Pictfor

Baroness Neville-Rolfe, UK Tech APPG Treasurer, welcomed attendees and opened the roundtable discussion on cyber security and resilience. The event, sponsored by Nominet and the Institution of Engineering and Technology (IET), brought together parliamentarians, industry leaders, cyber security experts and regulators to discuss the practical implications of the forthcoming Cyber Security and Resilience Bill and the broader challenges facing the UK’s digital resilience agenda.

She highlighted several key themes for discussion, including the relationship between national cyber resilience and economic growth, the practical impact of the forthcoming Cyber Security and Resilience Bill, the implications for businesses and critical infrastructure, the costs facing SMEs in complying with new requirements, the resilience of data centres and energy infrastructure, the role of AI in cyber security, and the growing need for cyber skills across the UK economy.

Baroness Neville-Rolfe then introduced Baroness Lloyd, Minister for the Digital Economy, who outlined the Government’s approach to strengthening the UK’s cyber resilience. The Minister stressed the scale of the cyber threat facing the UK, noting that cyber attacks are estimated to cost the economy billions annually and can have significant financial impacts on individual businesses.

The Minister explained that the proposed Cyber Security and Resilience Bill seeks to modernise and expand the existing regulatory framework established in 2018. She noted that the Bill would broaden the scope of regulation to include data centres, managed service providers, and other key digital infrastructure providers. She also highlighted proposals to strengthen regulators’ powers and capacity, including changes to enforcement mechanisms and penalties for non-compliance.

The Minister emphasised that the Government intends to retain a sector-led regulatory approach, allowing existing regulators with expertise in their sectors to oversee cyber resilience, while ensuring greater consistency through guidance and strategic coordination led by the National Cyber Security Centre (NCSC).

She added that the Government is also engaging with businesses outside the formal regulatory perimeter to encourage improved cyber practices across the wider economy. Alongside this, support for SMEs is being delivered through guidance from the NCSC and regional cyber resilience centres.

On skills, the Minister discussed the expansion of the CyberFirst programme into a broader “TechFirst” initiative, designed to encourage greater participation in cyber and digital careers, particularly among young people and women. She stressed the importance of building cyber capability across the whole workforce, from early education through to professional retraining and postgraduate study.

Jon Ellison, Director for National Resilience at the National Cyber Security Centre, then addressed the roundtable. He described the increasingly complex cyber threat landscape, highlighting the evolving capabilities of nation states, state-aligned actors, hacktivist groups, and criminal ransomware organisations. He noted that attacks are becoming more sophisticated and increasingly capable of targeting critical infrastructure.

Jon stressed that despite the growing sophistication of cyber threats, many successful attacks still exploit weaknesses in fundamental cyber practices. He argued that strong authentication, effective patch management, monitoring, and basic cyber hygiene remain essential to improving resilience.

He explained that the Cyber Security and Resilience Bill is intended to strengthen baseline cyber security standards across critical sectors, improve incident reporting mechanisms, and address systemic risks across supply chains and managed service providers.

Dr Graham Herries, speaking on behalf of the Institution of Engineering and Technology (IET), welcomed the Bill and stressed the importance of professionalism, clarity, and future-proofing within the regulatory framework. Drawing on his experience in industry, he noted that cyber security must not only focus on prevention, but also on resilience and recovery planning. He argued that businesses must prepare for breaches as an inevitability rather than a possibility.

Dr Herries also stressed the importance of professional accreditation and continuous training for cyber professionals, warning that the UK continues to face a longstanding shortage of engineers and technical specialists with the required cyber skills. He highlighted that the skills gap remains particularly acute for women entering engineering and cyber careers.

He further argued that cyber resilience requires a whole-systems approach, noting the increasing interdependence between sectors such as energy, healthcare, transport and food systems.

Jordan Carter, Head of Public Affairs at Nominet, then provided a detailed perspective on the practical implementation of the Cyber Security and Resilience Bill, drawing on Nominet’s experience as a regulated Operator of Essential Services. He welcomed the Bill’s overall ambition to strengthen cyber resilience across the UK, while emphasising the importance of proportionate, clearly defined and non-duplicative regulation. He highlighted the need for clarity around reporting thresholds, Managed Service Provider definitions, and incident reporting requirements, particularly to ensure that regulators receive meaningful information without creating unnecessary burdens for industry.

Jordan also argued against duplication in cases where a business was regulated by more than one competent authority: “comply once, comply with all” was preferable for smaller organisations. He also expressed support for the information-sharing provisions being introduced through the Bill, which could help promote interoperability between regulators.

Viscount Camrose, Shadow Science, Innovation and Technology Spokesman in the House of Lords, questioned whether the key challenge facing cyber resilience was organisational negligence or a shortage of skilled professionals capable of implementing appropriate protections.

In response, the Minister stressed that cyber resilience must become a core governance issue for businesses rather than being treated solely as a technical function. She noted that strong board-level engagement and leadership are essential to identifying organisational risks and prioritising investment in resilience.

George Freeman MP highlighted the importance of maintaining agility within the UK’s cyber security framework. He warned against relying solely on legislation to address rapidly evolving technological threats and called for more dynamic regulatory approaches. He raised concerns around the security of sensitive UK data assets, including within the life sciences sector, and highlighted the growing importance of quantum technologies and quantum encryption. He suggested that the UK should consider establishing cyber and quantum “regulatory sandboxes” to support innovation and position the UK as a global leader in emerging cyber technologies.

Several contributors discussed the growing importance of cyber resilience for international confidence in the UK economy and financial system, particularly among overseas investors and sovereign wealth funds seeking secure jurisdictions for sensitive assets and operations.

David Reed MP, a member of the Shadow Defence Team, raised questions regarding the Government’s plans to reform the Computer Misuse Act and how these reforms would interact with the Cyber Security and Resilience Bill. He also highlighted the growing challenge posed by offensive cyber capabilities, noting that unlike traditional weapons systems, cyber tools are increasingly accessible and difficult to regulate. He questioned how the UK, alongside international partners, intends to respond to the rapid proliferation of offensive cyber capabilities globally.

The Minister confirmed that related reforms are being led by the Home Office and form part of wider national security considerations.

Discussion also focused heavily on the need for flexibility within the regulatory framework. The Minister, NCSC, and DSIT representatives stressed the importance of outcome-focused regulation rather than overly prescriptive compliance measures, arguing that organisations should be able to demonstrate resilience in ways appropriate to their operational context. Nominet expressed strong support for CAF-style frameworks, which had the added advantage of not providing adversaries with a checklist to undermine an organisation’s security.

Jon Ellison highlighted the NCSC’s support for cyber resilience testing facilities and adversary simulation schemes, designed to allow organisations to test technologies and resilience measures in realistic environments while supporting innovation and regulatory assurance.

Contributors also discussed the importance of “secure by design” principles. Jon Ellison explained that improving the inherent security of digital products and connected technologies would significantly reduce the cyber burden placed on organisations, particularly SMEs with limited resources and expertise.

Louise Speaight of PentenAmio highlighted the importance of supporting women returning to the workforce and those with transferable skills from other sectors, arguing that these groups represent an underutilised source of cyber talent.

Several attendees stressed the need to improve awareness and understanding of cyber threats among businesses and the wider public. Contributors noted that cyber resilience is fundamentally a behavioural challenge as much as a technical one and argued that businesses are more likely to invest appropriately when threats are communicated clearly and practically.

Maeve Walsh, Director of the Online Safety Act Network, suggested that the Bill should embed stronger “security by design” principles at its core, drawing lessons from the Online Safety Act and broader technology regulation.

In concluding remarks, Baroness Neville-Rolfe reflected on several key themes emerging from the discussion, including the importance of skills development, flexibility within the regulatory framework, avoiding duplication across regulators, and embedding security into products and systems from the outset. She noted the strong cross-sector support for the Government’s efforts to improve cyber resilience and emphasised the importance of maintaining the UK’s position as a global leader in cyber security innovation and services.

The roundtable concluded with thanks to the Minister, speakers, and attendees for their contributions to the discussion.

If you would like further information on this topic or about PICTFOR’s programme of events, please get in touch!
