The Rejection of Clause 16: Why Cyber Oversight Remains a Boardroom Imperative 

March 25, 2026
In a significant development concerning the Cyber Security and Resilience (Network and Information Systems) Bill, Members of Parliament recently voted against the proposed Clause 16. This clause sought to introduce mandatory legislative requirements for board-level oversight of cybersecurity and resilience strategies. Its rejection constitutes a recalibration in how the government views the balance between regulation and operational autonomy.

What happened?  

The Cyber Security and Resilience Bill was introduced to update the UK’s framework for critical digital infrastructure. Clause 16 was designed to place direct statutory accountability on boards to oversee network and information security. 

However, during Parliamentary debate, MPs rejected this clause. Arguments against it cited concerns over potential legal ambiguities and the risk of placing an undue operational burden on non-executive directors, potentially blurring the lines between governance and executive management. 

Importantly, the rejection related to how oversight would be legislated, not whether boards should oversee cyber risk.


What this means for your Board  

The legislative rejection is not a signal to de-prioritise cybersecurity. While the statutory mandate for specific oversight via Clause 16 has been removed, fiduciary and strategic responsibilities remain. 

In 2026, the threat landscape remains volatile. Investors, regulators, and insurers continue to view cybersecurity as a critical ESG and governance metric. A board that lacks appropriate visibility over cyber resilience risks falling short of expected standards of care, regardless of the Act’s specific wording. 

These expectations already exist within directors’ duties under the Companies Act 2006, particularly the duty to exercise reasonable care, skill and diligence and to promote the long-term success of the company.


A Missed Legislative Moment, not a Mandate for Inaction 

Parliament’s decision should not be interpreted as a relaxation of expectations. Instead, it reinforces the need for boards to demonstrate strong governance voluntarily.  

The operational, financial, and reputational implications of cyber incidents continue to intensify, requiring proactive oversight.


What the Cyber Governance Code Means for Boards 

The UK’s Cyber Governance Code sets out clear expectations around: 

  • Assigning responsibility for cyber risk at senior levels 
  • Ensuring cyber risk is built into organisational strategy 
  • Maintaining effective reporting structures and escalation routes 
  • Understanding threats and resilience capabilities 
  • Developing a culture of cyber awareness


These expectations exist regardless of the legislative outcome and continue to shape how good governance is assessed across the UK’s corporate landscape.


Boards and NEDs remain accountable for overseeing the long-term resilience of their organisations.


The Bridgehouse Perspective: Governance beyond Compliance  

Boards that fail to treat cyber resilience as a core governance issue leave their organisations exposed to the following risks after an incident: 

  • Legal & regulatory liability: Particularly under UK GDPR. 
  • Operational disruption: Impacting continuity and service delivery. 
  • Reputational damage: Eroding stakeholder trust. 
  • Financial impact: Including penalties and remediation costs.


Good governance ensures the long-term sustainability of the organisation rather than simply satisfying regulatory checklists.


The removal of Clause 16 places the onus back on organisations to self-regulate effectively. This requires: 

  • Clear Reporting Lines: Ensuring CISOs have a direct line to the board.
  • Competency: Ensuring the board has the requisite skills or advisory support to challenge cyber strategies effectively.
  • Governance Frameworks: Embedding cyber risk into the corporate risk register, treated with the same severity as financial risk.


Effective boards mitigate cyber risk not by managing incidents directly, but by ensuring accountability, evidence-based reporting, and regular testing of resilience and response arrangements.


The parliamentary vote highlights a gap between legal requirements and modern governance demands. High-performing boards will use this moment to strengthen oversight rather than relax it.


Key steps for boards and NEDs include: 

  • Ensuring cyber risk is a standing board agenda item 
  • Understanding cyber maturity, rather than relying on verbal assurances 
  • Challenging management on resilience, response planning and testing 
  • Ensuring information flows support informed oversight 
  • Investing in training to build board-level cyber literacy


Proactive engagement today is consistently more effective than reactive action.


How Bridgehouse Can Support Your Cyber Governance 

Ensure your governance structures are robust enough to withstand scrutiny and cyber-attacks without waiting for legislation to force the issue. 

Bridgehouse supports Boards in designing governance frameworks that are resilient, compliant, and fit for the future.


Governance Reviews 

We provide independent assessments of your governance structures, including cyber oversight, reporting lines, and board engagement. These reviews identify gaps, strengthen accountability, and support robust decision-making.


Conclusion: Responsibility Has Not Been Voted Down 

MPs may have rejected the move to legislate board-level cyber oversight, but the expectations placed on boards have not diminished. Most importantly, the risks have not diminished. 

It is vital for boards to remain diligent and committed to proactive governance, which is more critical now than ever.


Contact the Bridgehouse team today to discuss how we can support your organisation’s cyber governance and board training needs by emailing us at services@bridgehousecs.co.uk 

Get in touch

We would be pleased to answer any queries or have an informal chat to discuss your possible governance needs.