
On 14 October 2025, UK ministers wrote a formal letter directly to the Chairs and CEOs of major companies. Not with fear. With expectation. It landed just days before the Cyber Security and Resilience Bill entered Parliament for first reading. The timing was deliberate.
Cyber security has moved beyond the realm of technical teams and quarterly dashboards. It now sits alongside financial governance and operational continuity as a core discipline of modern enterprise management. When cyber risk is poorly controlled, consequence does not stay contained. It moves through operations, supply chains and the confidence of leadership. When control falters, consequence follows fast.
As NormCyber CTO Paul Cragg notes, “The letter is a polite nudge with a serious undertone. Cyber cannot be isolated as an IT issue. It must be woven into the business fabric. Boards that wait for regulation to force action will already be behind.”
The government’s letter is therefore best understood as a line in the sand. And the Bill now in Parliament is the legislative follow-through. Together they signal that resilience is no longer optional. It’s commercial.

The End of FUD. The Start of Discipline.
For years, cyber has been positioned through fear, uncertainty and doubt (affectionately referred to as FUD). But fear has never stopped a breach. Discipline has.
The most resilient organisations move with visibility, vigilance and practised responses. They recover without losing momentum. They keep customer confidence while competitors stall.
The government’s intervention confirms what the market already knows: cyber is no longer a technical risk. It is a strategic enabler. And resilience is not a safety net. It is a source of advantage.

The Government’s Three Expectations: A Shift from Awareness to Accountability
Each expectation reflects a simple idea: resilience requires ownership and discipline.
1. Make cyber a board priority: This is about ownership, not compliance. Leaders must understand posture, track resilience like any other strategic metric and rehearse responses before they are needed.
2. Join the NCSC Early Warning service: Early Warning provides free, intelligence-led alerts from trusted sources. It surfaces signals that matter. But visibility without the ability to respond at pace is not protection. Continuous monitoring and rapid containment remain essential.
3. Require Cyber Essentials across the supply chain: Risk rarely originates from the systems you oversee. It flows in through those you rely upon. A minimum standard across suppliers strengthens the whole ecosystem and prevents inherited risk from accumulating unnoticed.

The government’s letter sets a new baseline, but turning expectation into execution is where many organisations struggle. To support organisations in meeting these new expectations with confidence, NormCyber recommends the following steps.
NormCyber’s Recommendations: How to Build Resilience into the Rhythm of the Business
1. Make resilience a standing commercial metric
Treat cyber resilience like any other performance indicator. Brief leaders, assign ownership at board level and use the Cyber Governance Code of Practice as your framework. Risk registers should reflect real-world attack paths, not theoretical scenarios. This ensures resilience becomes part of decision-making, not a periodic review.
2. Treat your supply chain like an extension of your business
Cyber Essentials across suppliers is now a baseline expectation. Identify high-impact partners, validate their posture and apply the same scrutiny to your own environment. Supply-chain assurance is one of the fastest ways to stop inherited risk before it crosses your perimeter.
3. Practise pressure
Run tabletop exercises that simulate operational disruption, not just technical failure. Bring legal, comms, HR, marketing and operational leaders together. Test fallback modes and ensure the business can operate even under pressure.
4. Seal the weak points
A structured cyber risk assessment is the fastest path to clarity. Strengthen identity, segmentation, detection and data-recovery controls so that risk cannot move unchecked across systems.
5. Get ahead of regulation
The Cyber Security and Resilience Bill will codify expectations. Align your roadmap now so that compliance becomes a by-product of good discipline, not a last-minute rush.
6. Communicate clearly and consistently
Leadership needs accurate insight. Teams need credible training. Suppliers need transparent expectations. Clear communication reinforces discipline and builds confidence across the ecosystem.
Final Thoughts: Resilience is a Commercial Capability
Nationally significant cyber incidents are now a weekly occurrence, and the pattern is always the same: disruption spreads quickly, operational momentum is lost, and reputations take far longer to repair than systems do. The government’s intervention simply recognises a truth the market has already accepted – resilience is no longer defensive. It’s commercial.
Organisations that treat resilience as a discipline, not an annual audit, will move faster under pressure, protect continuity and maintain customer confidence while others stall. As Paul Cragg notes, “Cyber resilience is not a box to tick before the next audit. It is about being ready when, not if, the worst happens.”
The Cyber Security and Resilience Bill will formalise what “good” looks like. The ministerial letter is the preview. Expectation is about to become obligation.
NormCyber helps organisations shift from compliance-driven activity to continuous, 24/7 resilience. If you would like a complimentary consultation with one of our experts, you can book one with us.