly takes a ‘whole‑of‑economy’ approach. MPs questioned whether its scope covers the businesses and services most at risk and most economically damaging if hit by a cyberattack. They highlighted major private sector firms recently targeted by cyber incidents, such as Jaguar Land Rover, M&S and the Co‑op, that fall outside its remit.

While not classed as critical national infrastructure, disruption to these companies could trigger widespread supply chain issues, consumer impact, and broader economic damages. MPs also pointed to sectoral gaps, notably in financial services, which could fragment the national approach as different regimes run in parallel. 

Finally, they scrutinised new ministerial powers offered to the DSIT Secretary of State to reclassify sectors as critical infrastructure, raising concerns around accountability and transparency.

2) Burden on business: necessary regulation or risking overreach?

The second major theme was the Bill’s burden on businesses, and whether the compliance model is proportionate.

A core concern was potential duplication. MPs noted that the Bill’s incident‑reporting and compliance duties may overlap with existing regulatory regimes, particularly the UK GDPR. For organisations already navigating multiple reporting and governance frameworks, the risk is that new obligations complicate pre-existing compliance without necessarily improving security outcomes. 

MPs also raised the question of proportionality across company size. While the costs and operational changes implied by the Bill may be manageable for larger firms, there was concern that they could function as a de facto “operational tax” on SMEs. Opposition MPs viewed this as punitive, while also holding the perception that the Bill did not go far enough to enforce board-level accountability.

3) Regulators: are they capable of enforcement?

The third set of concerns related to regulators, both in their ability to deliver the new regime and the risk of unintended consequences.

Firstly, MPs questioned whether regulators will have the resources and expertise needed to enforce the new responsibilities consistently. A particular issue raised was timing: additional funding is expected to arrive only after the Bill, leaving little support during the transition period before the Bill is implemented. Some fear that this gap could create uneven implementation, slow readiness, and inconsistent enforcement across sectors.

Secondly, MPs raised concerns about the funding regime for regulators. If regulators become reliant on fee income, MPs warned this could create perceived or real incentives to expand scope or increase supervisory activity in ways that may feel unfair or disproportionate. 

Additional points to note

MPs also stressed that legislation is only one part of improving national cyber defences. They argued that the government needs to continue to hold industry to account through governance, encourage industry take-up of effective cyber insurance, promote cyber education, and improve skills, addressing the reality that individuals are often the weakest link.

In addition to these three key areas, there were also concerns around whether the legislation would keep pace with fast‑moving threats (AI‑enabled attacks, credential misuse), given that many breaches now involve the use of compromised, but valid, credentials. This raised questions around whether legislation alone would be enough to tackle what may be seen as failures of governance and business culture.

Finally, concerns were raised around data sovereignty, with many businesses reliant on US hyperscalers, and calls for supplier concentration and dependency to be treated as a strategic priority.

Next steps: Public Bill Committee on 3 February

The Bill now moves into the Public Bill Committee stage, where MPs will scrutinise it in more detail. The first session is scheduled for 3rd February 2025. Within this stage, there will be a call for evidence which will allow industry voices to contribute to this debate and shape the legislation going forward. CBN is considering submitting evidence to the committee.

If you’d be interested in hearing more about what’s to come with the Cyber Security and Resilience Bill, CBN will be discussing the Bill at our January Members Meeting in London, on Wednesday, 21st January, 4:30pm – 7:30pm. Alongside our deep dive into the Bill, this event will also include a roundtable-style discussion to help shape our priorities for 2026.

If you’d like to join us for our members meeting, please head to cb-network.org/join-us/
Otherwise, feel free to drop us a message at secretariat@cb-network.org.