Government Cybersecurity Legislation and Resilience Initiatives
Governments in the US, UK, and EU are advancing major legislative and regulatory efforts to strengthen cybersecurity and resilience across critical sectors and software supply chains. The European Union’s Cyber Resilience Act (CRA) introduces requirements for software and connected product vendors to embed security from the design phase, manage vulnerabilities throughout the product lifecycle, and deliver rapid updates, with global implications for SaaS providers and technology companies. In the UK, the new Cyber Security and Resilience Bill aims to overhaul protections for critical national infrastructure, updating the NIS Regulations and addressing the growing threat from nation-state actors, as highlighted by recent disruptive attacks on healthcare and other essential services.
In the United States, Congress has reauthorized the Cybersecurity Information Sharing Act (CISA 2015) through early 2026, restoring liability protections for organizations sharing threat intelligence with the federal government and sector-specific communities. However, the Cybersecurity and Infrastructure Security Agency (CISA) faces significant staffing shortages and capability gaps, prompting calls for increased funding and new strategies to address escalating cyber threats. Collectively, these legislative and regulatory actions reflect a global trend toward more robust, proactive, and coordinated approaches to cyber resilience and critical infrastructure protection.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
UK introduced Cyber Security and Resilience Bill
The UK government introduced a new Cyber Security and Resilience Bill to strengthen protections for critical national infrastructure, require rapid incident reporting, and impose stricter security obligations on suppliers and service providers.
Leaked memo revealed major staffing gaps at CISA
A leaked memo from acting director Madhu Gottumukkala said CISA had a 40% vacancy rate in key mission areas, undermining its ability to support national security priorities.
CISA 2015 reauthorized through January 30, 2026
The U.S. Congress reauthorized the Cybersecurity Information Sharing Act of 2015 on a short-term basis, restoring liability protections for cyber threat data sharing through January 30, 2026.
Synnovis hack highlighted risks to UK critical infrastructure
A high-profile cyberattack on Synnovis in 2024 was cited as a recent example of the threat facing UK critical national infrastructure and a driver for stronger regulation.
UK NIS Regulations 2018 took effect
The UK established the Network and Information Systems Regulations 2018 as the baseline cyber regulatory framework later targeted for update by new resilience legislation.
Cybersecurity Information Sharing Act of 2015 originally enacted
The U.S. enacted the Cybersecurity Information Sharing Act of 2015, establishing liability protections for organizations that share cyber threat information with the government and ISAO/ISAC communities.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
The Cyber Resilience Act and SaaS: Why Compliance is Only Half the Battle
securityboulevard.com
Open sourceUK’s New Cyber Security and Resilience Bill: What Does It Mean For Critical Infrastructure Organisations?
blog.knowbe4.com
Open sourceNote to Congress: we needed to fund cyber yesterday
scworld.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Legislative Efforts to Strengthen Cybersecurity Regulations for Critical Infrastructure
Lawmakers in both the United States and the United Kingdom are advancing significant legislative measures aimed at bolstering cybersecurity protections for critical infrastructure and regulatory agencies. In the US, a bipartisan bill known as the SEC Data Protection Act of 2025 has been reintroduced to require the Securities and Exchange Commission (SEC) to modernize its cybersecurity protocols, implement uniform data protection policies, and align with federal and NIST best practices. The bill is a response to increasing cyberattacks on government agencies and concerns over outdated security frameworks, with the goal of ensuring the SEC can effectively prevent, detect, and respond to cyber threats while maintaining public trust in the financial system. Meanwhile, the UK government has introduced the Cyber Security and Resilience Bill to Parliament, marking a fundamental shift in the country's approach to protecting critical infrastructure. The bill addresses gaps exposed by recent high-profile breaches and brings managed service providers under regulatory oversight for the first time. It introduces eight major changes to enhance digital defenses and resilience, reflecting the evolving threat landscape and the need for updated regulations beyond the existing NIS framework. Both legislative efforts underscore a growing recognition of the need for robust, modern cybersecurity standards to safeguard sensitive information and essential services against increasingly sophisticated cyber threats.
Mar 21, 2026
UK Cyber Security and Resilience Bill Expands Critical Infrastructure Protections
The UK government has introduced the Cyber Security and Resilience (CSR) Bill to Parliament, representing a major update to national cybersecurity legislation. The bill expands the scope of regulated entities to include datacenters and managed service providers (MSPs), in addition to existing coverage of operators of essential services such as healthcare, energy, transport, water, and digital service providers. The legislation aims to ensure these sectors meet robust cybersecurity standards, with new rules also extending to organizations overseeing smart appliances like electric vehicle charging points and smart heating systems. The CSR Bill grants ministers emergency powers to intervene during major cyber incidents and imposes stricter compliance requirements, including mandatory reporting of significant cyber incidents within 24 hours. Non-compliant organizations face substantial penalties, including daily fines up to £100,000 or turnover-based penalties, marking a shift toward enforcement that scales with organizational impact. The bill is expected to receive Royal Assent in 2026 and is positioned as a key component of the UK’s strategy to strengthen national resilience and protect critical infrastructure from evolving cyber threats.
Mar 21, 2026
US Cybersecurity Policy and Preparedness Efforts for Critical Infrastructure and Government Networks
U.S. lawmakers and agencies are advancing multiple efforts to sustain and strengthen cybersecurity capabilities, with some federal authorities at risk of lapsing if Congress fails to avert a government shutdown. Nextgov/FCW reported that the **Cybersecurity Information Sharing Act of 2015**—which provides liability protections to enable private-sector sharing of threat intelligence with the government—and the **National Cybersecurity Protection System** (a federal civilian network intrusion-detection and prevention capability) were both tied to Department of Homeland Security funding legislation and faced imminent expiration absent reauthorization. The same DHS legislative vehicle was also described as key to reauthorizing the **State and Local Cybersecurity Grant Program**, which has provided **$1B** to improve cybersecurity at state and local entities. In parallel, Congress is considering sector-specific measures to improve resilience in energy and utility environments, while the Department of Energy continues operational readiness exercises. Nextgov/FCW highlighted proposed legislation including the **Pipeline Cybersecurity Preparedness Act** (DOE-led programs to improve pipeline/LNG cybersecurity, information sharing, and incident response coordination) and the **Rural and Municipal Utility Cybersecurity Act** (expanding grant and technical assistance for smaller utilities, with **$250M** proposed for FY2026–2030 and protections for sensitive shared cyber information). Separately, Industrial Cyber reported on DOE’s annual **Liberty Eclipse** exercise on Plum Island, which uses an isolated grid environment to train utilities and partners to detect, respond to, and recover from simulated attacks including **ransomware** and stealthy compromise scenarios spanning IT/OT and real-time operations teams.
Mar 21, 2026