Rising above obligation: The next step in cyber-resilience

December 22, 2025

Audra Simons, Vice President Global Software Engineering at Everfox, discusses how the UK’s proposed Cyber Security and Resilience Bill marks a pivotal step in strengthening national cyber defences – and why organisations should look beyond compliance.

Cyber Security and Resilience Bill

In the July 2024 King’s Speech, the UK Government announced it will introduce a Cyber Security and Resilience Bill to strengthen the UK’s cyber-defences and build the resilience of our essential services, infrastructure, and digital services.

The UK’s critical national infrastructure is essential to businesses that rely on it to drive the economy and to citizens who depend on it for their well-being.

However, the existing Network and Information Systems (NIS) Regulations, designed to protect the cyber and physical resilience of the UK’s health, energy, transport, drinking water and digital infrastructure, were enacted in 2018.

Since then, cyber-threats that can compromise these essential services have grown significantly and innovations such as AI and quantum computing have further increased the effectiveness and impact of cyber-attacks.

Recent cyber-incidents have highlighted the growing vulnerability of the UK’s critical infrastructure and major businesses.

The Synnovis ransomware attack in June 2024 on the National Health Service disabled critical systems, making patient health records inaccessible, cancelling thousands of surgeries and leaving many hospitals unable to function.

This disruption shows why the Government is updating regulations.

The new Cyber Security and Resilience Bill, introduced in Parliament in November 2025, is expected to expand the scope of organisations covered, tighten incident reporting requirements, and introduce stronger enforcement.

Businesses will need to strengthen defences and demonstrate compliance with higher standards of resilience.

With new cybersecurity regulations pending and essential services facing rising threats from cyber-criminals and nation-state actors, there is a lesson in the tools many government organisations use to secure sensitive systems.

These tools can also protect critical infrastructure and promote business resilience.

Cybersecurity built on hardware logic

The cybersecurity of many critical infrastructure systems has traditionally relied on an air gap.

However, the need for connectivity to maintain the “always on” stack of legacy systems within the Operational Technology (OT) network complicates this approach.

The conflict between these objectives has led to various ad hoc solutions to protect OT networks and the IT networks that connect to them.

Fortunately, the structure of these systems strongly mirrors the structure of sensitive government networks, which can provide a framework for securing critical infrastructure.

A key principle for sensitive network architecture is to keep systems of different risk levels separate and provide tightly controlled ways for them to exchange information.

When the risk gap is small, software-only controls like firewalls can be used.

As risk increases, stronger software is needed, such as trusted operating systems or separation mechanisms in cloud services.

When risk is high, as with critical infrastructure, software alone cannot reduce that risk to acceptable levels.

Here, hardware logic provides a strong foundation for software to deliver the complex security controls needed.

This is the ‘hardware-enforced’ approach to high assurance security.

Although this government innovation is not widely adopted in critical infrastructure and major businesses, there is no reason it cannot be.

In a hardware-enforced solution, software on separate CPUs interfaces with applications and services on the networks.

Hardware logic running on an FPGA chip connects the CPUs. The logic is configured on a separate interface away from the data path.

This makes the logic immutable; once you are confident it is correctly checking data, it will keep doing that, regardless of the data sent to it.

Software is complex and flexible, which makes it prone to failure.

Immutable hardware logic adds another layer of security.

Together, they provide strong yet flexible security, with protocol and data breaks enforced at the core by hardware logic.

Placing security controls reinforced with hardware logic between IT and OT systems can enable critical infrastructure industries to better manage risk across this network gap and provide higher assurance that a compromise of the IT network will not spread into the OT network.

This is a better alternative to less secure, makeshift and often unvetted solutions that attempt to bridge protected enclaves and the broader network.

Threat protection from files and high-risk networks

Hardware-enforced controls can work with Content Disarm and Reconstruction (CDR) technology to provide strong protection against harmful file transfers that may contain hidden malware and other malicious content.

Advanced CDR software is split into two parts. The first describes the data to be delivered and the second builds new data from the description.

The use of hardware logic between the two verifies that the descriptions are safe and can be trusted.

Unlike regular CDR, this avoids the need to fully trust the complex software handling potentially unsafe data.
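The describe / verify / rebuild split described above, as an added Python sketch that is not Everfox's code: it uses a constructed toy line format ("TYPE|payload") rather than a real document type, and the `verify` function plays the role the article assigns to hardware logic, applying a small fixed rule set to the description alone and never touching the original file.

```python
import json
import re
from typing import Optional

# Constructed toy document format (not a real file type): one element per line,
# "TYPE|payload". Only TEXT and IMAGE elements can ever be described; anything
# else (SCRIPT, MACRO, ...) has no place in the description and so never
# reaches the rebuilt output, whatever it contained.
ALLOWED = {
    "TEXT": re.compile(r"^[\x20-\x7e]{0,200}$"),   # printable ASCII only
    "IMAGE": re.compile(r"^[0-9a-f]{8}$"),         # toy pixel data: 8 hex digits
}

def describe(raw: bytes) -> str:
    """Untrusted side: parse the risky input and emit a simple description."""
    elements = []
    for line in raw.decode("utf-8", errors="replace").splitlines():
        kind, _, payload = line.partition("|")
        if kind in ALLOWED:
            elements.append({"type": kind, "value": payload})
    return json.dumps({"elements": elements})

def verify(description: str) -> bool:
    """Stand-in for the hardware-logic check: fixed, simple rules that decide
    whether the description is safe to pass on. Anything unexpected fails."""
    try:
        doc = json.loads(description)
    except ValueError:
        return False
    if set(doc) != {"elements"} or not isinstance(doc["elements"], list):
        return False
    for el in doc["elements"]:
        if not isinstance(el, dict) or set(el) != {"type", "value"}:
            return False
        if el["type"] not in ALLOWED or not isinstance(el["value"], str):
            return False
        if not ALLOWED[el["type"]].match(el["value"]):
            return False
    return True

def rebuild(description: str) -> bytes:
    """Trusted side: build a brand-new file from the verified description only;
    no byte of the original input is copied through."""
    doc = json.loads(description)
    return "\n".join(f'{e["type"]}|{e["value"]}' for e in doc["elements"]).encode()

def sanitise(raw: bytes) -> Optional[bytes]:
    """Full pipeline; returns None (fail closed) if the description is rejected."""
    desc = describe(raw)
    return rebuild(desc) if verify(desc) else None
```

Note that a description which fails the check blocks the whole file rather than being "cleaned": the verifier only has to say yes or no, which is what keeps its rules small enough to fix in logic.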

Hardware-enforced technologies can also protect networks from harmful web-based threats including phishing, malware and zero days.

Using hardware-enforced Remote Browser Isolation (RBI) to deliver web content as an interactive video stream ensures the website’s original code does not reach the user, but the user still sees the content they need.

Software encodes and delivers the video stream while hardware logic provides full isolation that completely separates users from the Web.

Seize the opportunity

New requirements from the Cyber Security and Resilience Bill offer critical industries and major UK businesses a chance to strengthen protections, demonstrate compliance and reinforce operational continuity.

Organisations that adopt solutions aligned with the Cyber Security and Resilience Bill’s focus on resilience, risk management and incident transparency will reduce exposure to attacks and be ready to meet regulators’ expectations with confidence.

For critical industries, hardware-enforced cybersecurity solutions can connect OT and IT for data transfer and remote access without unmanageable risk.

Using hardware logic between high value and high threat networks can protect against known threats and zero-day exploits, providing reassurance as innovations like AI and quantum computing evolve.

While the Cyber Security and Resilience Bill will likely require changes to many organisations’ security postures, hardware-enforced cybersecurity can be integrated with existing infrastructure to bolster defences on-premises, in the cloud or as a hybrid deployment with minimal network changes.

This reduces the likelihood and impact of a cyber-attack without affecting usability or business efficiency.

The UK is not alone. The EU’s NIS2 Directive and the US’s CIRCIA legislation both reflect a global shift toward mandating stronger resilience and faster incident disclosure.

For UK businesses, that means the bill should be seen not as a compliance burden but part of a wider international movement toward accountability in cybersecurity.

As cyber-threats rapidly grow in sophistication, defences built on hardware logic combined with software security can help businesses neutralise threats before they enter systems.

This approach to cyber-protection is far better than spending resources on detection, containment and response.

This article was originally published in the December edition of Security Journal UK.
