Assessing Potential Impact

By Stephen Hermanson

21 May 2026

The previous article shared an overview of the UK government’s legislative agenda for security and resilience. This follow-up helps to flesh out some of the questions that individual organisations could or should be asking about the potential impact.

Monitoring and engagement can build a picture of the legislative agenda and how others are responding. Depending on the impact, a passive stance may suffice. However, the purpose of Security Public Policy is to understand the relevance and impact of the legislative agenda to the organisation, its supply chains and the broader ecosystem.

Therefore, an intelligence brief about the legislative agenda should be accompanied by an impact assessment that considers how new or amended legislation may influence operational, financial, reputational and strategic risk. This understanding is important to allow business leaders to make informed choices about how to respond. In essence:

  • Protect the business (reduce risk).
  • Ensure appropriate partners and funding (sustainability & efficiency).
  • Remain compliant.

To illustrate, I’ve taken the UK Cybersecurity & Resilience Bill as an example. Whilst the questions could apply to any piece of legislation, its particular purpose, scope and timing, together with the context and constraints of the organisation concerned, may call for more specific questions.

The nine lenses below offer a framework for considering organisational impact. It’s not an exhaustive checklist, and each element could expand to include additional considerations. It’s offered simply as a starting point.

Lens 1: Supply Chain Response
  Focus: Mapping exposure and seeking to understand new or adjusted obligations on supply chains and how these co-exist with your own obligations. The ultimate aim is to strengthen operational effectiveness by driving clarity about responsibility and accountability.

Lens 2: Customer Response
  Focus: Looking closely at demand shifts, procurement criteria, contract management and consolidation risk. The ultimate aim is to ensure customers are confident about your security posture and compliance. In some instances, you may be supporting customers to understand their own obligations.

Lens 3: Sector Regulator Response
  Focus: Your regulator’s interpretation is your effective compliance standard. The aim is to remain engaged with the regulator (and possibly multiple regulators) to understand the timetable and process for arriving at new or adjusted interpretations, and to be ready to provide evidence-based input to support or challenge regulatory measures.

Lens 4: Cross-Sector Consistency
  Focus: Divergence risk for multi-sector operators and suppliers. This is often the most neglected element, as organisations need to look beyond their immediate sector and regulator to understand how horizontal security and resilience legislation plays out. The aim is to understand and remedy any ambiguities, gaps or inconsistencies between sectors.

Lens 5: International Comparison
  Focus: Security and resilience are agnostic to borders, and global supply chains continue to transcend jurisdictions. Many of the technical standards and guidelines that underpin the implementation of security and resilience controls stem from collaborations in regional and international standards bodies and alliances. The aim is to offer a practical perspective on where and how international approaches need to adapt.

Lens 6: Threat Actor Response
  Focus: Adversaries get a vote too. They will be looking closely at the steps governments and organisations are taking to detect, protect against and respond to attacks. Threat Intelligence can play an important role in understanding how adversaries are responding and adapting. The aim is to pair good Threat Intelligence with good Security Public Policy to design measures that are relevant, effective and sustainable.

Lens 7: Internal Governance & Culture
  Focus: It’s very easy for all of this to go unnoticed at ExCo and Board levels unless the impact assessment can package and articulate the risks in a timely and effective way. The aim is to ensure sustained and reliable access to the ExCo and Board so as to build literacy, ownership clarity, compliance maturity and prioritisation. The key is to frame security and resilience as part of the broader External/Corporate Affairs strategy.

Lens 8: Insurance Market Response
  Focus: It’s worth keeping an eye on underwriting shifts, policy terms and regulatory penalty cover. In an environment such as security and resilience, where it’s acknowledged that incidents are inevitable, insurance can play a central part in response and recovery. Understanding of the threat landscape, performance against regulatory obligations and a credible track record of investment in security and resilience will feature strongly in underwriting discussions.

Lens 9: Investor & ESG Scrutiny
  Focus: Investors may seek to apply their own interpretation and standards (usually from their home jurisdiction or other parts of their portfolio). They will seek confidence in the organisation’s security and resilience performance and in its relationships with government, regulators and agencies. They’ll want to be certain about disclosure, prioritisation, efficiency and risk tolerance. The aim is to understand and reconcile these factors.

The nine lenses are not equally urgent. They map to different planning horizons and organisational functions. Organisations should calibrate the framework to their sector, size, supply chain complexity and regulatory relationships. For example:

Immediate
  Lenses: Regulator · Supply Chain
  Rationale: Regulatory guidance and supply chain scope determine your actual obligations before secondary legislation is confirmed.

Near-term (2026)
  Lenses: Cross-Sector · Governance · Insurance
  Rationale: Secondary legislation is under consultation. Board governance and insurance alignment can begin immediately.

Strategic (2026–28)
  Lenses: Customers · International · Threats · Investors
  Rationale: Longer planning cycle. These lenses inform investment decisions, international strategy and market positioning over the full implementation period.

In conclusion, not every question will be relevant to every organisation. These proposed lenses can provide a structure for workshops or risk assessments. The key is to keep pace with the policy cycle and remain engaged at proposal, primary legislation, secondary legislation, regulatory guidance and standards development. New or reformed public policy considerations and risks could emerge at each stage, especially in response to powerful lobbies.
