"Cyber resilience is now treated as a matter of governance rather than pure technical compliance"

For more than a decade, cyber security regulation has been treated as a technical problem: mandate controls, require incident reporting and resilience will follow. That approach is now being quietly abandoned. Repeated, high-impact incidents have shown that failure rarely stems from a lack of tools, but from failures of decision-making, oversight and accountability at senior levels. Cyber resilience, it turns out, is less about whether an organisation owns the right tools, and more about whether the people in charge know what they're doing with them.

In response, regulators on both sides of the Atlantic have shifted course. Cyber resilience is now treated as a matter of governance rather than pure technical compliance, anchored in leadership accountability rather than post-incident reporting.

Against that backdrop, the Cyber Security and Resilience Bill (CSRB) is striking. Presented as an evolution of the Network and Information Systems (NIS) regime, it strengthens incident reporting and information-sharing, but stops short of embedding cyber risk within board-level governance. The result is a framework that regulates outcomes while leaving the decision-makers who shape those outcomes largely untouched.

That omission matters. For UK businesses operating in EU and US markets, cyber governance is no longer optional. By diverging from this consensus, the CSRB risks forcing firms to operate under two compliance models, weakening clarity, credibility and competitiveness.

What “good” looks like now

Despite differences in legal systems and regulatory style, regulators have arrived at broadly the same destination. In the EU and the US, cyber resilience is no longer treated as something organisations merely manage at an operational level; it is something they are expected to govern.