What does the UK’s Cyber Resilience Bill really mean for a quantum security future?

The UK government has called for evidence to help shape the legislation, but it is already forcing organisations to think harder about long-term cyber risk

Marc Ambasna-Jones

“On 3 June 2024, a busy Monday morning in south-east London, criminals attacked Synnovis, an organisation that processes blood tests on behalf of our national health service. They did not turn up physically, but logged on to computers thousands of miles away and set off ransomware – malicious software that encrypts files from afar, making them unusable. The attack had a ripple effect across London hospitals. It delayed 11,000 appointments, blood transfusions had to be suspended and the company lost tens of millions of pounds.”

Ian Murray MP was speaking in the UK’s House of Commons on 6 January 2026, during the second reading of the Cyber Security and Resilience Bill. It was a clear attempt to ground the legislation in lived consequences rather than abstract threats: cyber risk as something that disrupts hospitals, delays treatment and costs real money.

For all its focus on immediate and visible harms, the Bill is striking for what it does not mention. There is no reference to quantum computing, post-quantum cryptography or future cryptographic threats. Instead, the legislation takes a different approach. It reframes cyber security away from single incidents and towards the question of whether organisations can remain secure over time. It is that shift, rather than any named technology, that brings quantum risk into view.

Lisa Matthews, KETS Quantum Security

For Lisa Matthews, CEO of KETS Quantum Security, this Bill “is a welcome challenge” to those who are adopting a “wait and see” approach.

“If your organisation is interpreting resilience only as ‘defending against the attacks of 2026,’ you are already failing this legislation,” she says. “You cannot claim to be resilient today if the mathematical foundations protecting your data are set to crumble in the near future – and this is the threat that quantum computers pose.”

She adds that the threat of ‘harvest now, decrypt later’ means that a breach of resilience effectively happens the moment sensitive long-term data is intercepted.

“The Bill turns what was once a roadmap into a mandate,” she adds. “There is a false sense of security currently, with some convinced that quantum computers are still decades away and therefore no urgent actions are needed. Realistically, we are looking at a timeline of fewer than five years.”

Cryptographic risk

That reading of the Bill resonates with security teams grappling with the practical consequences of long-term cryptographic risk. Chris Hickman, chief security officer at Keyfactor, says the legislation exposes a long-standing weakness in how cryptography has been managed inside large organisations. Too often, he argues, it has been treated as a background control rather than as an asset that needs to endure and evolve.

“The key shift in the Bill is that it moves organisations away from proving they are ‘secure today’ and toward demonstrating that they can remain secure over the lifetime of their systems and data,” Hickman says.

Quantum computing, he adds, brings that weakness into sharp relief by revealing just how deeply cryptographic choices are embedded across infrastructure, identity systems and supply chains, and how difficult they are to change once a crisis is already under way. That shift from guidance to expectation is where the Bill’s intent starts to become clear.

Robert Hann, global VP of technical solutions at Entrust, notes that neither the original NIS framework (the UK’s Network and Information Systems regulations covering critical services) nor the new legislation explicitly mandates cryptography. Instead, organisations are expected to choose security controls that match the risks they face. In sectors handling long-lived or sensitive data, he argues, it would be increasingly difficult to justify treating cryptography as anything other than a core control. Crucially, the Bill’s use of secondary legislation means those expectations can evolve, allowing emerging risks such as quantum computing to be addressed without rewriting the law.

Gemma Martynwood, EIP

That change in expectations also expands who needs to pay attention. As Gemma Martynwood, a partner at EIP, points out, the legislation brings a broader range of organisations into scope than the original NIS regime, including some managed service providers, data centres, and infrastructure-adjacent operators. Even organisations not directly regulated are likely to feel the effects, given their dependence on suppliers that are. In that context, long-term cryptographic weakness becomes not just a technical risk but a potential compliance and reputational one, particularly where data is expected to remain confidential for years.

That uncertainty is not lost on cryptographers themselves. Chloe Martindale, a senior lecturer in cryptography at the University of Bristol, says the quantum threat is real but difficult to time precisely. “It could be five years or 50 years before RSA and elliptic curve cryptography are broken,” she says. “But every communication on the internet relies on these problems, and many encrypted communications are already being stored in the hope of later decryption.”

Martindale argues that this makes long-term resilience a present concern, even in the absence of a clear quantum deadline. At the same time, she cautions against assuming there is a simple technical fix. Post-quantum algorithms are far less mature than classical methods, she notes, and replacing everything at once risks introducing new weaknesses. In her view, transition guidance needs to be explicit about layered approaches, combining classical and post-quantum techniques rather than treating post-quantum migration as a single switch to be thrown.

Quantum defence

For Matthews, the regulatory shift raises the bar on what counts as adequate preparation. Resilience over time, she argues, cannot be met by swapping one algorithm for another when deadlines loom.

“True resilience over time requires a defence-in-depth approach now,” she says, “implementing physics-based forward secrecy like chip-based QKD alongside post-quantum cryptography, so that when the threat landscape shifts, your foundations remain solid.”

In her reading of the Bill, resilience is more about ensuring cryptographic foundations can survive a change in assumptions than about second-guessing quantum’s expected impact.

“Migration is not a software patch you deploy overnight; it is a fundamental overhaul of digital infrastructure,” adds Matthews. “By mandating resilience, the Bill forces organisations to confront the uncomfortable reality that relying solely on today’s ‘best mathematical guess’ – even PQC – leaves a strategic blind spot. It raises the expectation that you must diversify your security portfolio immediately. If you wait for the threat to be immediate, it is already too late.”

Not everyone agrees that meeting that bar necessarily means long, disruptive migration programmes. Dan Panesar, CRO at Certes, argues that the assumption that post-quantum transition must take many years often reflects institutional inertia rather than technical reality. He says organisations frequently frame cryptographic change as a wholesale rebuild, when in practice there are approaches that allow protection to be upgraded without replacing entire applications or networks. From that perspective, the risk exposed by the Bill is less about the availability of quantum-safe technologies and more about whether organisations are willing to adapt their architectures early, rather than waiting for a clearly defined deadline.

Few would argue with that. But as Matthews points out, speed alone is not the same as preparedness. Turning what was previously guidance into a governance priority, and elevating post-quantum transition planning to board level, is, in her view, long overdue. At the same time, she cautions against replacing one form of certainty with another.

“This increase in urgency also demands that we scrutinise the detail of that guidance to ensure we aren’t discarding vital tools,” Matthews says. “Previously, the narrative has suggested a binary choice between PQC and QKD. The governance issue boards must now grasp is that these are complementary, not competing. PQC provides software-based protection, while QKD offers a stronger security promise, particularly against ‘harvest-now, decrypt-later’ attacks.”

The implication is that resilience, as the Bill now defines it, is less about betting on a single technology path and more about how organisations structure decision-making under uncertainty. In practice, that means boards asking different questions. It’s not just asking whether systems are secure today, but whether cryptographic foundations can be adapted without disruption. And not just whether suppliers encrypt data, but whether they can change how they do so as assumptions shift.

This is why the Bill’s silence on quantum computing is not an oversight. It does not attempt to mandate solutions or settle debates that are still evolving. Instead, it sets a test of seriousness. Security is no longer judged by passing an audit or responding to the last incident, but by whether organisations can demonstrate that their protections are built to last.

The Synnovis attack that framed the Commons debate was a reminder of what happens when cyber resilience fails in the present. The challenge posed by the Cyber Security and Resilience Bill is whether organisations are prepared for failures that may already be in motion, but will only become visible years from now.

Working as a technology journalist and writer since 1989, Marc has written for a wide range of titles on technology, business, education, politics and sustainability, with work appearing in The Guardian, The Register, New Statesman, Computer Weekly and many more.
