The UK Government published its Resilience Framework on 19 December 2022.

This step recognises that crises are likely to be greater than we have been used to in both frequency and scale in the next decade, given what the government describes as “an increasingly volatile world, defined by geopolitical and geoeconomic shifts, rapid technological change and a changing climate.”

The Framework is a risk-agnostic plan to strengthen the systems, structures and capabilities which underpin the UK’s resilience to all risks, including those which are yet to emerge. It is the first articulation of how the UK Government will deliver on a new strategic approach to resilience.

One of the three core principles of the Framework is a stronger emphasis on prevention and preparation for risks, whilst recognising the continuing need for careful and effective management of emergencies as they occur.

The two other core principles are “a developed and shared understanding of civil contingencies risks” and that building resilience is a “whole of society endeavour”.

The Framework dovetails with the UK’s National Cyber Strategy published last year, aimed at improving understanding of cyber risk, being able to prevent and resist cyber attacks more effectively and strengthen our ability to prepare for, respond to and recover from cyber attacks.

Standards and regulation

Critical National Infrastructure is already subject to regulation on resilience with regards to business continuity and security. The UK has the Security of Network & Information Systems Regulations 2018 (NIS Regulations), based upon the NIS Directive 2016/1148/EC – and confirmed in early December 2022 that it would update these as they apply to the UK, following the European Council’s formal adoption of NIS2 in November 2022.[1]

In addition, the National Infrastructure Commission has recommended that the UK Government should publish a set of standards for energy, water, digital, road and rail services, to be reviewed and updated every five years.

Also, in the private sector the UK Government will introduce non-statutory standards on resilience where these do not already exist, to give a clear benchmark on what “good” looks like for resilience. The government states that these standards will be “adjusted to take into account the unique sector landscapes, priorities, needs, and interlinkages with other sectors, to ensure that expectations are appropriate and not overly burdensome or disproportionate to the benefits they can deliver.”

In the highest priority sectors that are not already regulated, and for the highest priority risks, the UK Government will consider enforcing standards through regulation.

[1] The NIS 2 Directive will be published in the Official Journal of the European Union shortly, and will enter into force on the twentieth day following this publication. Member states must incorporate the provisions of the NIS 2 Directive into national law within 21 months of the entry into force of the Directive.

Key contacts

Andrew Moir
Global Head of Cyber & Data Security, London
+44 20 7466 2773
Kate Macmillan
Cyber Risk Advisory Lead (UK, US & EMEA), London
+44 20 7466 3737