UK government exempting itself from cyber law inspires little confidence

Gov’s cyber rules are for you, not them—cue online chaos

TLDR: The UK’s cyber bill skips government bodies, promising a non-binding “Action Plan” instead. Commenters blasted the double standard, debating constitutional checks and past power plays, and demanding real legal accountability since public services are frequent cyber targets and trust is on the line.

The UK’s new Cyber Security and Resilience (CSR) Bill sets tough rules for tech firms and data centers—but leaves central and local government out. Cue the internet’s collective spit-take. Critics say it’s classic “rules for thee, not for me” energy, especially after recent hacks on the Legal Aid Agency and Foreign Office. Former digital secretary Oliver Dowden wants ministers legally bound to take cyber seriously; the government waved a vibes-based “Cyber Action Plan” instead—same standards, no teeth.

Lawyer Neil Brown called that logic nonsense: if government will follow the rules anyway, why not just include itself? Meanwhile commenters went full constitutional cosplay: one camp insists the King’s role is ceremonial and the system has checks, dropping receipts like the Bill of Rights and the Supreme Court slapping down Boris’s prorogation. Others say those checks don’t help when ministers quietly sideline cyber.

Hot takes flew: some framed it as UK exceptionalism; others joked the CSR stands for “Cyber Standards for the Rest.” Memes landed hard—“Gov patches coming soon (terms apply),” and “EU’s NIS2? Britain’s got NIS2-later.” The mood: sharp skepticism, with a side of constitutional pedantry and peak British sarcasm.

Key Points

  • UK public-sector cyber incidents are increasing, with NCSC reporting 40% of managed attacks (Sep 2020–Aug 2021) targeting the public sector.
  • The proposed CSR Bill updates NIS 2018 rules but excludes central and local government while bringing managed service providers and datacenters into scope.
  • Sir Oliver Dowden urged the government to include public authorities in the CSR Bill to ensure ministerial accountability for cybersecurity.
  • Ian Murray cited the Government Cyber Action Plan as a way to hold departments to equivalent standards, though it imposes no legal obligations.
  • Legal and parliamentary voices, including Neil Brown and Matt Western, questioned the exclusion and indicated more national security legislation may follow.

Hottest takes

"Why is the UK so authoritarian on cyber security?" — ambicapter
"everyone knew that the Queen was powerless to reject his request" — afandian
"There very literally is a bill of rights" — foldr