The CSR Bill Has Cleared Report Stage. Good Security Was Already the Answer.
Compliance

The CSR Bill Has Cleared Report Stage. Good Security Was Already the Answer.

23 June 20267 min read

On the 2nd of September 1666, a fire started in a bakery on Pudding Lane and burned for four days. By the time it was out, it had destroyed 13,200 houses, 87 churches, and most of the medieval City of London. Roughly 70,000 of the city's 80,000 inhabitants were left homeless.

In the aftermath, the architect Christopher Wren drew up a plan for rebuilding London using a geometric layout - wide streets, open plazas, a city designed for movement and light and, implicitly, for fire to not spread so easily. Others proposed similar plans using uniform grids. Comprehensive solutions to a comprehensively understood problem.

Property rights were too complex, disputes too entangled, and the commercial pressure to rebuild quickly too great. Ultimately, London was rebuilt more or less on its old medieval street plan.

But building standards changed. The Rebuilding of London Act 1666, and the legislation that followed it, mandated for the first time that houses be built of brick or stone rather than timber. Streets had to be wider. Party walls had to reach specified heights. None of these requirements were technically new. The knowledge that timber buildings caught fire and that narrow streets turned blazes into infernos had been available for centuries. What the Act did was convert known good practice into enforceable baseline.

The Cyber Security and Resilience Bill clearing report stage is intended in the same spirit for UK cyber security.

The Bill does not tell you anything your CISO did not already know

This is worth saying plainly, because the volume of compliance commentary surrounding the Bill can create the impression that it introduces new technical knowledge. It does not.

The security practices the Bill mandates - know your risk, protect your systems, detect incidents early, report promptly, manage your supply chain — have been in every serious security framework for the better part of two decades. The NCSC Cyber Assessment Framework, which the Bill places on a stronger statutory footing, was published in 2018. The National Cyber Strategy set expectations for critical infrastructure operators in 2022. The guidance has been there.

What has been missing is the same thing that was missing in London's building stock before 1666: not knowledge, but accountability. The timber buildings were not being built by people who did not know that timber burned. They were being built by people who knew it, and who also knew that no one was going to enforce anything different.

The Bill changes that calculation.

Clearing report stage matters more than most milestones do

Parliamentary milestones can blur together. Bills have multiple readings. They go to committee. They come back. They go to the Lords. It can feel like a long sequence of events that does not quite resolve into anything.

Report stage is different in one important respect: it is the last opportunity for substantive amendment in the Commons. By the time a bill clears report stage, the text is, in all material ways, set. The Lords may send it back with changes, but the architecture — the scope categories, the reporting timelines, the penalty structure, the designation powers — is established.

That means the organisations that have been waiting to see what the final text looks like before beginning preparation have now run out of road. The final text is, for all practical purposes, in front of us.

And the organisations that are only now beginning to read it are discovering what the Rebuilding Acts' opponents discovered about the brick requirement: the structural change is not optional. Your current posture is the building. The standards apply.

The organisations that will struggle are not the ones who lack knowledge

The security teams that are least prepared for regulatory change are rarely the ones that do not understand what is coming. They are the ones whose organisations treat security as an IT matter until the compliance pressure makes it unavoidable.

Those organisations now face a particular kind of problem. They have to build the governance structure, the board engagement, the incident response capability, and the supply chain oversight that should have been developing gradually over the last several years — and they have to do so under time pressure, with regulators forming views about acceptable standards and secondary legislation on its way.

The 24-hour notification window is the most visible version of this problem. Most organisations, at the point of an incident, discover that they cannot currently meet a 24-hour initial notification requirement - not because the technology is inadequate, but because the escalation paths are unclear, the definition of "significant incident" has never been agreed at board level, and the relationship with the sector regulator has never been established. Those are governance problems. They take longer to fix than technical ones.

The bill's dual notification requirement — to both the sector regulator and the NCSC simultaneously — creates additional complexity that most incident response playbooks have not contemplated. Building that capability now, when there is no active incident and no regulatory clock running, is substantially easier than building it at 2am on a Tuesday.

The organisations that will handle this well have already understood something important

Wren's geometric layout was rejected, but the brick requirement was accepted. The reason is instructive.

Rebuilding London on a new layout would have required resolving thousands of property disputes, compensating landowners, coordinating across competing commercial interests, and deferring the reconstruction that an already devastated city urgently needed. It was perhaps the optimal solution to the underlying problem, but it was not a solution the existing system could absorb.

The brick requirement was different. It did not require redesigning the whole system. It required changing what the system was built from. It could be absorbed into existing practice — you were building anyway, you were buying materials anyway, you hired builders anyway. Now the materials were different.

The organisations that will handle the CSR Bill well are the ones that have understood that good security works the same way. You are already running security operations. You are already doing vendor management. You are already running board risk committees. The Bill does not require you to redesign the organisation. It requires that what you are already doing meets a defined standard.

The organisations that will struggle are the ones treating this as a new construction project rather than a renovation.

What clearing report stage should prompt you to do now

Given that the architecture is settled, the practical question is what to do with the time between now and Royal Assent.

The secondary legislation and Codes of Practice that will flesh out the technical requirements are not yet published. That is not a reason to wait. The specific thresholds for "significant incident" may still be defined by sector regulators; the security outcomes required by the CAF are already public. The MSP registration requirements may be confirmed through secondary legislation; whether your organisation falls in scope as a managed service provider is already determinable from the Bill's existing text.

Two things are worth doing immediately that many organisations have not yet done.

The first is having an honest board conversation about what the Bill actually means for your organisation — not a compliance update, but a risk conversation. What would a £17 million penalty, or a 4% of turnover fine, mean for the business? What would a 24-hour notification requirement mean for your current incident response capability? Those questions have answers, and boards that have not yet heard them are not in a position to make informed decisions about investment.

The second is establishing the regulatory relationship before it is required. Most in-scope organisations have not contacted their sector regulator. Most regulators, by contrast, want to be engaged during implementation and are more likely to take a constructive approach to early compliance gaps from organisations that have been talking to them than from organisations that appear for the first time in the context of an incident report.

The floor is not the ceiling

The Rebuilding Acts transformed London's building stock from the most fire-prone in Europe to some of the most resilient. That transformation was not completed in the first year. It took decades of standards being progressively raised, extended to new building types, and enforced with increasing consistency. The Act was the floor, not the ceiling.

The CSR Bill is the same kind of moment, establishing a baseline. It does not describe the security posture of an organisation that takes the threat seriously. It describes the posture of an organisation that has done the minimum required to avoid regulatory sanction.

The best CISOs to work with are not the ones asking "what do we need to do to comply?" They are the ones asking "what does this bill reveal about the gap between where we are and where we should be?" Those two questions have different answers, and the organisations that are asking the second one will be better prepared not just for the Bill, but for the threat environment that made the Bill necessary.

London was rebuilt on its old streets. But it was rebuilt in brick, and it did not burn in the same way again.

The question for your organisation is not whether to comply. It is what you are going to build.

Share this article

Richard Midwinter
CTO
Richard Midwinter

Seeking Security Insights for Your Business?

Our fractional CISOs can help you implement the strategies discussed in this article. Book a call to discuss your security needs.

Book a Call