TL;DR
The UK’s Cyber Security and Resilience (CSR) Bill excludes central and local government from its legal scope, with ministers saying a non‑statutory Cyber Action Plan will apply the same standards. Critics and auditors say removing legal obligations for the public sector undermines accountability amid repeated breaches and documented security failings.
What happened
The government’s CSR Bill, introduced as an update to the 2018 NIS framework, excludes public authorities including central and local government from its statutory requirements. Ministers have responded to concerns by pointing to a new Government Cyber Action Plan launched just hours before the bill’s second reading, which they say will hold departments to comparable standards but without the force of law. The bill does widen obligations for some private-sector actors, bringing managed service providers and datacentres into scope, and includes a mechanism for future legislative amendments. Opposition and industry figures pushed back in Parliament, arguing that without mandatory duties the public sector could deprioritise cybersecurity. Recent oversight reports add weight to those concerns: the NCSC has recorded a large share of attacks on the public sector, and a National Audit Office review found widespread flaws across the government’s most critical systems and slow remediation of those issues.
Why it matters
- Public-sector organisations have been a frequent target of cyberattacks, increasing the risk to public services and citizen data.
- Removing government from the bill means departments would face guidance rather than legally enforceable standards.
- Non‑binding plans can be deprioritised by ministers, reducing accountability compared with statutory obligations.
- Independent audits have already flagged extensive security weaknesses and slow fixes in critical government systems.
Key facts
- The CSR Bill is intended to refresh the UK’s NIS 2018 rules and parallels aspects of the EU’s NIS2 but excludes public authorities from its scope.
- Ministers say the Government Cyber Action Plan will hold departments to equivalent standards, but that plan is not a statutory obligation.
- The bill proposes bringing managed service providers and datacentres into regulatory scope.
- Sir Oliver Dowden and other MPs urged reconsidering the exclusion of central government during Commons debate.
- Ian Murray, a minister of state, acknowledged those concerns and directed attention to the Cyber Action Plan.
- The NCSC reported that 40% of the attacks it handled between September 2020 and August 2021 targeted the public sector.
- The National Audit Office reviewed 58 of the 72 most critical government systems and reported numerous security flaws and slow remediation.
- The bill includes a power to introduce further legislative amendments to respond to a changing cyber landscape.
What to watch next
- Whether ministers will amend the CSR Bill to bring central and local government into statutory scope — not confirmed in the source
- If or when the Government Cyber Action Plan will be converted into binding legal requirements — not confirmed in the source
- The emergence of any separate, targeted public‑sector cybersecurity legislation later in this Parliament — not confirmed in the source
Quick glossary
- CSR Bill: The UK Cyber Security and Resilience Bill proposed to update existing network and information security rules and set new obligations for selected organisations.
- NIS 2018: An earlier UK transposition of EU rules on the security of network and information systems, establishing baseline cybersecurity requirements.
- NIS2: An EU directive that broadened the scope and tightened rules for cybersecurity across member states; often used as a comparison point for national reforms.
- National Audit Office (NAO): An independent public body that audits government departments and reports on the efficiency and effectiveness of public spending and systems.
- Managed service provider (MSP): A third-party company that manages IT services for other organisations, increasingly subject to cybersecurity regulation due to supply-chain risk.
Reader FAQ
Does the CSR Bill exclude central and local government?
Yes. The CSR Bill does not place statutory obligations on public authorities, including central and local government, according to the reporting.
Will government departments face the same standards anyway?
Ministers say the Government Cyber Action Plan will hold departments to equivalent standards, but that plan is not a legal obligation.
Has the government’s cyber security been independently criticised?
Yes. The National Audit Office found multiple security flaws across many of the government’s most critical systems and noted slow progress on fixes.
Will the public sector be added to the bill later?
Not confirmed in the source.

Source article: "UK government exempting itself from flagship cyber law inspires little confidence" (Ministers promise equivalent standards, just without the legal obligation), analysis by Connor Jones, Sat 10 Jan 2026, 09:29 UTC.
Sources
- UK government exempting itself from cyber law inspires little confidence
- UK government admits years of cyber policy have failed …
- X pulls Grok images after UK ban threat over undress tool