CYBER SECURITY

Getting ready for 'game-changer' Cyber Security Act: Five steps for councils

Peter Jones identifies key steps for boards to deliver their action plans and enhanced security practices, to ensure compliance with the Cyber Security Act.

cyber resilience (c) Andrii Yalanskyi-Shutterstock

It's only a few months before the Government's Cyber Security and Resilience (Network and Information Systems) Bill becomes law, making the biggest change to UK organisations' cyber security thinking since the GDPR privacy regulations in 2018.

Cyber-attacks continue to compromise sensitive data and paralyse operations at public bodies and private companies alike. Data breaches recorded by councils in England have increased by 53% over the last five years, with referrals to the Information Commissioner's Office for the most serious breaches up 41% in that time.

Mandating action

The Government wants to contain these growing threats by making the previous cyber resilience guidance and benchmarking processes in the National Cyber Security Centre's Cyber Assessment Framework (CAF) a mandatory requirement.

This means that by 2028, public sector entities such as local authorities and NHS trusts will have to meet the framework's cyber hygiene requirements or face penalties commensurate with the GDPR's data privacy drive. Organisations will need to ensure their core business and IT systems are cyber resilient and report any data breaches within 24 or 72 hours depending on the gravity of the incident – or face fines of up to £17 million or 4% of turnover.

Next-level cyber security

Although organisations will have a two-year period to achieve compliance, they will need a combination of strong board-level leadership, wide-ranging education and expert external advice to achieve 'next-level' cyber security cultures, cyber resilience regimes and incident reporting in good time.

This lead-in will be essential to help organisations avoid the rushed IT system assessments that characterised much of Britain's response to the 2018 GDPR data protection legislation. It will also give authorities crucial time to strengthen their cyber security capabilities while dealing with the challenges of the UK's longstanding shortage of cyber security professionals.

We have identified key steps for boards to deliver their action plans and enhanced security practices, to ensure compliance with the legislation while containing ever-evolving threats:

Developing cyber maturity

Leadership will need the right technical expertise in their organisation – not only to fully understand the Cyber Assessment Framework's criteria, but also the likely impact on their authority's risk management, technical controls, and cyber governance capabilities.

Data-driven planning

Leadership teams will need to harness the framework's assessment data to shape their cyber resilience action plans. These insights are essential to ensure their authorities not only develop comprehensive cyber resilience regimes but also enforce compliance – right across the organisation.

Additional funding?

Given the legislation could impose further IT infrastructure and reporting demands, council boards and chief information security officers (CISOs) will be required to prioritise the business case underpinning their action plans. They need to articulate comprehensive business and technical arguments to unlock the additional funding required.

Changing threats

The relentless evolution of cyber threats – given added impetus by AI – places a responsibility on senior executives to improve their authority's ability to identify and block these attacks. Councils will have to refine their security tooling and further consolidate their technology stacks: "siloed" systems can make it harder for cyber security teams to gather the real-time threat data needed to respond rapidly to malicious attacks.

Best practice

Council boards will set the tone for uplevelling cyber resilience. Senior executives and CISOs will need to provide effective and inclusive leadership in embedding best security practices across their operations, as well as organising the resources to satisfy the new framework's six-monthly cyber resilience reviews.

Local authority chiefs know that effective cyber security cultures are inclusive: everyone from depot managers to finance teams will have a role to play. In this way, town hall leaders can ensure their councils uprate their cyber resilience to meet this game-changing Act's requirements while delivering the highest cyber security standards.

Peter Jones, cyber security specialist, Conscia UK
