Cyber Security and Resilience (Network and Information Systems) Bill — Written evidence submitted by Fortaegis (CSRB03)
Parliament bill publication: Written evidence. Commons.
Cyber Security and Resilience (Network and Information Systems) Bill (3rd February 2026)
Primary navigation
Home
Parliamentary business
MPs, Lords & offices
About Parliament
Get involved
Visiting
Education
House of Commons
House of Lords
What's on
Bills & legislation
Committees
Publications & records
Parliament TV
News
Topics
You are hereParliament home page
>
Parliamentary business
>
Publications and Records
>
Hansard
>
Commons Debates
>
Public Bill Committee Debates
>
Public Bill Committee
Session 2021-22
Cyber Security and Resilience (Network and Information Systems) Bill
Written evidence submitted by Fortaegis to the Cyber Security and Resilience (Network and Information Systems) Public Bill Committee (CSRB03)
Executive Summary
1.
Fortaegis
welcomes the Cyber Security and Resilience Bill (CSRB) and supports its objective of strengthening the resilience of the UK’s critical services and infrastructure in the face of rapidly evolving threats and technology.
2.
Fortaegis
is an Anglo-Dutch technology company with a global footprint
pioneering systems that embed trust
physically
into the
semiconductor layer, which is the foundation of modern computing.
This means machines and systems authenticate and operate securely inherently, rather than through traditional software-based approaches, which, however sophisticated, are inherently vulnerable and will become more so with the advent of quantum computing. Our technology
represents a paradigm s
hift in how
trust and security interoperate in modern computing systems
resulting in dramatic increases in their speed and scalability.
3.
This has strategic implications for Critical National Infrastructure (CNI).
As the UK increasingly depends on interconnected digital systems to deliver essential services, the security of those systems must be considered not only in terms of software controls, but also in terms of underlying architecture and compute
, along with their speed and scalability.
4.
This submission makes two central points:
a.
While the Bill itself is technology-agnostic, there is a risk that implementation and guidance could default to familiar software-centric security models unless care is taken to preserve architectural neutrality and
room
for techn
ological
advances.
Paragraphs 12
to
15
refer.
b.
The Bill should allow for the adaptation of guidance and assurance models as new security approaches and technologies mature, without requiring further primary legislation.
Paragraphs 16 to 18 refer.
5.
We also note that comparable international regimes, including the EU’s NIS2 Directive, face similar implementation challenges, reinforcing the importance of flexibility and
architectural neutrality in practice.
6.
Fortaegis
would welcome the opportunity to support further the Committee’s
work on this Bill
through providing oral
evidence to explain in more detail how emerging technology can advance long-term cybersecurity and resilience. We could also provide
add
itional
technical
detail in writing,
if helpful.
About Fortaegisa paradigm shift in compute and trust
7.
Fortaegis
is a pioneering Anglo-Dutch technology company with a global footprint that
embeds hardware
-rooted security directly into semiconductors. Its architecture establishes trust at the
physical
level of computing systems, enabling devices and systems to authenticate each other without reliance on software-based credentials, remote key management, or external certificate authorities.
8.
Most cybersecurity today assumes that trust is established and maintained through software: cryptographic keys, certificates, credentials, updates, and patching regimes. While this model has delivered significant benefits, it also creates systemic risks, given both increasing threats from a range of hostile actors, as recognised by the Bill, and rapid technological change in fields such as quantum and AI.
9.
Software credentials can be copied, stolen, replayed, or compromised at scale. Patch-based security assumes that systems can be updated rapidly and continuously, which is not always realistic for critical infrastructure and presents an increasing overhead on the digital economy.
10.
By
rooting security
below the software and
O
perating
S
ystem layers,
there are no credentials to steal and no authentication secrets to manage. This approach creates an environment which removes
entire categories of cyber risk
, such as
credential theft, spoofing, replay attacks, and future cryptographic compromise
.
While software is necessarily involved at higher layers of any computing system,
Fortaegis
’ architecture ensures that software does not act as the root of trust. Instead, trust is anchored at the hardware level, with
Fortaegis
' full-stack software operating within those constraints.
11.
Our technology has been tested through
a number of
third parties including the Dutch TNO (
Organisation
for Applied Scientific Research)
[1]
and multinational partners
.
Strategic Implications for UK Critical National Infrastructure
12.
This new approach is particularly relevant to long-lived, safety-critical, or mission-critical systems that are deployed at scale across infrastructure and supply chains, and where frequent updates are impractical or introduce operational risk. Examples include transport systems, energy and industrial control infrastructure,
defence
-adjacent platforms, and distributed computing environments supporting advanced data and AI workloads.
13.
Threats facing such systems includelong-term quantum ‘harvest now, decrypt later’ attacks against encrypted data and communications; supply-chain compromise of components or firmware; credential theft enabling impersonation of trusted devices; remote exploitation of management interfaces; and the inability to patch systems quickly due to safety, certification, or operational constraints.
14.
Security mechanisms that remove dependency on software credentials and reduce attack surface by design can play an important role in protecting national infrastructure over decades, not just months or years.
15.
Given the profound strategic implications for Critical National Infrastructure (CNI), which increasingly depends on digital systems whose failure or compromise would have national-level consequences, we are working in partnership with Western governments and allies, industry and academia to ensure this hardware-based approach to security becomes the zero trust compute foundation of Critical National Infrastructure.
Implementation RiskPreserving Architectural Neutrality
16.
We understand that the Bill is
not a technical standard, but rather sets out duties, powers, and enforcement mechanisms and that technical specificity will come later in the year in the form of secondary legislation, regulatory guidance and NCSC advice. We support the Bill’s technology-agnostic, risk-based approach and the open language ("appropriate and proportionate measures"
[2]
, "state of the art [...] appropriate to the risk posed"
[3]
) which provides space for evolution of threats and technical resilience. It leaves room for solutions; allows "appropriate measures" to include non-software trust; lets regulators decide what ‘good’ looks like.
17.
However, based on experience of cyber regulation in long-lived and safety-critical systems, we note a risk that implementation and guidance could default to familiar software-centric security models unless care is taken to preserve architectural neutrality.
This risk does not arise from the Bill itself, but from the understandable tendency for guidance and assurance frameworks to reflect prevailing practices.
18.
Emphasising
during scrutiny that the regime is intended to and must remain open to different security architectures would help ensure that the Bill’s flexibility is preserved in practice, not only in principle.
Adapting Guidance and Assurance as Security Evolves
19.
Cybersecurity architectures are evolving rapidly, including at the hardware and system-design level. It is therefore important that guidance, codes of practice, and assurance models developed under the Bill can adapt as new approaches and technologies mature, without requiring further primary legislation.
20.
This flexibility will be particularly important for regulators overseeing sectors where systems are deployed for decades and where retrofitting security controls
can be
costly or impractical. Ensuring that regulators have the authority to
recognise
emerging security architectures will strengthen the long-term resilience of the UK’s critical services
.
International Context
21.
Comparable regulatory regimes, including the EU’s NIS2 Directive, adopt similarly technology-agnostic and risk-based approaches.
22.
However, e
xperience across such frameworks suggests that their effectiveness depends heavily on implementation and guidance, particularly in avoiding unintentional
assumptions about how security controls must be delivered.
For example, the EU’s Cyber Resilience Act prompted serious widely-held concerns that specific implementation requirements, especially rigid compliance expectations, could have unintended security consequences.
23.
The UK therefore has an opportunity, through the CSRB, to demonstrate leadership in ensuring that regulatory flexibility is preserved as security technologies evolve.
Conclusion
24.
Fortaegis
supports the objectives of the Cyber Security and Resilience Bill and welcomes its risk-based, technology-agnostic design.
25.
To
maximise
its long-term effectiveness, we encourage Parliament to ensure that architectural neutrality is preserved in implementation and guidance, and that guidance and assurance models can adapt as new security approaches mature without requiring further primary legislation.
26.
Fortaegis
stands ready to support further the Committee in its work to scrutinise the Bill as it progresses. We
would welcome the opportunity to provide oral evidence to the Committee
: explain more about how hardware-rooted trust operates in practice; how it differs from software-centric security models; the range of threats it is designed to protect against; and its relevance to long-lived critical infrastructure systems. We can also provide
more detailed technical evidence in writing
,
if useful
.
January 2026
[1]
https://www.tno.nl/en/
[1]
[2]
"An RMSP must identify and take appropriate and proportionate measures to manage the risks posed to the security of network and information systems on which it relies…"
[2]
-
Schedule 2 insertion of Regulation 14B(1) into the NIS Regulations by Clause 10 (Bill 329)
[3]
"(having regard to the state of the art) ensure a level of security of network and information systems appropriate to the risk posed…"
[3]
-
Schedule 2 insertion of Regulation 14B(2)(a) into the NIS Regulations by Clause 10 (Bill 329)
Prepared 3rd February 2026
Footer links
A-Z index
Glossary
Contact us
Freedom of Information
Jobs
Using this website
Copyright
Privacy notice
Cookie policy
Cookie Manager