The UK government introduced the Cyber Security and Resilience Bill to Parliament this week. It’s designed to stop attacks like the Synnovis ransomware incident in June 2024, which cancelled 11,000 NHS appointments in London and contributed to at least one patient death.
Which is all very commendable, except this bill has been in development since at least 2022. It was announced in the King’s Speech back in July 2024. The details were published in April 2025. And it won’t actually come into force until 2027.
So we’ve got a roughly five-year gap between “we should probably do something about this” and “organisations must actually comply with these rules.” During which time: patient death. Ministry of Defence payroll breach. Jaguar Land Rover shutdown. Synnovis is still contacting NHS trusts about stolen patient data right now.
The core problem the bill addresses is actually sensible: you’re only as secure as your suppliers. The NHS doesn’t typically get hacked directly—attackers go after the pathology labs, the IT helpdesks, the managed service providers who have the keys to everything. These suppliers have been operating in a regulatory void while holding patient records, diagnostic systems, and critical infrastructure access.
The bill brings about 1,000 of these providers into scope for the first time. They’ll need to meet minimum security standards, report incidents within 24 hours, and face fines up to £100k per day or 10% of turnover (whichever is higher) if they don’t. Regulators get new powers. The Technology Secretary can issue emergency orders to isolate high-risk systems during national security threats.
All good. All necessary. All arriving after the stable door is swinging open and the horses are halfway to the next county.
Liz Kendall says this will mean “fewer cancelled NHS appointments”—which feels wildly optimistic given that cancelled appointments are currently caused by understaffing, underfunding, and a health service held together with goodwill and overtime. But sure, let’s add “not because of ransomware” to the list of reasons your procedure might actually happen.
The real question is whether organisations will treat this as genuine security improvement or just another compliance checkbox to game. Because if there’s one thing the British public sector excels at, it’s producing documentation that proves you’ve technically met the requirements while the underlying problems remain untouched.
We’ll find out in 2027.