Thought Leadership: UK Cyber Security Policy and Regulation

Published: 24 March 2026 by Daniel Mitchell

Yesterday I attended “Next Steps for Cyber Security Policy and Regulation in the UK” hosted by the Westminster eForum.

Against the backdrop of the Cyber Security and Resilience (Network and Information Systems) Bill, in Report Stage in the Commons at the time of writing, the first session, chaired by Rt Hon Baroness Neville-Jones, focused on the UK’s cyber resilience landscape and board-level governance.

The second half, chaired by Cliodhna Potter of KPMG, widened the discussion to cyber growth, industrial strategy, skills, SMEs and practical resilience across the wider economy.

Across contributions from government-facing advisers, legal and regulatory specialists, industry leaders and academic experts, one message came through clearly for me. There is broad support for stronger cyber resilience, but real questions remain over whether the Bill’s scope, proportionality and implementation model reflect how cyber risk now moves through supply chains, shared services and economically important organisations beyond traditional critical infrastructure. (This is something I’ve highlighted previously: https://lifelineit.net/sme-cyber-protection/)

The Cyber Security and Resilience Bill is an attempt to bring UK cyber regulation closer to the way cyber risk now works in practice. As the Westminster eForum agenda made clear, the focus is no longer just on security in the narrow sense. It is on resilience, expanded NIS scope, managed service providers, data centres, critical suppliers, incident reporting and the wider question of how dependent organisations have become on third parties and digital supply chains.

As I listened to the discussion, three questions came to mind and I was pleased to be able to raise these and consider the feedback and panel opinions. If most Managed Service Providers (MSPs) remain exempt, is the Bill missing too much of the supply chain? If resilience is the core aim, how closely does the Bill align with the Government’s Cyber Assessment Framework (CAF 4.0) in practice? And if SMEs are economically important and embedded in supply chains, is descoping them the right answer, or does the UK need a more scalable framework instead?

To me, those three questions captured the real issue running through the event, not just for the organisations I deal with, but for the wider economy. SMEs account for a very large share of the UK’s economic activity and that matters here. It is not just important to consider whether resilience should be strengthened – it should – but whether the Bill’s scope, proportionality and practical model match the structure of modern cyber risk.

With approximately 85-90% of MSPs being exempt from the Bill’s provisions, is the Bill not missing a significant proportion of the supply chain?

This question goes to the heart of what the Bill says it is trying to do. If the policy aim is greater resilience across modern digital supply chains, then scope matters. MSPs with turnover below €10m and fewer than 50 staff are exempt. The conference made clear that government is trying to respond to a world in which organisations depend far more heavily on managed providers, cloud platforms and other external digital services than they did even a few years ago.

The panel broadly agreed that the Bill is moving in the right direction by giving more weight to resilience and supply chain risk. There was support for the view that the Bill helps correct a longstanding gap by bringing suppliers and digital infrastructure more clearly into view. But there was also a clear note of caution. It was suggested that the Bill may be regulating suppliers rather than truly addressing supply chain context, and there were questions over whether the MSP definition is precise enough to give businesses real certainty.

A wider concern was also recognised: even with these changes, the UK still risks leaving too much of the supply chain, and too much of the economy, outside any framework at all.

There has been only brief mention of CAF (Cyber Assessment Framework) so far. How aligned does the panel feel CAF is with the Bill?

This matters because if the Bill is meant to strengthen resilience in practice, organisations need a credible route from policy into action. CAF is relevant here because it is already one of the clearest resilience-based ways of thinking about cyber, especially around preparedness, recovery and governance.

The discussion suggested broad alignment in principle, but not much detailed treatment. The clearest link made was that CAF starts from the assumption that incidents will happen and that organisations need to be able to recover from them. That sits very comfortably with the Bill’s emphasis on resilience rather than prevention alone. In opening remarks it was pointed out that a focus on planning, business continuity and reducing the impact of incidents when they occur was key. A more cautious note was that frameworks and codes only help if organisations can actually navigate them. So the issue did not seem to be conflict between CAF and the Bill. It was whether the wider framework is clear enough, usable enough and realistic enough for organisations to act on with confidence.

Is there a concern in descoping SMEs rather than building a more scalable framework given their significance in supply chains and contribution economically?

This is one of the sharpest policy questions of the three for me, because it tests whether the Bill is proportionate in the right way. There was clear recognition throughout the conference that smaller and mid-sized firms can still be operationally important, deeply embedded in supply chains and capable of causing serious disruption when they fail, even if they are not formally classed as critical infrastructure.

The response from the panel was nuanced. There was little appetite for simply extending heavy regulation to every SME. The balance was described as a difficult one because too much burden would cut across growth and innovation, while too little leaves important parts of the economy exposed. It was argued that what is needed is support that is understandable, affordable and proportionate, not enterprise-grade obligations pushed down onto smaller firms. That point was reinforced by wider comments about the commercial pressure SMEs are under and the need for simple, practical controls rather than complexity. The deeper strategic point may be that the real gap sits in the middle: firms that are not small, not Critical National Infrastructure (CNI), but still economically significant and digitally exposed. That is where the case for a more scalable framework becomes strongest.

Conclusion

Taken together, these three questions leave me with a broader concern about how the Bill understands the real shape of the UK cyber economy. What I heard across the conference was strong support for better resilience, clearer governance and a more serious approach to supply chain risk. But I was less convinced that the Bill, at least as discussed on the day, fully reflects the role SMEs now play within that picture, not only as smaller firms needing proportionate treatment, but as MSPs, specialist suppliers and embedded partners within larger delivery chains. Many of these businesses may sit outside traditional critical infrastructure categories, but they are still part of the operational fabric on which larger organisations depend.

For me, that is the real question. It is not simply whether SMEs should face heavier regulation; it is whether the Bill shows a deep enough understanding of their significance within modern supply chains to improve resilience in a meaningful and practical way. Simply exempting them from regulation despite that significance does not feel like the answer.

Note: Individual panelists have not been named in this article. This article represents the views of the author and not necessarily those of all panelists and other delegates.