The British government’s much-delayed Cyber Security and Resilience Bill (CSRB) has been delayed again, according to sources with knowledge of the parliamentary schedule.

It is the latest in a series of hindrances for the update of Britain’s cybersecurity regulations despite the main provisions being finalized three years ago, potentially contributing to further disruptive attacks.

After prematurely describing the laws as “updated” in 2022, the Sunak government failed to actually timetable the introduction of its own bill to Parliament. The Starmer government’s largely identical law was set to be introduced on Wednesday to the House of Commons, but has been put on hold amid a cabinet reshuffle of senior and junior ministers. No new date for introducing the bill has been set.

It comes amid a series of high-profile cyberattacks causing disruption to British companies. Most recently production has been halted at Jaguar Land Rover, one of the British economy’s most significant manufacturers, prompting one expert to warn the attack was “more than a company outage — it’s an economic security incident.”

Similar disruptions this year have also impacted retailers including Marks & Spencer and the Co-op, leading to empty grocery shelves at stores across the country. Four individuals living in the United Kingdom were arrested in connection with those attacks earlier this year, and later released on bail.

While these three companies would not have been directly affected by the provisions of the CSRB — which focuses on critical infrastructure and essential digital services — all three are customers of Tata Consultancy Services (TCS) which has been investigated as a potential vector for the M&S attack, and which would have been covered under the legislation as a managed service provider (MSP).

TCS previously said it was looking into reports its support staff had been socially engineered to provide cybercriminals with initial access to M&S systems. The company subsequently denied its systems or users were “compromised,” although it has not responded to repeated requests for clarification about whether its services played a role in the attack.

Back in 2022, the British government warned that MSPs — businesses paid to manage IT infrastructure and provide support, often to smaller businesses that don't have a designated IT department — are “an attractive and high value target for malicious threat actors.”

Under the existing cybersecurity rules, known as the NIS Regulations, service providers are required to manage organizational risk, including human factors, to their network and information systems — with the regulation focusing on the impact of any attack to the service being provided.

“It’s unknowable whether or not quicker regulation of managed service providers would have prevented these breaches. What is clear is that there is a mismatch in our regulatory posture,” said Ciaran Martin, the founding chief executive of the National Cyber Security Centre and now a professor at the University of Oxford.

“NIS-style regulation is essential for critical services. But we need to look beyond that. I am beginning to think that at some point we’re going to have to break a taboo and say out loud that the protection of a lot of relatively trivial personal data is over-regulated, and that service continuity is deprioritised as a result,” added Martin.

“That might not be a matter of legislation: maybe corporate governance rules or shareholder action or the market can fix it. But right now our economic security looks more threatened by disruptive attacks than by data breaches but our policy framework hasn’t caught up with that yet,” he said.

A government spokesperson declined to comment on the delay.

Speaking to Parliament on Tuesday, the minister for business Chris Bryant said the CSRB would be introduced “soon,” adding: “I think I can get away with that with the Chief Whip and the Leader of the House, although, in the words of Humpty Dumpty, when I use a word it means precisely what I choose it to mean, no more and certainly no less.”

Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.