Jonathan Shelby

Jonathan Shelby

The UK Cyber Security and Resilience (CS&R) Bill represents the most significant reform of UK cyber legislation since the Network and Information Systems (NIS) Regulations 2018. While existing analysis has addressed the Bill's regulatory requirements, there is a critical gap in guidance on the architectural implications for organisations that must achieve and demonstrate compliance. This paper argues that the CS&R Bill's provisions (expanded scope to managed service providers (MSPs), data centres, and critical suppliers; mandatory 24/72-hour dual incident reporting; supply chain security duties; and Secretary of State powers of direction-), collectively constitute an architectural forcing function that renders perimeter-centric and point-solution security postures structurally non-compliant. We present a systematic mapping of the Bill's key provisions to specific architectural requirements, demonstrate that Zero Trust Architecture (ZTA) provides the most coherent technical foundation for meeting these obligations, and propose a reference architecture and maturity-based adoption pathway for CISOs and security architects. The paper further addresses the cross-regulatory challenge facing UK financial services firms operating under simultaneous CS&R, DORA, and NIS2 obligations, and maps the architectural framework against the NCSC Cyber Assessment Framework v4.0. This work extends a companion practitioner guide to the Bill by translating regulatory analysis into actionable architectural strategy. Keywords: Cyber Security and Resilience Bill, Zero Trust Architecture, Security Architecture, Critical National Infrastructure, NIS Regulations, DORA, Supply Chain Security, NCSC CAF v4.0

Jonathan Shelby

CubeSats have democratised access to space for universities, start-ups and emerging space nations, but the same design decisions that reduce cost and complexity introduce distinctive cybersecurity risks. Existing risk assessment frameworksNIST SP 800-37/53 [1, 2], ISO/IEC 27001/27005 [3, 4] and supply-chain guidance such as NIST SP 800-161 [5]assume abundant computational resources, centralised monitoring and mature governance structures that do not hold for power-limited, intermittently connected CubeSat missions. This paper develops a contextually appropriate risk assessment framework tailored to CubeSat environments, grounded in a 42-entry vulnerability register coded using STRIDE [6], MITRE ATT&CK [7] and CVSS v3.1 [8]. The register reveals that risks concentrate in communication and ground segments (mean CVSS 8.08.2) rather than distributing uniformly across subsystems. The framework introduces two constructs: a Security-per-Watt (SpW) heuristic that quantities security benefit per unit power, and a Distributed Security Paradigm (DSP) that reconceptualises incident response as an autonomous, constellation-level function rather than a purely ground-centric process. Scenario-based analysis demonstrates that adapted controls and distributed incident handling can achieve up to 2.7X higher SpW for cryptographic choices and 1.98X higher SpW for incident-response strategies compared with naive terrestrial transpositions, while remaining feasible for typical CubeSat power and governance constraints. The approach provides mission designers, operators and regulators with proportionate, auditable guidance, and offers a reusable pattern for adapting enterprise security frameworks to other severely constrained cyber-physical systems.

Jonathan Shelby

The Cyber Security and Resilience (Network and Information Systems) Bill, introduced to Parliament in November 2025, represents the most significant reform of UK cyber security legislation in nearly a decade. This paper provides a comprehensive practitioner-oriented analysis of the Bill's provisions, their practical implications, and the steps organisations must take to achieve compliance. It examines the expanded regulatory scope covering managed service providers, data centres, and designated critical suppliers; the enhanced 24/72-hour incident reporting regime; the strengthened enforcement architecture including penalties of up to \pounds17 million or 4\% of worldwide turnover; and the Secretary of State's new executive powers. The paper compares the Bill with the EU's NIS2 Directive and DORA, proposing a practical dual-compliance framework for financial services firms. It explains how Zero Trust Architecture principles can serve as a foundation for meeting the Bill's requirements, and how the NCSC's Cyber Assessment Framework v4.0 provides the assurance pathway. Four detailed appendices provide entity-specific compliance roadmaps, worked case studies mapping real UK incidents to Bill provisions, sector-specific action plans for financial services, energy, health, and MSPs, and a complete gap analysis and self-assessment tool mapped to CAF v4.0 and the Bill's requirements.