UK Government Shields Itself from Landmark Cyber Resilience Law Despite Rising Public Sector Attacks
#Cybersecurity

Privacy Reporter

The UK's Cyber Security and Resilience Bill excludes central and local government from mandatory security requirements despite 40% of national cyberattacks targeting public bodies, relying instead on voluntary standards that critics warn lack enforcement teeth.

Cyberattacks against UK public institutions have escalated from high-profile breaches at the Legal Aid Agency and Foreign Office to systemic threats, with the National Cyber Security Centre confirming that 40% of the incidents it managed between 2020 and 2021 targeted the public sector. Yet in a controversial move, the government has exempted itself from the very legislation designed to fortify national defenses—the Cyber Security and Resilience (CSR) Bill currently progressing through Parliament.

The CSR Bill, introduced as an overhaul of the outdated Network and Information Systems (NIS) Regulations 2018, expands obligations to managed service providers and data centers, aligning partially with the EU's NIS2 Directive. Crucially, however, unlike the EU framework, it excludes all public authorities from its scope. During parliamentary debates, former Digital Secretary Sir Oliver Dowden warned that excluding government bodies removes the legal pressure to prioritize cybersecurity: "Legislative requirements force ministers to think about it... without this, it slips further down ministers' in-trays as more immediate problems distract them."

In response, Minister Ian Murray pointed to the newly launched Government Cyber Action Plan, promising "equivalent standards" to the CSR Bill without binding legal obligations. This voluntary approach has drawn sharp criticism from legal experts and digital rights advocates. Neil Brown, director at decoded.legal, stated: "If the government will be compliant with the standards anyway, inclusion in the bill poses no risk. Their reluctance suggests they aren't confident about meeting those standards consistently."

The exemption carries significant implications:

  1. Accountability Gap: Public sector entities face no fines under the CSR Bill's penalty regime—which imposes £100,000 daily fines on non-compliant critical infrastructure providers—despite handling citizens' most sensitive health, legal, and financial data.

  2. Compliance Double Standard: While private MSPs must implement risk assessments, incident reporting, and security audits under threat of financial penalties, equivalent measures for government remain optional and unenforceable.

  3. Systemic Vulnerabilities: A January 2025 National Audit Office review found security flaws in 58 of 72 critical government systems, with slow remediation rates. Voluntary standards historically fail to drive urgent reform in such environments.

  4. Regulatory Fragmentation: Proposals for future public-sector-specific legislation remain speculative. As Brown notes, "Smaller targeted bills can be effective," pointing to telecom security laws, but delays risk leaving vulnerabilities unaddressed during legislative limbo.

The government's stance contradicts its own threat assessments while creating a two-tiered system where citizen data held by the state receives weaker protection than commercially held information. This exemption not only invites continued cyber targeting but erodes public trust in digital governance—a critical liability when 89% of UK citizens express concern about public sector data security in YouGov surveys. With cyberattacks on the rise, the government's self-exemption may prove a costly gamble with national resilience.