Cyber Security and Resilience (Network and Information Systems) Bill — Written evidence submitted by the UK Cyber Security Council (CSRB32)
Parliament bill publication: Written evidence. Commons.
Cyber Security and Resilience (Network and Information Systems) Bill (10th February 2026)
Evidence for the Bill Committee
Cyber Security and Resilience (Network and Information Systems) Bill
The UK Cyber Security Council welcomes the introduction of the Cyber Security & Resilience Bill. As the professional body for the cyber security sector, the Council is uniquely positioned to support the Bill’s objective of strengthening the UK’s cyber defenses.
Awarded Royal Charter status in 2022, the UK Cyber Security Council was established to create a unified set of professional standards for the UK’s cyber security sector, and to hold the Cyber Security Professional Register.
With partners across industry and Government, the Council created the UK Cyber Security Standard for Professional Competence and Commitment (UKCSC SPCC). This Standard, championed by the Department for Science, Innovation and Technology (DSIT), sets out the professional and ethical standards cyber security professionals must meet for different roles and specialisms. It is against this Standard that individuals awarded Cyber Security Professional Titles are assessed.
The Council fully supports the Bill’s objectives; however, we recommend that it includes explicit reference to the UK Cyber Security Council as the authority for setting and maintaining the professional standards for the cyber security profession. The Council’s role is already well established, and has received support from successive governments.
To achieve the Bill’s ambitions, the UK must transition from a fragmented patchwork of varying certifications to a unified national standard of professional competence and ethical conduct. This is where we believe the Council’s role can be invaluable. In addition, any cyber security framework is only as strong as the professionals who operate within it - an area where the Council’s responsibility for holding and developing the cyber security professional register can be of support.
Addressing the cyber workforce gap
The Bill aims to enhance the security and resilience of the UK and the critical sectors that underpin our economy. It focuses primarily on the technical and regulatory requirements of covered entities (i.e. organisations), without sufficient emphasis on the competence and ethics of the practitioners managing the systems that underpin the entities and our wider digital economy. It places no requirement on the individuals developing, maintaining, and securing the very systems that this infrastructure relies upon.
This creates a strategic misalignment where:
● Entities are regulated, but practitioners are not: An organisation may be found compliant on paper while its systems are managed by individuals without verified skills or ethical oversight.
● Variable standards of implementation: Without a requirement for professional registration, the resilience of critical sectors is subject to significant inconsistency, dependent on the varying internal hiring standards of individual companies rather than a unified national benchmark.
● Supply chain risk: The infrastructure entities rely on is often built by third-party developers. If these developers are not held to the standards set by the Council, the Bill's goal of end-to-end resilience is undermined from the outset.
We recommend that the Bill explicitly recognises the Council as the authority for professional standards to ensure a consistent, high-quality workforce across the UK. By referencing the Council in the Bill, the government will:
● Standardise competence: Ensure that cyber professionals meet rigorous, peer-reviewed standards, demonstrating their ability to manage complex risks in high-risk environments.
● Enhance accountability: Provide a framework for ethical conduct and professional registration, similar to chartered professions in engineering or medicine.
● Future proof the workforce: Support the Bill’s long-term resilience goals by aligning regulatory compliance with professional development.
Other safety-critical professions, such as engineering and medicine, require licensed practitioners to protect the public. Similarly, the security of the UK's digital backbone should be entrusted to those who meet recognised professional standards and commit to a Code of Ethics. This provides the necessary assurance to regulators, covered entities and the public that the workforce is not only technically capable, but also professionally and ethically accountable.
Proposed amendment to the Bill
Clause 29 (Regulations relating to security and resilience of systems); at the end of the section (new subsection).
"Regulations made under this section must include provisions requiring covered entities [MSP, RDSP, OES] to ensure that any individual with primary responsibility for the management of its network and information systems holds a valid professional title with the UK Cyber Security Council, and meets the annual requirements to remain on the Council's professional register (appropriate to their role)."
Clause 29 is the most favorable location as it serves as the Bill's primary enabling power for establishing security and resilience requirements. By embedding the UK CSC titles here, a unified, auditable benchmark is created that automatically applies to all "regulated persons" - including OES, RDSPs, MSPs, and Critical Suppliers - without the need for repetitive amendments across multiple duty clauses.
February 2026
Prepared 10th February 2026