Cyber Resilience – What Does It Entail?

The Cyber Security and Resilience Bill
Following the fallout last year, from the CloudStrike sensor failure that led to significant outages worldwide, we wrote a piece questioning whether we are truly addressing Cyber challenges. Subsequently, the UK introduced The Cyber Security and Resilience Bill, which was debated in Parliament in 2025. This legislation seeks to enhance the UK’s cyber defences and bolster resilience across essential services, infrastructure, and digital offerings. It will revise current cyber security regulations, including the NIS Regulations, and broaden the scope of protected digital services and supply chains.
The primary goal of this bill is to safeguard the UK’s digital economy, positioning it as one of the most secure in the world while protecting services, supply chains, and citizens. Additionally, it aims to enhance our cyber resilience and stimulate growth and prosperity. With an expanded scope, it encompasses a wider array of essential digital services beyond those currently covered by the NIS regulations and builds upon them. The bill includes mandatory reporting requirements and emphasises the UK’s Critical National Infrastructure (CNI).
Ministerial Policy Statement
You can read more about it here: https://www.gov.uk/government/publications/cyber-security-and-resilience-bill-policy-statement/cyber-security-and-resilience-bill-policy-statement.
Relationship with EU Regulations
Although the UK’s Cyber Security and Resilience Bill is tailored for the UK, it draws inspiration from the EU’s Cyber Resilience Act (CRA) and the NIS2 Directive. The CRA emphasises cybersecurity for products with digital elements, whereas the UK’s legislation focuses on fostering overall resilience within its digital ecosystem. Furthermore, it aims to align with principles found in the NIS2 Directive adopted by the EU in 2024.
How will SMEs navigate this?
In the cybersecurity sector, there has long been a divide between product vendors and those of us focused on services. After three decades in this industry, I’ve repeatedly observed that product sales often prevail. Why? Because selling services is more challenging with a longer sales cycle compared to quicker product sales. People prefer to see a quick if not immediate return, on their investment; they like tangible products doing their job even if they don’t fully grasp how they function or whether they’re suited for their needs.
Risk Management
A risk managed approach remains vital. This principle hasn’t changed over my 30 years in the field. However, this bill makes it even more critical due to potential penalties for non-compliance. The focus should be on People, Process, and then Technology. I often reference Bruce Schneier, a Harvard scientist and thought leader in cybersecurity. He states, “If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.” Essentially, understanding your risks begins with identifying your cyber assets, not just hardware or software but your data and your ability to maintain system access for staff and customers when needed.
Once you recognise your assets, you must identify potential threats to them and assess how vulnerable you are to those threats. Threats combined with vulnerabilities equal risk, the risk to your business if things go awry.

Having completed this assessment you can assign a risk score to each asset aiming to manage that risk down to an acceptable level, known as risk appetite. This will vary from business to business or even asset to asset; for instance, you wouldn’t assign the same risk level to a revenue-generating system as you would to an admin-only system lacking personal data.

This may sound daunting and costly; hence many businesses avoid it or only partially implement it. However, without a comprehensive assessment, it’s challenging to ensure that you are allocating your limited budget toward appropriate protections in key areas. You need to determine potential damage from failures and explore ways to mitigate that damage. While consulting a lawyer after a crisis is one option, wouldn’t it be wiser to prevent or reduce issues before they escalate?
Recent Comments