The Cyber Security and Resilience Bill, introduced to Parliament in November 2025 and currently undergoing its second reading in the House of Commons, represents a significant modernization of the United Kingdom's cybersecurity framework.
However, a notable and controversial gap in its scope has prompted intensifying debate among lawmakers, industry experts, and security professionals: the deliberate exclusion of both central and local government from mandatory provisions despite their acknowledged status as prime targets for sophisticated cyberattacks.
The Current Threat Landscape
The threat facing the UK public sector is neither theoretical nor marginal. Between September 2020 and August 2021, the National Cyber Security Centre (NCSC) reported that approximately 40 percent of the cyber incidents it managed because of their potential severity were directed at public sector organisations.
This figure is expected to grow as threat actors increasingly recognise the strategic value of disrupting government services and the critical infrastructure they depend upon.
Recent incidents underscore this vulnerability. In May 2025, the Legal Aid Agency fell victim to a cyberattack, followed by a Foreign Office breach months later. In November 2025, a coordinated ransomware attack struck three London councils—the Royal Borough of Kensington and Chelsea, Westminster City Council, and Hammersmith and Fulham Council—causing immediate disruption to telephone systems, online services, and public-facing platforms.
By early January 2026, investigations confirmed that hundreds of thousands of residents' personal details had been stolen. The Synnovis pathology service attack in 2024, which halted blood testing and forced cancellations of surgeries across London, resulted in patient deaths and severe harm, demonstrating the direct human cost of gaps in public sector cybersecurity.
The National Audit Office's January 2025 report found that of 58 critical government IT systems independently assessed in 2024, multiple fundamental security controls—including asset management, protective monitoring, and incident response planning—operated at low levels of maturity across departments.
Additionally, at least 228 legacy IT systems remain in use by government departments, with the government acknowledging it does not know how vulnerable these systems are to cyberattack. The report concluded that "the cyber threat to UK government is severe and advancing quickly" and that "government must act now to protect its own operations and key public services."
The Bill's Scope and Government Justification
The Cyber Security and Resilience Bill significantly expands the scope of cybersecurity regulation compared to its 2018 predecessor, bringing managed service providers, data centres, and a broader range of essential and digital service providers into scope for the first time.
The legislation imposes stringent requirements on these entities, including 24-hour early alerts for cyber incidents and comprehensive reporting within 72 hours, with penalties reaching £17 million or 10 percent of daily turnover.
Yet central government, local authorities, and the wider public sector remain explicitly excluded from these mandatory provisions. The government's justification is that departments will be held to standards equivalent to those in the bill through the Government Cyber Action Plan, a £210 million initiative launched alongside the bill in January 2026.
Under this plan, a new Government Cyber Unit will coordinate risk management and incident response across departments and the wider public sector, with clear targets and standards to be established by April 2027.
Arguments in Favour of Public Sector Coverage
The case for including government in the bill rests on several foundations. First, the comparison with the European Union's NIS2 Directive is instructive. The NIS2 Directive, which became enforceable across the EU in October 2024, explicitly designates public administration as an essential entity sector, requiring government organisations to implement enhanced security measures, conduct regular risk assessments, and report serious incidents.
This approach reflects a recognition that government services are not merely business operations but critical infrastructure upon which citizens depend for access to benefits, taxation, healthcare, and essential services.
Second, the principle of accountability argues strongly for legislative inclusion. As Neil Brown, director at British law firm decoded.legal, observed: "If the government is going to hold itself to standards equivalent to those set out in the bill, then it has nothing to fear from being included in the bill since, by definition, it will be compliant." The argument that legislation will be unnecessary if standards are already being met appears circular and strategically hollow.
Sir Oliver Dowden, former digital secretary and current shadow deputy PM, articulated this during parliamentary debate: "The advantage of legislative requirements is that they force Ministers to think about it. I do think that more pressure needs to be brought to bear on ministers in terms of their accountability for cybersecurity."
The political reality of prioritisation provides additional weight to this argument. Government priorities shift rapidly; cybersecurity, while frequently discussed in ministerial statements, is subject to displacement by more pressing immediate concerns. A legal obligation embedded in primary legislation creates a durable enforcement mechanism that voluntary commitments cannot replicate.
Without legislative teeth, the Cyber Action Plan remains vulnerable to gradual deprioritisation and underfunding as budgetary pressures mount—a pattern exemplified by the previous Conservative Government's failure to implement cybersecurity recommendations from its own 2022 consultation despite having more than two years to do so.
Third, the practical vulnerability of critical national systems demands comprehensive regulation. The British Library's October 2023 ransomware attack, attributed to the Rhysida gang, caused catastrophic service disruption whose effects are still ongoing. The library has spent £600,000 on recovery and expects to spend considerably more.
Multiple NHS trusts have experienced service interruptions following supply chain compromises. The pattern is clear: failures in one organisation create cascading impacts across the wider ecosystem. When the government remains outside the regulatory framework governing critical service providers, a significant vector for attack and exploitation persists.
Fourth, public sector organisations hold vast volumes of sensitive citizen data—tax records, health information, welfare details, and personal identifiers. The Kensington and Chelsea incident alone affected hundreds of thousands of residents.
Cybersecurity regulation for entities holding such data should operate consistently regardless of public or private ownership. The data protection imperative is non-negotiable.
Arguments Against Legislative Inclusion
The government and some analysts argue that separate, tailored legislation may be more appropriate than incorporating government into the CSR Bill. Labour MP Matt Western suggested that the CSR Bill represents the first of many pieces of bespoke legislation the government will pass to improve national security, implying that public sector-specific legislation may follow.
The rationale centres on the principle that security requirements often differ between organisational types and sectors; separate legislation specifically designed for government structures and responsibilities might be more effective than a one-size-fits-all approach.
Additionally, some legal experts contend that smaller, targeted bills iterating as needed may be preferable to large, comprehensive legislation reflecting multiple interests and compromises—as evidenced by the Online Safety Act 2023.
This approach potentially allows more agile legislative responses to rapidly evolving threats without the delays inherent to comprehensive legislative overhauls.
The Risk of Regulatory Abstinence
However, the case against legislative inclusion rests primarily on procedural arguments rather than substantive security rationale. The government has not articulated a security-based reason why central government, local authorities, and NHS trusts should not be subject to the same legal obligations as private companies running parallel critical services.
If anything, the gap creates perverse incentives: regulated private sector providers may argue for lighter touch enforcement given that their government counterparts operate without legal obligations whatsoever.
The government's £210 million Cyber Action Plan is welcome but remains vulnerable to the very problem it was designed to address.
As the National Audit Office found, accountability structures have "failed to achieve the right level of resilience." Voluntary frameworks, however well-funded, cannot compel political will across departments with competing priorities or generate the urgency that legal enforcement mechanisms create.
Moreover, the government's approach of iterating with future legislation creates unnecessary delay. Each cyber incident affecting a council, NHS trust, or government department will prompt renewed parliamentary scrutiny and accusations that the government is exempting itself from standards it imposes on others.
Rather than providing certainty and clarity, the current approach generates ongoing controversy and offers opposition parties repeated opportunities to question the government's cybersecurity commitment.
International Precedent and Best Practice
The international regulatory landscape provides guidance. The United States, through the Federal Information Security Management Act (FISMA), mandates that federal agencies develop, document, and implement information security programmes according to defined standards.
This reflects a recognition that government agencies operate critical infrastructure and therefore require the same regulatory oversight as private operators of essential services.
The EU's approach through NIS2 is more direct: public administration bodies are classified as essential entities and subject to identical requirements as other critical sectors.
Member states have not established separate frameworks for government—the directive applies uniformly. This consistency reduces regulatory complexity and eliminates arguments that public bodies operate to different standards.
A Path Forward
The question of whether the UK cyber resilience bill should cover the public sector ultimately rests on a straightforward proposition: if cybersecurity is critical to national resilience and public safety, then legal obligations should apply uniformly across all organisations managing critical functions and sensitive data, regardless of public or private ownership.
The government's articulation of "equivalent standards" without legal obligation creates a substantively weaker position than legislative inclusion would provide. The pattern of cyber incidents affecting public sector organisations demonstrates that voluntary frameworks have not prevented compromises causing direct harm to citizens and disruption to essential services.
The National Audit Office's finding that government accountability structures have failed suggests that incremental improvements in governance alone will not suffice.
The Cyber Action Plan can exist alongside, rather than instead of, legislative inclusion. There is no inherent conflict between government-specific operational standards and subjection to the CSR Bill's mandatory requirements.
Conversely, waiting for separate legislation creates a window of regulatory uncertainty in which public sector vulnerabilities remain unaddressed by binding legal obligations.
As cyber threats accelerate and government digitisation proceeds, the coherence and completeness of the regulatory framework will increasingly matter. A flagship cybersecurity bill that exempts the organisation ultimately responsible for critical national infrastructure appears incomplete and strategically inconsistent.
The cumulative weight of evidence—from threat assessments to incident history to international precedent—suggests that legislative inclusion would strengthen the bill's effectiveness and affirm the government's genuine commitment to the cybersecurity transformation it has publicly committed to deliver.