The UK government introduced the Cyber Security and Resilience Bill to Parliament this week. It’s designed to stop attacks like the Synnovis ransomware incident in June 2024, which forced the cancellation of 11,000 NHS appointments in London and contributed to at least one patient death.
Which is all very commendable, except this bill has been in development since at least 2022. It was announced in the King’s Speech back in July 2024. The details were published in April 2025. And it won’t actually come into force until 2027.
So we’ve got a roughly five-year gap between “we should probably do something about this” and “organisations must actually comply with these rules.” During which time: patient death. Ministry of Defence payroll breach. Jaguar Land Rover shutdown. Synnovis is still contacting NHS trusts about stolen patient data right now.
