Kelly Butler
Head of Cyber - UK, Marsh Speciality
United Kingdom
The King’s Speech last week (13 May 2026) signalled renewed momentum behind the UK government’s cyber agenda — pairing forthcoming legislation with a broader push to raise cyber resilience across the economy. For organisations operating in or supplying the UK market, three items are worth tracking closely: the Cyber Security and Resilience Bill, the Cyber Resilience Pledge, and proposed reforms linked to the Computer Misuse Act.
The government confirmed continued progression of the Cyber Security and Resilience Bill, which is intended to strengthen UK cyber defences by updating the legislative framework protecting “essential services” from cyberattacks.
The Bill will expand the remit of existing regulations and bring more organisations under regulatory scope, including managed IT companies, data centres, and operators that manage the flow of electricity to smart appliances. Regulators will also be given new powers to designate critical suppliers to the UK’s essential services, potentially widening the scope of regulation further.
A key focus of the Bill is mandatory reporting of cyber incidents to regulators and the National Cyber Security Centre (NCSC) within 24 hours, with a full report due within 72 hours. This is a particularly tight timeframe, and many organisations would find it difficult to provide meaningful information in such a short period.
While full details will emerge as the Bill moves through Parliament, the direction of travel is clear: greater emphasis on demonstrable cyber resilience — preparedness, response, and recovery — rather than written policies or one-off compliance.
While the legislation continues its journey through Parliament, the government has also launched a Cyber Resilience Pledge — a practical initiative aimed at encouraging businesses to uplift everyday cyber hygiene and resilience. The pledge will form part of the Government Cyber Action Plan, which will launch later this year. While the pledge is voluntary, it can serve as a market signal, shaping what government, industry, customers, partners, and boards view as the “minimum expected practice.”
Companies signing up to the pledge commit to take the following actions:
Why it matters
The requirement for Cyber Essentials across entire supply chains will have a cascade effect, resulting in many more small businesses being required to implement and evidence baseline cybersecurity controls (for example, multi-factor authentication (MFA), patching cadence, backups, and incident plans). This may have the desired effect of increasing cyber resilience across the UK economy, particularly among SMEs. However, Cyber Essentials only establishes a bare minimum security standard — far more is needed to build true cyber resilience.
The King’s Speech agenda also points to updates to the Computer Misuse Act 1990 via the National Security Bill, with proposals described as modernising powers to address today’s cybercrime landscape. Commentary indicates reforms may include new tools to constrain cybercriminal activity, including the creation of a “Cyber Crime Risk Order,” and may seek to better enable legitimate cybersecurity professionals’ access to secure systems — an area that has long attracted industry attention.
We welcome the Government bringing forward the Computer Misuse Act reform in the National Security Bill, marking a significant step for the UK's national cyber defences. The effectiveness of this reform will hinge on its details: careful calibration of scope, reporting thresholds, supply-chain rules, and timelines is essential. It is crucial for the Government to continue collaborating with industry to ensure that the rules are proportionate, implementable, and backed by clear guidance. We are prepared to assist in ensuring the success of this reform for all UK businesses.
While legislative detail and timelines will evolve, organisations can take sensible “no regrets” steps: