The Cyber Security and Resilience Bill – what institutions need to know

The UK government’s Cyber Security and Resilience Bill (CSRB) presents challenges and potential opportunities for the higher and further education and research sectors, as our chief technology officer Henry Hughes explains.
How the CSRB raises the bar on cyber resilience
The Cyber Security and Resilience Bill has its origins in the need to bring the UK’s approach to cyber security in line with the EU’s updated, wide-ranging cyber security regulation, known as NIS2.
Ensuring the UK aligns with the EU is essential to reduce trading friction, but the CSRB goes further, extending the scope of which services and sectors need to be regulated and aiming to strengthen the resilience of the UK economy by setting clearer expectations around cyber security best practice.
I recently spoke at BETT UK 2026 about the implications of the CSRB for institutions and the wider sector. Here are some of the thoughts I shared.
The importance of the CSRB to the HE, FE and research sectors
While raising awareness of cyber security remains important, the impact of breaches is now well understood. High-profile attacks on organisations such as M&S, the Co-op and Jaguar Land Rover (JLR) have shown that the consequences extend far beyond the affected organisation.
The Office for National Statistics stated that a 0.1 per cent drop in GDP for the quarter was attributable to the JLR incident alone – equivalent to around £2 billion wiped off the balance sheet.
In that context, education and research contribute around £280 billion annually, according to research studies from Universities UK and the 157 Group of FE colleges.
By acting now, institutions can prepare for the wider implications of the CSRB while strengthening their cyber posture and helping to protect the wider economy.
First, take stock
We are often asked where to invest first, and our answer is always to get the fundamentals right: understand what you have and what you need to protect. Most universities already have Cyber Essentials or Cyber Essentials Plus in place. The next step is to ensure that it is operating effectively within the institution, and then to assess how well that is reflected across its supply chain.
If measures such as risk registers, business continuity plans and disaster recovery plans are absent or not up to standard, now is the time to address those shortcomings.
Ensure cyber security is at the top of the agenda
The recent UK government Cyber Security Breaches Survey found that only 27 per cent of businesses now have a board member explicitly responsible for cyber security, down from 38 per cent three years ago.
While awareness is generally stronger in education and research, cyber risk must be raised regularly at board level, with senior leaders taking a proactive, top-down approach to CSRB preparation.
Identify which digital services are critical
The CSRB does not mandate specific standards or frameworks, as these will be determined by secondary legislation. However, we do know the NCSC Cyber Assessment Framework is likely to be promoted heavily, placing greater importance on identifying ‘critical’ digital services as the primary focus.
What counts as critical will vary by institution. Core connectivity services are universally critical, while priorities will differ between research-intensive and teaching-focused institutions. Reaching agreement on these definitions requires inter-departmental co-operation and senior-level engagement to keep preparations focused and proportionate.
See preparation for CSRB as an opportunity
It’s no secret that strengthening cyber resilience involves investment. However, it’s important not to overlook the opportunities a sector-wide response can bring.
For example, regulators will be able to collect incident data, understand vulnerabilities and feed that information back so organisations can target investment sensibly. The costs of dealing with incidents and breaches may be shared, along with intelligence about emerging or evolving threats.
A common format for incident reporting could reduce overheads, and improved incident data could itself prove to be a valuable research asset. There could also be knock-on benefits, such as a reduction in cyber security insurance costs.
The role of Jisc in cyber resilience and CSRB preparation
Our team is actively involved in CSRB discussions with the Department for Science, Innovation and Technology (DSIT), including helping to define the ‘playing field’ of where and how regulation may be applied.
Key to this process is our highly active cyber security community group, which has grown to more than 2,800 members. It is a diverse network of security professionals from across the sector who provide valuable insights into best practice and drive collaboration.
More broadly, Jisc members benefit from Janet, the UK’s most secure, high-capacity network, and have access to our security operations centre (SOC), which represents the gold standard in proactive threat prevention and response for the sector. Organisations must meet minimum cyber security standards before they can be onboarded to the SOC – a process which in itself strengthens their cyber security posture in preparation for the CSRB.
