
The Cyber Security & Resilience Act: How to avoid rip and replace in legacy systems


By Shannon Simpson, CEO, Cyro Cyber

The Cyber Security & Resilience Act (CSR) is making its way through Parliament in 2026. Once it is in force, assurance alone will no longer be enough. For too long cyber security has been an underfunded, poorly supported, tick-box measure. The arrival of the CSR Act will change this, especially as it comes weaponised by the enforced use of the new Cyber Assessment Framework (CAF), overseen by the National Cyber Security Centre (NCSC). Each regulator, or Oversight Body, will also have its own enhanced CAF (eCAF).

For critical national infrastructure and essential services, securing a network has unique challenges. Their systems have often been built up over many years and, in the case of operational technology (OT), there was never any expectation that it would need to sit alongside critical information technology. As a result, these systems are often unable to receive patches, are deeply integrated with critical processes and must remain operational 24/7.

These services can’t just be shut down, so we recommend layering modern security controls around the legacy kit. This approach avoids rip and replace and prepares for evolving threats. Here are some steps to take towards securing your critical network:

Start where you are

The best way to build resilience is to properly implement what you already have. It’s not that government organisations don’t invest in cyber resilience; it’s that the implementation often wanes. Before spending on expensive new tools, configure the current systems correctly and bring them up to date. This will put you in a better place to plan what needs doing next.

Establish good governance

The Cyber Assessment Framework supports clear, experienced governance. The NCSC says:

‘Effective security of network and information systems should be driven by organisational management and corresponding policies and practices. There should be clear governance structures in place with well-defined lines of responsibility and accountability for the security of network and information systems’1.

Good governance needs to extend throughout the team, with training that works. Credential misuse is an easy way for attackers to get into a system and, once they are in, to move laterally, exfiltrating data as they go. This form of attack was seen against councils in 2025.

We are not great advocates of the repeated tests some users have to take. Training needs to be interactive and preventative: it should stop users in the moment and redirect them to a test or explanation before they can continue. This method ingrains security procedures across the organisation.

Support the full lifecycle

Part of the responsibility for short-termism lies with vendors. In a legacy system, the original vendor may no longer support the product. We would like to see pressure on vendors to provide ongoing support for legacy systems in government organisations. This would reduce the huge costs of technology end-of-life upgrades. Proper vendor support will help to manage ongoing changes, and costs, in the cyber risk environment.

Implement zero trust

A resilient system should be built on core zero trust principles: every user and device must verify itself explicitly, access is limited to just enough for the task, and the reach of any single network segment is minimised. Attacks on councils in 2025 have come via unauthorised access to outdated legacy systems. In our work, we’ve seen networks where none of the nodes are monitored and no alerts are sent, for example.

Organisations can improve resilience and create an evidence trail by implementing zero trust methods. Instead of believing that everything behind the corporate firewall is safe, a zero trust model assumes breach and demands verification of every request.

There’s also the new challenge of OT: dumb endpoints. For example, cameras that monitor roads, rail and underground services are being digitalised. Traditionally this has been legacy technology on isolated networks. Now OT is increasingly on the same network as the critical systems, but without the accompanying security measures. OT needs segmenting and the principles of zero trust applying. Locking down communication between systems and enforcing least-privilege access reduces the attack surface and limits who can interact with critical components.
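The following is an added example, not code from the article or from Cyro Cyber, showing what the principles above look like as a policy decision rather than a slogan: a small zero trust engine that verifies each request explicitly (credential, MFA and managed device for people), applies segmentation as a default-deny flow allowlist so a camera segment can reach the video servers and nothing else, enforces least privilege per role, and writes every decision to an audit log, which is the evidence trail the previous paragraphs mention. The segment names, roles, services and requests are all constructed for illustration and are assumptions, not a description of any real network.

```python
"""Zero trust access decisions for a mixed IT/OT network (added example)."""
from collections import Counter
from dataclasses import dataclass

# Constructed flow allowlist (assumption, not a real network): each
# (source segment, destination segment, service) maps to the roles allowed
# to use it. Anything not listed is denied, so an OT camera can stream to
# the video servers but cannot reach the corporate LAN at all.
ALLOWED_FLOWS = {
    ("ot-cameras", "video-servers", "rtsp"): {"camera"},
    ("ot-plc", "historian", "opc-ua"): {"plc"},
    ("corp-lan", "historian", "https"): {"ot-engineer", "ot-admin"},
    ("corp-lan", "ot-plc", "ssh"): {"ot-admin"},
}


@dataclass
class Principal:
    name: str
    role: str
    segment: str
    authenticated: bool = False    # credential (password or device cert) accepted
    mfa: bool = False              # second factor completed; people only
    managed_device: bool = False   # enrolled and patched per policy; people only
    is_device: bool = False        # an OT endpoint such as a camera or PLC


@dataclass
class Request:
    principal: Principal
    dst_segment: str
    service: str
    action: str                    # "read" or "write"


@dataclass
class Decision:
    allowed: bool
    reason: str


# Evidence trail: every decision is recorded, allowed or denied.
AUDIT_LOG: list[dict] = []


def _record(req: Request, allowed: bool, reason: str) -> Decision:
    AUDIT_LOG.append({
        "who": req.principal.name, "from": req.principal.segment,
        "to": req.dst_segment, "service": req.service,
        "action": req.action, "allowed": allowed, "reason": reason,
    })
    return Decision(allowed, reason)


def decide(req: Request) -> Decision:
    """Evaluate one request; the first failing check becomes the reason."""
    p = req.principal
    # Verify explicitly: being on the network grants nothing by itself.
    if not p.authenticated:
        return _record(req, False, "not authenticated")
    if not p.is_device and not p.mfa:
        return _record(req, False, "mfa required")
    if not p.is_device and not p.managed_device:
        return _record(req, False, "unmanaged device")
    # Segmentation: default deny, only allowlisted flows pass.
    roles = ALLOWED_FLOWS.get((p.segment, req.dst_segment, req.service))
    if roles is None:
        return _record(req, False, "no allowed flow")
    # Least privilege: the flow must be permitted for this role.
    if p.role not in roles:
        return _record(req, False, "role not permitted")
    # Just-enough access: only ot-admin may write into an OT segment.
    if req.action == "write" and req.dst_segment.startswith("ot-") and p.role != "ot-admin":
        return _record(req, False, "write to OT requires ot-admin")
    return _record(req, True, "allowed")


def denial_summary() -> Counter:
    """Counts denials by reason: the kind of evidence an assessor asks for."""
    return Counter(e["reason"] for e in AUDIT_LOG if not e["allowed"])


if __name__ == "__main__":
    # Constructed requests: an engineer reading the historian, a camera
    # streaming, a compromised camera trying to pivot, and an engineer
    # attempting an admin-only SSH session to a PLC.
    eng = Principal("alice", "ot-engineer", "corp-lan", True, True, True)
    cam = Principal("cam-017", "camera", "ot-cameras", True, is_device=True)
    for req in [
        Request(eng, "historian", "https", "read"),
        Request(cam, "video-servers", "rtsp", "write"),
        Request(cam, "corp-lan", "smb", "read"),
        Request(eng, "ot-plc", "ssh", "write"),
    ]:
        d = decide(req)
        print(f"{req.principal.name} -> {req.dst_segment}/{req.service}: "
              f"{'ALLOW' if d.allowed else 'DENY'} ({d.reason})")
    print(denial_summary())
```

The order of checks matters: identity and device posture are tested before any flow lookup, so an unauthenticated request from inside the corporate LAN is refused for that reason rather than being let through because its source address happens to be trusted. Feeding the audit log to a SIEM (or simply retaining it) gives the monitored, alerting nodes the paragraph above says are so often missing.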

Plan for evidence

The CSR Act will require evidence that your security procedures work in practice. We’ve identified some processes to help with this.

· Create a Senior Information Risk Owner position at Board level, with responsibility for security. This is a good way to ensure that difficult conversations don’t get watered down at a senior level. The SIRO can also lead a security working group, which should include those with expertise and responsibility for security, not just those who procure it.

· Use the existing compliance regimes to accelerate CAF adoption. Review what’s missing and how you can meet the requirements.

· Identify a breach back-up team and the technology it uses. If or when a breach happens, what do you do? What happens if the SOC is lost or your primary cloud provider goes down? Does everyone know what their role is?

· Start a testing programme for the systems and controls you have. Record this and monitor change. This should include a schedule for Cyber Incident Exercises (CIE). Identify who’s involved.

The best time to start with cyber security is always yesterday. But whatever stage you’re at, now is the moment to review your cyber security. Now that the CAF will mandate certain processes, it’s definitely time to show evidence of your network’s resilience.

Join us at CNI SEC – The Critical Summit for Critical Infrastructure

Thursday 29 January 2026

CNI Sec is an invitation-only gathering of the UK’s most senior cyber leaders in critical national infrastructure. This exclusive forum is designed to drive action, turning complex regulation into workable strategies, securing legacy and OT systems, managing supply chain risk, and staying ahead of the most sophisticated threats.

