Beyond Cyber: Why the CSBR Bill Must Address the Digital Built Environment to Protect the UK’s Critical Infrastructure

Digital Forensics Magazine – Research & Policy Briefing Series


13 November 2025


Context and Purpose of the CSBR Bill

The Cyber Security and Resilience (Network and Information Systems) Bill represents the most significant update to the UK’s digital-infrastructure regulatory landscape since the original NIS Regulations of 2018. Its objective is ambitious: broaden the definition of essential digital services, expand regulatory oversight, accelerate incident reporting, strengthen national-security intervention powers, and bring data centres, managed service providers, cloud infrastructure and critical suppliers firmly into scope. In terms of cyber governance, it is a meaningful step forward. It takes account of digital supply chains, outsourced technology dependencies, and the reality that modern services increasingly rely on cloud and platform infrastructure rather than traditional on-premises systems.

Yet while the Bill excels at modernising the cyber dimension of resilience, it does not yet reflect the operational reality of how critical infrastructure functions today. The UK’s essential services—utilities, ports, transport operators, energy networks, healthcare environments and many large data-centre estates—do not operate as isolated digital networks. They operate as “integrated cyber-physical ecosystems”, where power, cooling, industrial control systems, building services, automation platforms, digital-engineering data, protective security, and safety-critical systems are every bit as important as firewalls, monitoring tools or incident-response plans. A disruption in any of these physical or engineering layers can generate an outage that is operationally identical to a major cyber incident—sometimes with national-level consequences.

The Bill does not make this integration explicit. It focuses on network and information-system resilience but leaves the broader physical and engineered built environment implicitly assumed rather than clearly addressed. While its language requires organisations to take “appropriate and proportionate” measures, it offers little guidance on how this should be interpreted for environments where engineering, OT and building systems are inseparable from digital operations. It is here that the CSBR Bill, if interpreted narrowly, risks under-protecting the very infrastructure it seeks to secure.


Why a Cyber-Centric Approach Is Too Narrow

Modern critical infrastructure no longer operates within the neat boundaries assumed by legacy cyber regulations. It exists in a continuum between the physical and the digital. Data centres—now explicitly regulated under CSBR—are a prime example. They are not simply digital facilities; they are engineering-driven environments built on complex layers of building services, electrical systems, cooling plant, fire suppression, physical security and increasingly, operational-technology control systems. Many of the UK’s most important data-centre environments, particularly those operated by utilities or major CNI providers, host SCADA networks, OT command-and-control platforms, generator autostart systems, UPS logic, switchgear automation and BMS networks tied to cooling, ventilation, and environmental monitoring. These are not ancillary assets; they determine whether a data centre remains operational under load or stress.

Yet none of these systems is meaningfully acknowledged in the wording of the Bill. A data centre could satisfy every CAF outcome and every cyber-resilience measure in CSBR while remaining dangerously exposed through its building-services layer. A poorly secured BMS controller, a compromised HVAC interface, an unprotected UPS monitoring system or insecurely held digital-engineering asset information can still trigger a shutdown, equipment damage or a partial loss of service. That many real-world data-centre outages stem from environmental or power failures rather than cyber breaches underlines this gap.

The same pattern applies within utilities and energy networks. Their core operational resilience depends on OT equipment that cannot be easily patched, cannot be taken offline, and often relies on legacy engineering protocols. Grid interfaces, protection relays, pumping stations, safety systems and large mechanical assets are governed by physical engineering constraints rather than digital flexibility. These systems need security, but they require a hybrid approach that joins cyber controls, engineering discipline, safety standards, power-system expertise, and physical-security doctrine. The CSBR framework, as currently drafted, leaves that integration to interpretation rather than explicitly demanding it.

Ports and major logistics hubs introduce even greater complexity. Their operations rely on extensive OT and physical systems: vessel traffic services, terminal operating systems, crane automation, yard-management platforms, sensing and navigation equipment, access-control platforms, fuelling infrastructure, warehouse automation, refrigeration plant, road and rail linkages and emergency systems. Many of these devices sit on networked infrastructure, making them vulnerable not only to cyber intrusion but also to failure modes triggered by engineering faults, physical sabotage, or building-services disruptions. The UK’s own Cyber Security Code of Practice for Ports recognises this, but the CSBR Bill does not reference it. Without explicit alignment, ports risk being assessed purely through a cyber filter rather than as holistic cyber-physical systems whose failure can cause nationwide supply-chain disruptions.

The recurring theme is simple but profound: a cyber-resilience bill cannot meaningfully secure critical infrastructure if it does not explicitly address the “digital built environment” that sustains it. Power architecture, cooling systems, plant and machinery, mechanical and electrical services, OT equipment, digital-engineering models and physical-security structures are all attack surfaces and failure points. They must therefore be considered part of the regulatory regime—whether or not a cyber actor is directly involved.


Operational, Expertise and Professionalisation Implications for CSBR Implementation

For operators of essential services, the CSBR Bill introduces expectations that cannot be met through cyber expertise alone. True resilience demands multi-disciplinary teams spanning cyber security, OT engineering, power and building-services engineering, physical security, digital-engineering governance, and cyber-physical incident response. Few organisations currently possess this integrated capability, and even fewer regulators are staffed to assess it. The Bill therefore places a substantial burden on operators to build a more holistic resilience model—even though the legislation itself stops short of explicitly defining what that model must include.

Data-centre operators will need to treat cooling systems, UPS behaviour, switchgear, generator controls, environmental monitoring, and fire suppression as core elements of resilience. The same applies to digital-built-environment data such as BIM models and digital twins, which increasingly provide adversaries with precise knowledge of plant layout, cable routes, choke points, power distribution and physical vulnerabilities. Without protective governance around these assets, even the strongest cyber defences can be undermined.

Utility providers must integrate OT security with engineering-led risk processes, recognising that cyber-incident reporting rules now sit alongside safety-critical operational realities. Many OT systems cannot be rebooted, patched, or reset without major process implications. Cyber-only controls will not protect a system if its protection relays, PLCs, or substations are physically exposed or embedded in an insecure building-services network. Meeting CSBR expectations requires a fundamental shift towards cyber-physical operational governance.

Port operators must expand resilience planning to include the physical operation of cranes, conveyors, pipelines, rail interfaces, quays, refrigeration, fuelling and navigation systems. A disruption to a crane control system, a failure in a yard-automation platform, a breakdown in vessel traffic services or a compromise in fuelling or power infrastructure can have national supply-chain consequences. These environments require DFIR and cyber-monitoring capabilities that can correlate events across IT, OT and the built environment—whether the cause is cyber or physical.
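As an added illustration of the correlation capability this paragraph calls for (example code written for this briefing, not taken from any operator, regulator, vendor or the Bill itself), the Python below places IT, OT and built-environment events on one timeline and asks, for each environmental alarm, whether a plausible cyber precursor chain exists: a remote-access event, followed by a control change on plant that serves the affected location, followed by the alarm. The log format, the system and asset names, the pipe-delimited sample lines and the plant-to-location dependency map are all constructed for the example; in a real estate the dependency map would be derived from the asset register or digital-engineering model.

```python
"""Cross-domain event correlation for a cyber-physical estate.

Added example (not from the original briefing): join IT, OT/BMS and
built-environment events on one timeline and classify each
environmental alarm by whether a plausible cyber precursor chain
exists. All system names, asset identifiers and log lines are
constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)  # look-back applied to each hop of the chain


@dataclass(frozen=True)
class Event:
    ts: datetime
    domain: str   # "it" (remote/enterprise access), "ot" (control change), "env" (physical alarm)
    source: str   # constructed monitoring system name, e.g. "vpn", "bms", "ups"
    asset: str    # constructed asset or location identifier
    detail: str


def parse_line(line: str) -> Event:
    """Parse one constructed, pipe-delimited line:
    <iso-timestamp>|<domain>|<source>|<asset>|<free text>"""
    ts, domain, source, asset, detail = line.split("|", 4)
    return Event(datetime.fromisoformat(ts), domain, source, asset, detail)


def load_events(text: str) -> list[Event]:
    return sorted((parse_line(l) for l in text.splitlines() if l.strip()),
                  key=lambda e: e.ts)


# Constructed sample telemetry: a vendor account reaches an engineering
# workstation, a cooling setpoint is written on the BMS, and inlet
# temperature then rises in the row that unit serves. Two UPS alarms
# follow with no related control change.
SAMPLE_LOG = """\
2025-11-13T02:14:05|it|vpn|jump-01|login user=vendor-svc src=198.51.100.7
2025-11-13T02:16:40|it|eng-ws|eng-ws-03|rdp session from jump-01 user=vendor-svc
2025-11-13T02:18:02|ot|bms|crah-04|bacnet write present-value setpoint 18C->27C
2025-11-13T02:31:55|env|temp|hall-2-row-c|high inlet temperature 31.5C
2025-11-13T02:33:10|env|ups|ups-b|alarm transfer-to-battery feeder fault
2025-11-13T05:02:00|env|ups|ups-a|alarm battery-temperature-high
"""

# Constructed plant-to-location dependency map (which OT-controlled plant
# serves which monitored location). In practice this comes from the site's
# asset register or digital-engineering model, not from a hard-coded dict.
SERVES: dict[str, set[str]] = {
    "crah-04": {"hall-2-row-c"},
    "crah-05": {"hall-2-row-d"},
}


def correlate(events: list[Event]) -> list[dict]:
    """For each environmental alarm, walk back through the OT and IT
    domains within WINDOW and attach a triage verdict."""
    findings = []
    for env in (e for e in events if e.domain == "env"):
        # Hop 1: control changes on plant that actually serves the alarming location.
        ot_hits = [o for o in events
                   if o.domain == "ot"
                   and env.ts - WINDOW <= o.ts < env.ts
                   and env.asset in SERVES.get(o.asset, set())]
        # Hop 2: remote/enterprise access events preceding those control changes.
        it_hits = [i for i in events
                   if i.domain == "it"
                   and any(o.ts - WINDOW <= i.ts < o.ts for o in ot_hits)]
        if ot_hits and it_hits:
            verdict = "cyber-precursor-chain"       # access -> control change -> alarm
        elif ot_hits:
            verdict = "ot-change-no-remote-access"  # local change, or access not logged
        else:
            verdict = "no-cyber-precursor"          # triage as engineering/power fault first
        findings.append({"alarm": env, "ot": ot_hits, "it": it_hits, "verdict": verdict})
    return findings


def verdicts(text: str = SAMPLE_LOG) -> list[tuple[str, str]]:
    """Convenience entry point: (alarm asset, verdict) for each environmental alarm."""
    return [(f["alarm"].asset, f["verdict"]) for f in correlate(load_events(text))]


if __name__ == "__main__":
    for f in correlate(load_events(SAMPLE_LOG)):
        print(f"{f['alarm'].ts:%H:%M:%S} {f['alarm'].asset:<14} {f['verdict']}")
        for e in f["it"] + f["ot"]:
            print(f"    <- {e.ts:%H:%M:%S} [{e.domain}/{e.source}] {e.asset}: {e.detail}")
```

On the constructed sample, the inlet-temperature alarm in hall 2 row C is tied back to the BACnet setpoint write on crah-04 and to the vendor-svc VPN and RDP sessions that preceded it, while the two UPS alarms, which have no control change on plant serving them, fall out as candidates for an engineering or power fault. That split is the practical meaning of correlating "whether the cause is cyber or physical": the same pipeline hands one alarm to a cyber incident responder and the other to the electrical team, and the dependency map, not just timing, is what keeps unrelated plant from being swept into the same chain.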

All of this raises the question: “where will the expertise come from?” The UK’s current cyber-physical skills base is not large enough to support the scale of uplift CSBR implies. Organisations cannot simply recruit cyber specialists and expect resilience; they need professionals who understand the interactions between structural engineering, building-services behaviour, OT safety systems, protective-security design, digital-engineering governance, and cyber security.

One major, but under-recognised, part of the solution is already emerging through the Register of Security Engineers and Specialists (RSES). Established by the Institution of Civil Engineers in partnership with the National Protective Security Authority, RSES provides a formal competence benchmark for professionals working across physical, personnel and cyber protective-security disciplines. Many of its registrants come from civil, structural, mechanical, electrical and building-services engineering backgrounds and already work on secure-by-design infrastructure for high-risk sites. They are accustomed to multi-disciplinary design, to balancing security with operational constraints, and to embedding physical-digital protective measures into the built environment. These are exactly the skills missing from some operators and regulators facing CSBR-driven uplift.

Importantly, RSES is now in the process of being expanded as part of the Government’s preparations for Martyn’s Law (Protect Duty). The GSA Category within RSES is being developed to provide a formal competence route for Protect Duty security advisers, establishing a nationally recognised pool of specialists with validated expertise in protective security for crowded places and high-risk venues. This provides a clear precedent for how RSES can evolve to support major national security programmes.

The CSBR Bill could benefit from exactly this approach. An expanded and explicitly cyber-physical RSES could provide a nationally recognised, independently validated pool of specialists capable of supporting CSBR implementation, just as the GSA Category within RSES is being expanded to support Martyn’s Law. The most natural home for this expansion sits within the “Digital Built Environment” category already present in RSES, which is specifically intended to address the security of complex infrastructure, buildings, engineered systems and the digital information that underpins them. This category is uniquely positioned to bridge cyber, physical, OT and engineering disciplines because it encompasses practitioners who understand resilience not only as an information-security concept but as a property of the entire built asset. By extending this category to explicitly include cyber-physical system security, OT–BMS integration, digital-engineering governance (including BIM and digital twins), and the security of building-services infrastructure such as power, cooling and life-safety systems, the UK could rapidly establish a professional competence standard aligned with CSBR’s true scope. Leveraging and expanding this existing register is one of the fastest and most efficient ways to strengthen national capability without building new frameworks from scratch.

RSES is not a silver bullet. It cannot replace deep OT engineering or dedicated cyber-security expertise. But it provides an existing, credible, nationally recognised mechanism for addressing one of the most pressing challenges in modern resilience: the shortage of people who understand both the built environment and the security requirements that govern it. Properly expanded and integrated into CSBR practice, it could play a pivotal role in filling the expertise gap.


Conclusions

The CSBR Bill is a necessary and forward-looking evolution of the UK’s cyber-resilience framework. Its expansion of scope, elevation of managed service providers, modernisation of digital-service obligations and strengthening of regulatory enforcement are all timely and essential. But the Bill’s foundations remain heavily cyber-centric, and this creates a risk that the UK will secure the digital veneer of its critical infrastructure while leaving core physical, engineering, and operational layers under-protected. Modern resilience is not a cyber-only challenge; it is a cyber-physical built-environment challenge.

Critical-infrastructure operators—data centres, utilities, ports and other CNI organisations—must therefore interpret the Bill holistically, recognising that “appropriate and proportionate measures” extend beyond information-security controls to the engineering and physical systems that underpin service continuity. Regulators must expand their technical capability and adopt assessment models that reflect the reality of cyber-physical interdependency. Government should produce integrated guidance that bridges NCSC’s cyber authority with NPSA’s physical-security doctrine, OT-security frameworks, and digital-engineering standards.

At the same time, the UK must strengthen its security-professional ecosystem. An expanded and more explicitly cyber-physical RSES, especially through its Digital Built Environment category, could provide a nationally recognised, independently validated pool of specialists capable of supporting CSBR implementation, just as the GSA Category is being expanded to support Martyn’s Law. This would create a coherent professional pathway for practitioners whose competence spans the built environment, engineering assets, operational technologies, and physical-digital security design, filling a critical skills gap in the implementation of the Bill.

DFIR teams, meanwhile, must evolve into multi-disciplinary investigative units capable of handling incidents spanning IT, OT, building systems and physical assets. Only by combining cyber investigation with an understanding of engineering failure modes and built-environment design can they provide the evidence, learning and assurance that CSBR-driven oversight will demand.

If the UK is to build genuine national resilience, the CSBR Bill must become the foundation for a broader cyber-physical regulatory model. Cyber controls are essential, but they are not sufficient. Resilience will come from securing not only networks and information systems, but the buildings, power systems, engineering assets, operational technologies, professional communities, and digital-built-environment data on which modern society depends. The Bill is a vital step, but it is only the beginning of the journey toward protecting the UK’s critical infrastructure in an era where physical and digital threats are inseparable.


References

UK Parliament (2025) Cyber Security and Resilience (Network and Information Systems) Bill 2024–26, Bill 329 (as introduced, 12 November 2025). London: House of Commons. Available at: https://bills.parliament.uk/bills/4035 (Accessed 13 November 2025).

UK Parliament (2025) Cyber Security and Resilience (Network and Information Systems) Bill: Explanatory Notes, Bill 329-EN. London: House of Commons. Available at: https://publications.parliament.uk (Accessed 13 November 2025).

UK Government (2018) The Network and Information Systems Regulations 2018 (S.I. 2018/506). London: The Stationery Office. Available at: https://www.legislation.gov.uk/uksi/2018/506 (Accessed 13 November 2025).

NCSC (2025) Cyber Assessment Framework (CAF). National Cyber Security Centre. Available at: https://www.ncsc.gov.uk/collection/cyber-assessment-framework (Accessed 13 November 2025).

NCSC (2025) Cyber Assessment Framework 4.0. National Cyber Security Centre. Available at: https://www.ncsc.gov.uk/files/NCSC-Cyber-Assessment-Framework-4.0.pdf (Accessed 13 November 2025).

NPSA (2025) Data Centre Security – Key Considerations for Owners. National Protective Security Authority. Available at: https://www.npsa.gov.uk (Accessed 13 November 2025).

NPSA (2022) Data Centre Security: Guidance for Owners and Users. National Protective Security Authority. Available at: https://www.npsa.gov.uk/system-information-security/data-centre-security (Accessed 13 November 2025).

NPSA (2025) The Register of Security Engineers and Specialists (RSES). National Protective Security Authority. Available at: https://www.npsa.gov.uk/about-npsa/who-we-work/register-security-engineers-and-specialists-rses (Accessed 13 November 2025).

Institution of Civil Engineers (ICE) (2022) Infrastructure Security-mindedness. ICE Knowledge Hub. Available at: https://knowledgehub.ice.org.uk/cpd/safety-risk/infrastructure-security-mindedness (Accessed 13 November 2025).


Tags

#Cyber Security, #Critical National Infrastructure, #CSBR Bill, #NIS Regulations, #Digital Built Environment, #Data Centres, #OT Security, #RSES, #Martyn’s Law, #UK Cyber Policy, #DFIR, #Resilience




© TRMedia Ltd. (Trading as – Digital Forensics Magazine) 2025
