Source · Select Committees · National Security Strategy (Joint Committee)
Recommendation 13
Accepted
Recommendation
The Government should clarify what will change for private sector Critical National Infrastructure operators as a result of the NSS and provisions of the Cyber Security and Resilience (Network and Information Systems) Bill. It should then work with those operators to identify what support will be needed for them to adapt to the new regime. (Recommendation, Paragraph 59)
Government Response Summary
The government commits to supporting CNI operators in meeting new Cyber Bill requirements by issuing implementation guidance for regulators and a code of practice to clarify expectations. They are also mapping resilience standards and developing NPSA guidance to identify and address gaps in support and clarity.
Government Response
Accepted
HM Government
The Government is committed to working closely with owners and operators of CNI in the UK to maintain and improve the cyber resilience of our most critical systems. Critical National Infrastructure (CNI) Lead Government Departments are responsible for setting the guidance and expectations that support their sectors’ resilience efforts. The Cabinet Office has committed to mapping these resilience standards, which are fundamental in holding industry to account and assuring the resilience of UK CNI. This mapping will be used to identify and address any gaps in the steer provided to CNI owners and operators regarding their resilience activities across all risks, including for cyber.
Additionally, the National Protective Security Authority (NPSA) is working on developing guidance to support CNI (and wider Industry) to better understand what is expected in terms of protective security at their locations.
As part of the Armed Forces Bill 2026, we are amending the Reserve Forces Act (RFA 96), which makes provision for matters including call-out for and recall to permanent service. These measures will help us respond to the unstable geopolitical outlook and latest threats that we face. In response to Strategic Defence Review Recommendation 27, and as part of wider government plans to improve the protection of CNI, the Ministry of Defence is exploring the development of a new force that is modelled on the Reserves. We will provide further public details in due course.
This is part of HMG’s wider work to raise CNI resilience across the UK, as set out in the Resilience Action Plan, including work by Government with industry and National Technical Authorities to identify and prioritise where targeted interventions are required. This includes through the Cyber Security and Resilience Bill, which covers operators of essential services in the energy, transport, health, drinking water sectors, data and digital infrastructure and some digital services.
The Bill requires in-scope organisations to meet proportionate cyber security and resilience requirements, consistent with the NCSC’s Cyber Assessment Framework and regulator guidance. They must also report more harmful incidents to their regulator and notify the NCSC within 24 hours, with a full report due within 72 hours. The Government will support organisations in meeting the Bill’s requirements through various methods, including implementation guidance for regulators, who themselves produce sector-specific compliance guidance. The Secretary of State will also have the power to issue a code of practice, which will clarify expectations and aid compliance for regulators and businesses. There is also a wide range of guidance, tools, training and support provided by the Government to support organisations to drive up cyber maturity. This includes the Cyber Governance Code of Practice to help organisations manage cyber risks, the Cyber Essentials scheme to prevent common cyber attacks (including in their supply chains) and the use of the Early Warning service. The upcoming National Cyber Action Plan will outline further concrete actions to strengthen our resilience and harness cyber’s enormous growth opportunities, including for CNI.