Here’s a startling fact: the UK government has exempted itself from its own flagship cyber law, the Cyber Security and Resilience (CSR) Bill. But why would the very entity responsible for national security exclude itself from such critical legislation? This move raises serious questions about accountability and commitment to safeguarding the nation’s digital infrastructure. Let’s dive deeper into this controversial decision and explore what it means for the future of UK cybersecurity.
From the high-profile cyberattack on the Legal Aid Agency in May 2025 to the Foreign Office breach later that year, the UK government has been no stranger to cyber incidents. But here’s where it gets even more concerning: the National Cyber Security Centre (NCSC) reports that 40% of cyberattacks it managed between September 2020 and August 2021 targeted the public sector—a figure expected to rise. Given this alarming trend, why does the CSR Bill exclude both central and local government from its scope?
This exclusion hasn’t gone unnoticed. Sir Oliver Dowden, former digital secretary and current shadow deputy PM, recently urged Labour in the House of Commons to rethink this stance. He argued that the public sector should face more stringent cybersecurity requirements to ensure ministers prioritize this critical issue. And this is the part most people miss: Dowden pointed out that cybersecurity often takes a backseat in government priorities, and legislative requirements are essential to keep it front and center.
The CSR Bill, announced shortly after Sir Keir Starmer became Prime Minister, aims to modernize the UK’s outdated Network and Information Systems (NIS) Regulations 2018. It proposes to bring managed service providers and datacenters, among other entities, into scope, but notably leaves out public authorities. This contrasts sharply with the EU’s NIS2 directive, which does cover public bodies. Is the UK government playing catch-up, or is this a deliberate oversight?
In response to criticism, the government launched the Cyber Action Plan, which promises to hold departments to similar security standards as the CSR Bill—but without legal obligations. Is this a genuine effort to improve security, or a PR move to silence critics? Cynics argue it’s the latter, as it lacks the teeth of enforceable legislation.
Neil Brown, director at British law firm decoded.legal, sums it up: “If the government is going to hold itself to standards equivalent to those set out in the bill, then it has nothing to fear from being included.” Yet, the government’s reluctance to do so raises doubts about its commitment. Labour MP Matt Western suggests the CSR Bill is just the first step in a series of bespoke legislation, but is this wishful thinking, or a realistic roadmap?
The National Audit Office’s 2025 report paints a grim picture of the UK government’s cybersecurity posture. Auditors reviewed 58 critical systems and found widespread vulnerabilities and slow progress in addressing them. How can the government credibly protect citizens when its own systems are so vulnerable? Each cyberattack on a public sector entity further undermines trust and gives the opposition ammunition to question the government’s priorities.
The Conservatives’ failure to implement cybersecurity recommendations from their 2022 consultation adds another layer of skepticism. Even with the Cyber Action Plan, excluding the public sector from the CSR Bill sends a troubling message. Is the government serious about cybersecurity, or is it merely paying lip service?
Here’s a thought-provoking question for you: If the UK government truly wants to lead by example, why not include itself in the very legislation it’s championing? Share your thoughts in the comments—do you think this exclusion is a strategic oversight, or a deliberate move to avoid accountability? The debate is far from over.