EMCSC warns Westminster eForum that codes alone won’t deliver cyber resilience

EMCSC

UK cyber policy is entering a pivotal phase – but it will only make a difference if organisations can actually use it.

That was the view of EMCSC founder and director Dr Ismini Vasileiou, an associate professor at De Montfort University, as she spoke at the Westminster eForum conference on the next phase of progress for UK cyber security and regulation.

The online event, chaired by Rt Hon Baroness Neville-Jones – former Minister of State for Security and Counterterrorism – brought together policymakers, regulators, industry leaders and experts to discuss how the country should respond to fast‑evolving threats, new legislation and the National Cyber Action Plan.

Dr Vasileiou spoke alongside keynote speaker Professor Simon Shiu, lead author of the UK Cyber Growth Action Plan report, and senior industry figures including Ben Lyons, Senior Director of Policy and Public Affairs at Darktrace. 

The conference involved discussion about frameworks and policies the Government has put in place – as well as the challenges businesses face in translating them into practice.

“We are in an important moment for UK cyber policy,” Dr Vasileiou told delegates. 

“The Cyber Security and Resilience Bill is now progressing through Parliament, building on the policy statement published in April 2025, and the wider conversation has moved well beyond a narrow technical discussion.

“We are now talking much more seriously about resilience, supply chains, incident reporting, governance, and accountability at leadership level.”

The Bill is designed to strengthen and expand the existing framework by bringing more organisations and services into scope and tightening expectations around incident reporting. 

In parallel, the Government has introduced a growing ecosystem of cyber codes of practice, intended to set baseline expectations and act as stepping stones towards more detailed guidance, standards and, where necessary, regulation. 

The Cyber Governance Code of Practice is pitched as a starting point for boards and directors, backed by training and NCSC toolkits.

Dr Vasileiou welcomed this progress – but warned that “publishing a code is not the same as achieving change”.

“Organisations do not experience cyber through neat policy categories,” she said. 

“Business leaders do not work their way systematically through separate governance codes, software codes, and assurance frameworks. 

“Instead, they experience cyber as part of running a business: managing risk, keeping services going, dealing with suppliers, protecting reputation and making hard choices with limited capacity.”

For Dr Vasileiou, three themes will determine whether the current policy wave delivers genuine resilience.

First is the term ‘resilience’ itself: Dr Vasileiou said it can quickly become vague and risks driving box‑ticking rather than real preparedness.

Second, she argued, cyber must be treated as an organisational issue, not just a technical one. She said the strength of the Cyber Governance Code lies in the way it reinforces board‑level ownership across risk, strategy, people, incident planning and assurance.

Third is translation. Regulation, codes and incident‑reporting requirements all matter, but Dr Vasileiou said they will only improve national resilience if organisations can navigate them. 

“We need policy that organisations can navigate,” she said. “We need language that boards can use. We need pathways that make sense to businesses that are trying to do the right thing but do not have endless in-house resource. And we need to recognise that resilience is built not only through obligations, but through usability, clarity, leadership and culture.

“Cyber resilience will not be strengthened by policy intention alone,” Dr Vasileiou concluded. “It will be strengthened when organisations can see themselves in the language, understand what is expected of them, and act on it with confidence.”

East Midlands Cyber Security Cluster

Unit 7, Brook Park Offices, Gaddesby Lane, Rearsby, LE7 4ZB

© 2026 East Midlands Cyber Security Cluster CIC. Company number 14943210.