In May, King Charles outlined 37 bills that put digital infrastructure, cybersecurity and trust in public digital services at the centre of the UK’s plans. The raft of new bills has been designed to strengthen the UK’s defence against cyber threats as attacks such as the Jaguar Land Rover incident – believed to have cost an estimated £1.9 billion – continue to have an impact on the economy.
The key proposal was the introduction of the Cyber Security and Resilience Bill, which has been in the making for a year. This was presented alongside a new National Security (State Threats) Bill, introducing legislation to tackle the growing threat from nation state entities and their proxies.
The speech made it clear that cybersecurity is a significant issue on the UK national agenda. What does that mean for UK businesses and CISOs?
National Significance
Experts say the King’s Speech shows the UK is increasingly seeing cybersecurity as a national security issue.
The King’s Speech reinforces a clear shift in UK cybersecurity policy. “Resilience is becoming a matter of national security, not just IT best practice,” says Stew Parkin, global CTO, Assured Data Protection.
Chris Newton-Smith, CEO at IO, agrees. He thinks the King’s Speech represents “the most cyber-focused legislative programme the UK has seen in a decade”.
“Four of the Bills directly touch information security, digital infrastructure and national cyber resilience, with further implications extending into energy, healthcare and critical national services,” he points out.
The legislative programme shifts the question from “are we compliant?” to “are we resilient?”, according to Newton-Smith.
The proposed Cyber Security and Resilience Bill is particularly significant, he says. “It reflects the recognition that voluntary frameworks and guidance alone have not delivered security improvements at the pace required by today’s threat landscape.”
Other Measures
As well as the Cyber Security and Resilience Bill, the speech confirmed several adjacent measures that security leaders should be aware of and track, says Phil Bindley, field chief information security officer at Intercity.
The first, as part of the National Security Bill, is a reform of the Computer Misuse Act 1990, which predates the modern web and has long been criticised for exposing legitimate security researchers to legal risk.
Reforms of this Act aim to provide clearer legal cover for vulnerability research and penetration testing, while handing law enforcement new tools, including a proposed Cyber Crime Risk Order, explains Bindley.
The Regulating for Growth Bill is another change. This Bill introduces cross-economy “sandboxing” powers that let businesses test new technologies in controlled regulatory environments, says Bindley. Notably, there was no standalone AI Bill; instead, the government is embedding AI within sector-specific reform.
The government has also outlined a voluntary Cyber Resilience Pledge. Running in parallel to legislation, this asks organisations to commit to board-level oversight of cyber risk, adoption of the Cyber Governance Code of Practice, director training via the National Cyber Security Centre (NCSC), registration for the NCSC Early Warning service, and Cyber Essentials certification across their supply chains.
Direction Of Travel
Strip away the individual bills, and a consistent trajectory emerges, says Bindley: “The UK is moving from voluntary best practice towards mandatory, enforceable security standards, backed by tighter scrutiny of operators and their supply chains.”
Given the never-ending struggle between cybersecurity teams and attackers, the direction of travel is “always going to be towards greater accountability, greater scrutiny, and shorter timeframes,” says Raluca Sacenau, CEO of Smarttech247. “Regulation cannot predict every possible new attack or attack vector. But it can ensure that organisations have the right processes in place; are sharing information responsibly; and are aware of their place in the broader economy.”
New technologies are inevitably a moving target for regulation. While not specifically mentioned in the King’s Speech, they will be crucial concerns for new bills, says Sacenau: “Whether how to defend against them, how to use them, or how to power them. The most important fact is that any regulation needs to focus on processes and best practices, not the technology itself. For instance, mandating patch timelines that are fast enough to stop AI-accelerated exploits. And encouraging post-quantum encryption so businesses aren’t left racing to catch up with more powerful attacks.”
CISO Response
Regardless of the speech itself, leaders should be following cybersecurity best practice: “Hope for the best, prepare for the worst,” says Sacenau. “The details of any regulation are less important than making sure organisations are prepared for evolving threats.”
For instance, “is patch management fast enough to outpace AI-powered attacks?” she asks. “And are identities rigorously protected and policed as phishing attacks move beyond email and messaging? Are ransomware strategies updating as attackers move beyond simple ransom to outright extortion or state-sponsored disruption? Are you confident that all your supply chain is protected to the same standard?”
To prepare specifically for the Cyber Security and Resilience Bill, Parkin advises taking into account more stringent requirements around risk management, incident reporting, operational resilience and third-party assurance. “Regulators and customers are increasingly expecting organisations to demonstrate – not simply claim – that they are secure and recoverable.”
Yet the first priority for CISOs should be readiness, not compliance, says Tom Pepper, partner at Avella Security. “The 24-hour reporting requirement sounds manageable, until you’re in the middle of a live incident. Most organisations should start by gap-analysing against the Cyber Security and Resilience Bill and asking a simple question: Could we provide a meaningful update within 24 hours? For many, the answer is no.”
With resilience continuing to dominate the national agenda, above all, security shouldn’t forget the human factor, says Sacenau. “Often the best asset an organisation can have is a cybersecurity team that is experienced, adaptable, and can meet the demands of new regulation, technologies and threats.”
Written by
Kate O'Flaherty
Cybersecurity and privacy journalist