
Cyber Security and Resilience Bill must go beyond the purely technical

EMCSC Admin
The Government’s publication of the Cyber Security and Resilience Bill marks an important and overdue step toward strengthening our national cyber security position. As legislation, it zeroes in on technology, regulation, and compliance, laying out demanding new expectations for how organisations of all sizes must defend themselves, and the country, against escalating digital threats. It comes weeks after Ministers came together to warn of the increasingly “hostile and frequent” cyber threat landscape.
The Bill is decisive – however it’s also only part of the solution, writes Dr Ismini Vasileiou.
As guidance from both the Department for Science, Innovation and Technology and the National Cyber Security Centre continues to remind us, cyber resilience isn’t just about technology: it’s fundamentally socio-technical. People, leadership, culture, and skills are at the heart of effective cyber defence.
Closer to home, East Midlands Cyber Security Cluster (EMCSC) – which I founded in 2023 – is actively addressing this challenge by linking business, academia, and cyber experts to support knowledge-sharing and workforce development across our region.
Its events, workshops, and expert-led seminars spread best practice and educate organisations on the twin shields of technical defence and cultural change. While the Bill is robust in technical requirements, the reality is that regulations and compliance measures will only go so far without a strong, skilled workforce to enact them.
As I read the Bill and its surrounding commentary, one gap leaps out: the Government has raised the bar for organisations’ cyber responsibilities, but hasn’t addressed how they’ll actually develop the workforce capability to meet these new obligations.
Why does this matter? Because there’s currently no unified national cyber skills framework to underpin the Bill. Instead, we have a mishmash of education, employer, and Government standards, with inconsistent role definitions and unclear skills terminology. Workforce capacity is simply assumed; nowhere is there a strategy or mechanism to deliver it.
EMCSC is addressing this through a White Paper which is making its way around Westminster. More directly, we are using our CyberGrowth programme to offer valuable support to local SMEs and larger organisations, helping to guide career development in cybersecurity and signpost opportunities to enter and progress in the field.
By building local networks and collaborating with industry professionals and government, EMCSC helps to address inconsistent role definitions and the lack of a unified skills strategy at a regional level.
The Bill isn’t shy about setting new expectations. The scope of NIS is expanding to cover more sectors, including SMEs, MSPs, OT, and digital suppliers. All will be required to meet high cyber standards. Incident reporting is now on a rapid timeline (24/72 hours), which means organisations need clear roles and real competence in incident response.
The Cyber Assessment Framework (CAF) is becoming statutory, so governance, risk management, detection, response, and recovery capabilities are now mandatory. In addition to this, supply chain expectations are much tougher, pushing for supplier assurance and basic cyber competence at every level.
Regulators have more powers, and there’s a greater need for standardisation in benchmarks for cyber capability. The new duty for secure digital services positions secure-by-design and identity management skills as essential.
For all its strengths, however, the Bill misses some fundamentals. There’s still no national cyber skills taxonomy defining the specific competencies organisations must build aligned to the Bill’s requirements.
There is a lack of clarity on role profiles, especially around incident response and governance functions. SMEs and suppliers are left in the dark about how they’re supposed to build up the skills needed to comply.
Despite DSIT and NCSC guidance highlighting the importance of behavioural, leadership, and cultural factors, there’s no plan for integrating these into competency frameworks. And lastly, there’s no regional or national structure in place to support scalable skills development, which is crucial for true resilience.
This is why our Cyber Workforce of the Future White Paper’s recommendations are so timely. The proposals set out a comprehensive, UK-wide cyber skills taxonomy, mapped directly to the Bill’s requirements and the CAF pillars. They offer detailed role profiles and clear pathways for incident response and reporting, as well as a regional delivery model that can support the newly in-scope SMEs and supply chain partners.
The White Paper also recommends the establishment of a national delivery body to maintain competency standards and support both organisations and regulators, as well as integrating secure-by-design, identity management, and other emerging roles relevant to the Bill. Most crucially, the proposals offer a complete workforce infrastructure: taxonomy, pathways, competency standards, and robust delivery mechanisms.
The bottom line is clear: the Bill is a major advance in regulatory direction, but it falls short on creating the workforce system needed to make it work in reality. Regulatory uplift means very little without workforce uplift. If we want resilience to be more than a tick-box exercise, we need a unified national skills framework aligned with regulatory requirements like CAF, rapid incident reporting, supply chain assurance, and secure-by-design principles.
Without concrete clarity on roles, competencies, and career pathways, organisations will struggle to meet the new obligations effectively – and the Bill’s promise of greater national resilience risks going unfulfilled.
This is the right moment to reset the conversation on cyber skills in the UK. The proposals outlined in our White Paper directly support the Bill’s aims and are exactly what’s needed to bridge the gap and make sure the Bill delivers real resilience on the ground.
If the UK is to move beyond regulatory uplift to genuine cyber resilience, grassroots organisations like EMCSC must be empowered and integrated into the national solution. Their work aligns directly with government aims: building professional networks, guiding careers, setting up events, and sharing expert advice for both technical and behavioural cyber competencies.
For Leicester and the wider East Midlands, EMCSC offers a proven model for strengthening local cyber security, ensuring new regulations translate to real, sustainable resilience on the ground.