Fines Won’t Fix This
On why regulation keeps demanding culture and organisations keep delivering compliance
The legislation lands. And the email arrives a few weeks later. Forwarded from somewhere in legal or risk, with a one-line preamble along the lines of thoughts by Friday, please. Ahhhh… the unmistakeable scent of a budget about to be unlocked. The programme that was nice to have last quarter becomes mission critical this one. And what do we do? Well, the slide deck about awareness training is about to get a new title page… same content underneath, but let’s slap a sticker saying “resilience” on it.
This is what regulation does to organisations. It doesn’t produce the behaviour the regulator wanted. It produces the procurement that no one ever asked for.
The Cyber Security and Resilience Bill, introduced to the Commons in November 2025 and inching its way through committee since the new year, is the latest example. The numbers are doing the rounds in board papers as we speak… tiered fines reaching £17 million or 4% of global turnover for serious failures, daily penalties of £100,000 for ongoing contraventions, twelve regulators given sharper teeth and the kind of cost-recovery powers that turn an investigation into a profit centre. Add to that the tightening of incident reporting to just twenty-four hours, the expansion of scope to managed service providers and data centres, and the parallel pressure of NIS2 across the Channel and DORA in financial services… and you have the most muscular cyber regulatory environment the UK has ever attempted.
The natural assumption is that this changes everything.
It will change a great deal. It will not change the thing the regulators are actually asking for.
Read the bill itself. Read the FCA’s interventions on culture. Read DORA’s preambles about governance and accountability, and a strange recurring pattern starts to surface. The regulators have stopped pretending that paperwork is the goal. FINALLY.
The FCA states its ambition plainly: firms should have “good cyber hygiene, a good security culture and good governance”. DORA, under Article 5, requires members of a financial entity’s management body to “actively keep up to date with sufficient knowledge and skills” on ICT risk… not sign off a policy but hold the knowledge themselves. The Cyber Security and Resilience Bill repeats one phrase across its policy statement and its factsheets with the consistency of a chant… “appropriate and proportionate measures”.
These are not the words of regulators who want another module. They are the words of regulators who want organisations whose people behave well under pressure. They want decisions that hold up at three in the morning when an incident is unfolding and nobody is looking at a policy document. They want boards that understand cyber risk in their bones, not in their footnotes. They want, in the language of this newsletter, instinct.
And they will be answered, almost without exception, with another module.
Because compliance is something organisations know how to buy. There is a market for it. There are vendors with case studies and pricing pages and SaaS dashboards and integration partners. You can put compliance in a contract… you can audit it, evidence it, screenshot it, export it, attach it to a quarterly board pack, and feel, for one warm moment, that you have done something. Culture has none of those properties. Culture cannot be procured. Culture does not arrive in a deployment window. Culture has no SKU.
So when the regulator says “we want better behaviour under pressure”, the organisation hears “we want better evidence of training delivery”… because the second one fits the operating model and the first one does not.
The result is the doom loop the industry has been running on since the original NIS Regulations in 2018. Regulation arrives. Compliance is delivered. The gap between paper and practice widens. Another incident lands. The regulator returns, frustrated, with sharper teeth and clearer language. The organisations respond by buying more of the thing that did not work the first time, branded with the year’s preferred terminology. Awareness becomes resilience becomes culture becomes human risk management becomes whatever the next conference circuit lands on. The slides do not change. The behaviour does not change. The regulator gets louder.
What the Cyber Security and Resilience Bill represents, if you read it properly, is the regulator running out of patience. The fines are not a punishment. They are a price signal. They are saying… with awful clarity… that the cost of pretending is now greater than the cost of doing the work. £100,000 a day is what it costs to keep performing compliance theatre while the actual control… the human one… continues to fail.
And here is what I keep coming back to, in the rooms where this is starting to land. Boards are not stupid. CISOs are not lazy. The teams responsible for awareness are doing their best with tools designed for an audit, not for a brain. The problem is that nobody has shown them what the alternative looks like in practice. They have heard the word culture used three hundred times in three years and watched it mean three hundred different things… most of them another module dressed up.
Culture, in the way the regulators mean it, forms in three places. It forms when a leadership team sits in a tabletop scenario and discovers (in real time!!) that their incident response plan does not survive contact with a real incident. It forms when a finance team rehearses a deepfake CEO call and finds out which of them was about to wire the money before anyone called legal. It forms when reporting becomes the obvious move because the environment trained people to make it.
The connecting word in all three is rehearsal. People making real decisions, under real pressure, with real consequences, before the day arrives when the consequences are NOT a rehearsal. That is the control the regulator is asking for. It is the only thing that translates into the behaviour the bill was written to produce. And it is the thing almost nobody is currently buying, because it does not look like training and it does not arrive as a module.
The fines are coming. The bill will pass, the secondary legislation will follow, the daily penalties will become real, and somewhere in 2027 there will be a name on a press release that everyone’s hoping isn’t theirs. The responses currently being budgeted will, in the main, move the dial on procurement… and produce paperwork.
The thing that will actually move the dial is rehearsal. Tabletops with leadership. Pressured scenarios with the teams who handle the calls and the wires and the unusual requests. Reporting cultures that are designed… not hoped for. Build that, and the bill stops being a threat. Skip it? Well, that £100,000 a day is just the entry fee.
Plan for what you think is compliance, sure. But also plan for the other thing… the one the regulator actually wrote the bill about.
That's it for this week. Reply and tell me what you think.
Amy
Amy Stokes-Waters · Founder, The Cyber Escape Room Co.
