As cyber threats escalate and public sector systems remain vulnerable, the UK government is moving to modernise its cybersecurity regulations. With ransomware attacks on critical services and legacy IT systems exposing deep-rooted risks, the proposed Cyber Security and Resilience Bill aims to strengthen defences, improve incident reporting, and safeguard the infrastructure underpinning Britain’s digital future.
Even as technology advances and security tightens, cyber attacks are incredibly common, with the Cyber Security Breaches Survey 2025 finding that almost half of businesses (43 per cent) reported having any kind of cybersecurity breach or attack within the last year. Although a decrease from 2024 figures (50 per cent), these figures are still high.
The threat to the government, and to the public sector in general, is therefore severe and advancing at a rapid rate. In 2024, the National Audit Office found that 58 critical government IT systems independently assessed that year had significant gaps in cyber resilience, and that the government does not know how vulnerable at least 228 ‘legacy’ IT systems are to cyber attack. The threat also looms over the wider public sector, where terabytes upon terabytes of personal data are stored.
NHS
On 3rd June 2024, several NHS organisations, primarily based in South East London, were affected by a ransomware attack. Synnovis, a pathology partnership between SYNLAB, Guy’s and St Thomas’ NHS Foundation Trust and King’s College Hospitals NHS Trust, was hit by a ransomware cyber-attack that stole data and halted blood tests in South East London. Russian group Qilin later published almost 400GB of data stolen from Synnovis.
This cyberattack on the NHS was not the first and will not be the last. In 2017, the NHS was one of several victims of a global ransomware attack known as ‘WannaCry’, which targeted computers running Windows by spreading a self-replicating worm that encrypted data and demanded ransom payments in Bitcoin. The attack disrupted over a third of England’s NHS trusts, cancelled over 6,900 NHS appointments, and cost the NHS around £92 million.
Critically, WannaCry’s effect on the NHS also had political implications. Many NHS trusts were using computers running Windows XP, an operating system first released in 2001 that Microsoft stopped supporting in 2014, and for which the government had stopped paying for a cybersecurity support package in 2015. This prompted a Guardian article in 2017 entitled: ‘The ransomware attack is all about the insufficient funding of the NHS.’ Then-health secretary Jeremy Hunt was accused of failing to act on a critical note from Microsoft, the National Cyber Security Centre and the National Crime Agency that might have helped prevent the attack.
Following the attack, NHS Digital refused to foot the £1 billion bill to meet the Cyber Essentials Plus standard, a certification that shows an organisation has cybersecurity protection in place. The WannaCry ransomware attack revealed critical holes in the NHS’s cybersecurity and underlined the need for adequate government investment in cyber protection.
Ransomware attacks are a particularly onerous threat for the public sector, because of the large swathes of data hackers are able to get their hands on and use as leverage for financial reward. Just last year, Leicester City Council was hit by a cyberattack in which the ransomware group responsible published 1.3 terabytes of data online and forced the council to shut down its IT systems and phone lines temporarily.
Security of Network and Information Systems Regulations
In 2018, the Security of Network and Information Systems Regulations (NIS Regulations) were introduced, providing legal measures to boost the overall level of security of the network and information systems of both digital and essential services. These regulations currently cover five sectors (transport, energy, drinking water, health and digital infrastructure) and some digital services such as online marketplaces, online search engines and cloud computing services. Twelve regulators are responsible for implementing them.
Alongside the Johnson Conservative government’s £2.6 billion 2022 National Cyber Strategy, two Post-Implementation Reviews, in 2020 and 2022, found that these regulations, although promoting positive change, were neither thorough nor extensive enough.
Following a 2022 consultation, several amendments to the NIS Regulations were recommended, including giving the government the power to amend the regulations in future to ensure they remain effective, and improving cyber incident reporting to regulators. These changes, along with several others, were implemented under the Sunak Conservative government. Starmer’s Bill, set to be introduced to Parliament this year, builds on the NIS Regulations.
Cyber Security and Resilience Bill
First announced as part of the King’s Speech last July, the Bill will modernise the NIS Regulations to keep pace with rising cybersecurity threats. The current NIS Regulations, inherited from EU law, have since been superseded in the EU and require an urgent update if the UK wishes to ensure its infrastructure and economy are not comparatively more vulnerable.
The Bill makes changes to the existing regulations, such as expanding their remit to protect more digital services and supply chains, which are an increasingly vulnerable entry point for would-be attackers. The Bill attempts to fill a gap in defences in order to prevent attacks on public health services like last year’s ransomware attack.
Additionally, the Bill would ensure that regulators are able to implement essential cyber safety measures, including a potential cost recovery mechanism to provide resources to regulators, and powers to investigate potential vulnerabilities before they escalate.
The Bill will also require organisations to report incidents, giving the government better data on cyber attacks, including cases where a company has been held to ransom. By expanding the type and nature of incidents that regulated entities must report, this is intended to improve understanding of the threats and provide early warning of potential attacks.
The importance of cybersecurity
The tighter measures are intended to defend the public sector from a rapidly shifting cyber landscape, in which cyber criminals continue to advance their technologies and improve the effectiveness of their strategies. Cyber attacks, or attempted cyber attacks, are rife, with the 2024 Cyber Security Breaches Survey revealing that half of the participating businesses reported some form of cybersecurity breach in the previous twelve months.
Cybersecurity, quite critically for the government, enables prosperity and growth by allowing businesses to expand and attract investment. In 2024, Howden found that cyber attacks had cost UK businesses £44 billion over the previous five years, with half of UK businesses (52 per cent) having experienced at least one cyber attack in that period.
Peter Kyle, Secretary of State for Science, Innovation and Technology, said: “At the core of our proposals is this government’s number one mission: economic growth. Growth is the only route to creating new jobs and putting more money in working people’s pockets. But there is no growth without stability. By securing the digital infrastructure upon which a growing number of our businesses depend, we can deliver the stability they need to innovate and invest.
“Every business I have spoken to has said the same thing: we need agile, pro-innovation regulation that is designed for the digital world we live in. Change has never been needed more.
“Together, we can grow our economy, rebuild our public services, and deliver a more secure, resilient and prosperous digital future for Britain.”