It is only a few months before the Government's Cyber Security and Resilience (Network and Information Systems) Bill becomes law, bringing the biggest change to UK organisations' cyber security thinking since the GDPR privacy regulations took effect in 2018.
Cyber-attacks continue to compromise sensitive data and paralyse operations at public bodies and private companies alike. Data breaches recorded by councils in England have increased by 53% over the last five years with referrals to the Information Commissioner's Office for the most serious breaches up 41% in that time.
Mandating action
The Government wants to contain these growing threats by making the existing cyber resilience guidance and benchmarking process in the National Cyber Security Centre's Cyber Assessment Framework (CAF) a mandatory requirement.
This means that by 2028, public sector entities such as local authorities and NHS trusts will have to meet the framework's cyber hygiene requirements or face penalties comparable to those introduced with the GDPR. Organisations will need to ensure their core business and IT systems are cyber resilient and report any data breaches within 24 or 72 hours, depending on the gravity of the incident, or face fines of up to £17 million or 4% of turnover.
Next-level cyber security
Although organisations will have a two-year period to achieve compliance, they will need a combination of strong board-level leadership, wide-ranging education and expert external advice to build 'next-level' cyber security cultures, cyber resilience regimes and incident reporting in good time.
This lead-in will be essential if organisations are to avoid the rushed IT system assessments that characterised much of Britain's response to the 2018 GDPR data protection legislation. It will also give authorities crucial time to strengthen their cyber security capabilities while coping with the UK's longstanding shortage of cyber security professionals.
We have identified key steps for boards to deliver their action plans and enhanced security practices, to ensure compliance with the legislation while containing ever-evolving threats:
Developing cyber maturity
Leadership will need the right technical expertise in their organisation, not only to fully understand the Cyber Assessment Framework's criteria, but also to gauge the likely impact on their authority's risk management, technical controls and cyber governance capabilities.
Data-driven planning
Leadership teams will need to harness the framework's assessment data to shape their cyber resilience action plans. These insights are essential if authorities are not only to develop comprehensive cyber resilience regimes but also to enforce compliance right across the organisation.
Additional funding?
Given that the legislation could impose further IT infrastructure and reporting demands, council boards and chief information security officers (CISOs) will need to prioritise the business case underpinning their action plans. They must articulate comprehensive business and technical arguments to unlock the additional funding required.
Changing threats
The relentless evolution of cyber threats, given added impetus by AI, places a responsibility on senior executives to improve their authority's ability to identify and block attacks. Councils will have to refine their security tooling and further consolidate their technology stacks: "siloed" systems make it harder for cyber security teams to gather the real-time threat data needed to respond rapidly to an attack.
Best practice
Council boards will set the tone for raising cyber resilience. Senior executives and CISOs will need to provide effective and inclusive leadership in embedding best security practices across their operations, as well as organising the resources to satisfy the new framework's six-monthly cyber resilience reviews.
Local authority chiefs know that effective cyber security cultures are inclusive: everyone from depot managers to finance teams will have a role to play. In this way, town hall leaders can ensure their councils raise their cyber resilience to meet this game-changing Act's requirements while delivering the highest cyber security standards.
Peter Jones, cyber security specialist, Conscia UK
