The UK Cyber Security and Resilience Bill places direct accountability for cyber risk on boards and senior executives — not just IT teams. Organisations that treat this as a technology compliance exercise will be exposed; those that treat it as a governance imperative will be positioned to pass scrutiny and avoid penalties of up to £17 million or 4% of global turnover.
For UK CEOs, CFOs, NEDs, and board members at mid-to-large organisations, the central question is no longer whether your organisation has a CISO. It is whether your board can demonstrate active, documented oversight of cyber risk as a material business risk — and whether your governance framework would survive regulatory examination.
What Does the Bill Actually Require of UK Boards?
The Cyber Security and Resilience (Network and Information Systems) Bill, currently progressing through Parliament, updates and extends the original NIS Regulations 2018. Its central shift is structural: cyber security is reframed from a technical obligation to a boardroom governance matter. The Cyber Governance Code of Practice, published by the Department for Science, Innovation and Technology (DSIT) in April 2025, had already clarified expectations ahead of primary legislation — and boards should be operating against it now.
Under the Bill, boards and senior leaders face three core obligations. First, active oversight: directors must demonstrate they are governing cyber risk, not just receiving reports about it. Second, resource allocation: the board must ensure that adequate investment, people, and processes are in place to deliver resilience. Third, incident accountability: in the event of a significant breach, regulators will examine what the board knew, when it knew it, and what action it took.
According to the House of Commons Library research briefing on the Bill, the scope of organisations covered is also expanding — moving beyond essential services and digital infrastructure to include a broader set of supply chain and managed service providers. Boards with complex third-party ecosystems should treat supplier cyber risk as in-scope, not a delegated concern.
Executive Action:
- Commission a board-level review of your current cyber governance framework against the DSIT Cyber Governance Code of Practice before secondary legislation sets formal thresholds.
- Ensure your board agenda includes a standing cyber risk item — not just an annual briefing — with clear metrics reported by your CISO or equivalent.
- Map your material third-party suppliers and confirm that cyber resilience requirements are embedded in contracts and reviewed regularly.
Why Are Boards Being Held Accountable — and Not Just Technical Teams?
The regulatory shift reflects a decade of evidence that technical controls alone do not prevent significant breaches. The incidents that cause the most damage — the MOD payroll contractor breach, the ransomware attack on the British Library, the NHS Synnovis disruption — share a common thread: governance failures upstream of the technical failure. Boards either lacked visibility, failed to allocate resources to known risks, or did not have clear incident escalation protocols in place.
Internationally, the direction of travel is consistent. The EU’s DORA regulation (Digital Operational Resilience Act), which took effect in January 2025, places direct accountability on management bodies of EU financial services firms for ICT risk. The SEC’s cybersecurity disclosure rules in the US have required public companies to disclose material cyber incidents within four business days since 2023. The UK Cyber Security and Resilience Bill follows this trajectory — with the expectation that board accountability should be the norm, not the exception.
Research from the UK government’s Cyber Security Breaches Survey 2025 found that only 30% of UK businesses have a formal cyber security strategy, and fewer than one in five boards receive regular cyber risk reporting. These figures illustrate how significant the governance gap remains — and why the incoming legislation treats board accountability as a structural necessity rather than an aspirational standard.
Executive Action:
- Review board minutes from the last 12 months: could you demonstrate to a regulator that cyber risk received appropriate strategic attention? If not, establish that record now.
- Consider whether your board composition includes sufficient technical literacy — not to replace specialist advice, but to ask the right questions of it. This is an increasingly material factor in NED appointments.
- Benchmark your current cyber governance posture against ISO 27001 and the NCSC Cyber Assessment Framework, both of which will inform regulatory expectations under the Bill.
How Should Executive Teams Prepare Before the Bill Becomes Law?
Secondary legislation defining sector thresholds, specific obligations, and enforcement timelines is expected from mid-2026, with phased implementation running into 2027. This creates a narrow window for organisations to build governance capability rather than scramble to demonstrate it under regulatory scrutiny.
The organisations that will navigate this well are those that treat readiness as a governance project owned at executive level — not a compliance exercise delegated to IT or legal. That means the CFO needs to understand the financial risk model for a significant cyber incident, including the potential penalty scale (up to £17 million or 4% of global turnover, aligned with UK GDPR-style enforcement). The CEO needs to own the incident response framework and have tested it. The General Counsel needs to ensure that regulatory disclosure obligations — including the Bill’s likely incident reporting requirements — are built into response protocols.
INFORMD has been tracking the Cyber Security and Resilience Bill’s progress through Parliament as a priority governance development for UK senior executives. The combination of expanded scope, meaningful penalties, and explicit board accountability makes this one of the most significant pieces of legislation affecting UK boardrooms in the current Parliament. Boards that treat it as a technology upgrade project will be caught out. Those that treat it as a governance imperative will be prepared.
Executive Action:
- Task your Company Secretary or General Counsel with producing a gap analysis between current practice and the Cyber Governance Code of Practice — this should be a board agenda item within the next 60 days.
- Run a tabletop incident response exercise at board level in the next quarter. Regulators will expect evidence that the board has tested its response, not just approved a policy document.
- Engage your D&O (Directors’ and Officers’) insurance broker now to understand how the Bill’s expanded liability provisions may affect your coverage and renewal terms.
What Does the Bill Mean for CISOs and Their Relationship With the Board?
For Chief Information Security Officers, the Bill creates an opportunity that many have long sought: board-level visibility and a structural mandate for their function. But as the cybersecurity community is increasingly recognising, simply being in the boardroom is not the same as being understood. CISOs who communicate in technical language rather than risk language — who talk about vulnerabilities rather than business exposure — will continue to find themselves marginalised in strategic discussions.
The CISO’s most important capability shift in 2026 is translating cyber risk into the language of financial exposure, regulatory liability, and strategic continuity. Boards respond to material risk quantification, not threat actor taxonomies. CISOs who can model the financial impact of a plausible incident scenario — drawing on frameworks like FAIR (Factor Analysis of Information Risk) — will command the board-level engagement that the new legislation requires both sides to demonstrate.
Executive Action:
- If your CISO does not currently attend board meetings, establish a quarterly direct briefing format with a defined template: top risks, residual exposure, resource requirements, and key decisions needed from the board.
- Work with your CISO to produce a cyber risk quantification model — even a high-level financial exposure estimate for two or three plausible incident scenarios — to anchor board-level risk discussions in commercial reality.
INFORMD provides intelligence briefings for senior business leaders across technology, finance, strategy, and compliance. Based in Milton Keynes, UK, we help executives stay informed and act with confidence. Explore our full library of executive briefings or speak to our team.
Stay ahead. Subscribe to INFORMD’s executive briefing at informd.co.uk/services.
Frequently Asked Questions
When will the UK Cyber Security and Resilience Bill become law?
The Bill is currently progressing through Parliament, and secondary legislation defining sector thresholds and specific obligations is expected from mid-2026. Phased implementation is likely across 2026 and 2027. Boards should not wait for Royal Assent to begin preparing — the DSIT Cyber Governance Code of Practice already sets the standard against which governance will be judged.
What are the penalties for non-compliance with the Cyber Security and Resilience Bill?
Proposed penalties align with the UK GDPR enforcement model: fines of up to £17 million or 4% of global annual turnover (whichever is higher), alongside the ability for regulators to recover investigation costs. The enforcement regime is expected to be risk-based and proportionate, but significant incidents that expose governance failures are likely to attract meaningful regulatory attention.
Does the Cyber Security and Resilience Bill apply to all UK businesses?
Initially, the Bill expands the scope of the existing NIS Regulations, which cover operators of essential services and relevant digital service providers. Secondary legislation will define thresholds — but the scope is expected to be broader than the current NIS framework, with managed service providers and supply chain organisations explicitly included. Organisations outside the formal scope should still note that major customers and regulated counterparties will increasingly require evidence of cyber governance capability.
How does the UK Cyber Security and Resilience Bill compare to DORA and EU requirements?
The EU’s Digital Operational Resilience Act (DORA), which took effect in January 2025, imposes prescriptive ICT risk management and testing obligations on EU financial services entities, with direct management body accountability. The UK Bill follows a similar governance philosophy — board accountability, incident reporting, and resilience testing — but is designed for the UK’s broader economy rather than financial services specifically. UK financial services firms subject to DORA via their EU operations should treat the two frameworks as complementary, not duplicative.