TL;DR
The UK’s Cyber Security and Resilience (CSR) Bill excludes central and local government from its legal scope, with ministers saying a separate Cyber Action Plan will hold departments to equivalent standards without statutory force. Critics and some MPs warn that removing legal obligations for the public sector risks weak accountability amid frequent cyber incidents and documented security shortcomings.
What happened
The government’s flagship Cyber Security and Resilience (CSR) Bill, announced early in the new administration, proposes updates to the UK’s ageing NIS 2018 framework and brings entities such as managed service providers and datacentres into scope. However, the draft excludes central and local government from the law’s coverage. Ministers have said a newly published Government Cyber Action Plan will require equivalent security standards of public bodies, but it will not impose legal obligations. Opposition figures and security lawyers expressed concern in the House of Commons that, without statutory duties, ministers may deprioritise cybersecurity. Lawmakers pointed to a consistent pattern of attacks against public organisations (the National Cyber Security Centre reported that roughly 40% of the incidents it handled over a 12-month period targeted the public sector) and to a National Audit Office review noting widespread flaws and slow remediation across many critical government systems. Debate continues about whether the public sector should be brought into the CSR bill or addressed through separate legislation.
Why it matters
- Public-sector organisations have been a frequent target of cyber incidents, raising the stakes for government resilience.
- Non-statutory commitments make it harder to hold ministers and departments accountable if security lapses continue.
- An independent audit found widespread flaws in critical government systems and slow fixes, suggesting systemic risk.
- Differences between the CSR bill and international regulatory models (such as the EU’s NIS2) could affect consistency of protections.
Key facts
- The CSR bill aims to update the NIS 2018 framework and bring managed service providers and datacentres into scope.
- Central and local government are excluded from the CSR bill’s legal scope.
- Ministers launched a Government Cyber Action Plan that they say will hold departments to equivalent standards without creating legal obligations.
- The National Cyber Security Centre reported that around 40% of attacks it handled between Sept 2020 and Aug 2021 targeted the public sector.
- The National Audit Office reviewed 58 of 72 critical systems and reported numerous security flaws and slow remediation.
- Former digital secretary Sir Oliver Dowden and other MPs urged that the public sector be reconsidered for inclusion in the bill.
- Legal practitioners warned that promising equivalent standards without statutory duties does not inspire confidence.
- Officials included a mechanism in the bill to introduce further legislative amendments to respond to evolving cyber threats.
What to watch next
- Whether ministers will revise the CSR bill to bring central and local government into its legal scope — not confirmed in the source.
- How the Government Cyber Action Plan will be implemented in practice and whether it will match the effectiveness of statutory requirements — not confirmed in the source.
- Any future, targeted public-sector cybersecurity legislation that follows the CSR bill and its expected timing — not confirmed in the source.
Quick glossary
- CSR Bill: The UK Cyber Security and Resilience Bill proposed to refresh post-2018 cybersecurity rules and extend obligations to certain private-sector entities.
- NIS2: An EU-level update to network and information security rules that broadens the scope of organisations subject to cybersecurity obligations.
- Managed Service Provider (MSP): A third-party company that remotely manages a customer's IT infrastructure and/or end-user systems.
- National Cyber Security Centre (NCSC): The UK authority responsible for providing cyber advice and handling major incidents.
- National Audit Office (NAO): An independent public body that audits central government departments and reports on the state of public finances and systems.
Reader FAQ
Why has the government excluded central and local government from the CSR bill?
Not confirmed in the source.
Will the Cyber Action Plan legally bind departments to the same standards as the CSR bill?
Ministers say the plan will hold departments to equivalent standards, but it will not impose legal obligations.
Are government systems known to have security problems?
Yes. The National Audit Office reviewed the majority of the 72 most critical government systems and reported multiple security flaws and slow remediation.
Could the public sector be covered by separate legislation instead?
Some MPs and legal experts suggested targeted future laws for the public sector are possible, but timing and scope are not confirmed in the source.

Source article (CYBER-CRIME, ANALYSIS): UK government exempting itself from flagship cyber law inspires little confidence. Ministers promise equivalent standards, just without the legal obligation. Connor Jones, Sat 10 Jan 2026, 09:29 UTC. From May's cyberattack…
Sources
- UK government exempting itself from flagship cyber law inspires little confidence
- UK government admits years of cyber policy have failed …
- Cyber Security and Resilience (Network and Informatio
- Who's at stake? The (non)performativity of “stakeholders” in …