Cyber Resilience is Physical Security Now
Not Just a Policy One
The Independent’s recent reporting on proposed new UK cyber laws for the NHS, transport, energy and water is being read by many as an IT story. It isn’t. Not really.
It’s an operational resilience story, and for anyone responsible for physical security in the NHS or utilities, it’s a flashing indicator that the old boundaries between “cyber” and “physical” have finally collapsed in practice. The government’s own announcement is explicit that the goal is to prevent disruption to essential services and to tighten expectations on organisations and key suppliers that underpin them, including incident reporting and minimum-security requirements.
When IT goes down in a hospital or a utilities environment, the building does not stop being a building. People still turn up. Doors still have to open. Vehicles still arrive. Chemicals still need handling. The physical world keeps moving, just with fewer systems working and more pressure on the humans in the loop. That is where physical security can either help you hold the line, or become part of the problem.
The policy shift: suppliers are in the spotlight
One of the most significant angles in the reporting is the widened focus beyond just the operators of essential services. The proposals would put tougher duties on medium and large service providers and allow regulators to designate certain suppliers as “critical”, bringing them into scope with minimum requirements and stronger enforcement.
For physical security professionals, that matters because the supply chain is often the most realistic route into a site. Not always through hacking a firewall, but through trusted access: credentials, contractor badges, shared systems, remote support arrangements, and the routine movement of people and assets across the perimeter.
If “critical suppliers” now face stricter expectations, physical security and estates teams should take it as a cue to sharpen their own supplier assurance model. Not as a compliance exercise, but as a practical risk control.
The uncomfortable operational reality: cyber incidents drive physical risk
In the NHS, serious digital disruption tends to create physical pressure points rapidly: overcrowding, frustration, queuing, service diversion, constrained communications, and reduced visibility of who should be where. Even when staff perform brilliantly, the operational environment becomes more volatile. Physical security then shifts from “prevention and reassurance” to “flow control, conflict reduction, and continuity support”.
In utilities, cyber disruption often creates a different physical pattern: a move to manual workarounds, a reliance on local access, more site visits, and a greater need to protect remote assets that may be lightly staffed. The physical risk spikes at the edges: isolated sites, weak comms, and activities that were previously controlled digitally now being controlled through process and people.
This is the key point. The cyber event is the trigger, but the harm often appears in the physical domain.
What does physical security need to look like in a cyber-resilience era?
If the UK is moving toward tougher incident reporting and stronger baseline security expectations for essential services and the suppliers around them, the smartest response is not to bolt “cyber” onto the side of physical security. It’s to unify them around resilience.
Three practical shifts matter.
First, design physical security to operate during degraded digital conditions.
Ask a blunt question: if core IT systems are unavailable, what still functions? Access control, CCTV, intruder detection, hostile vehicle mitigation, monitoring, communications, visitor management, staff verification. If any of those rely on brittle dependencies, you need contingency options that are rehearsed, not theoretical.
Second, treat identity and access as both digital and physical.
Badging, contractor vetting, visitor processes, privileged access zones, escorted working, and key control are all part of resilience. When cyber incidents happen, organisations often relax controls to “keep things moving”. That is understandable. It is also a predictable way to create secondary incidents. A resilient model anticipates that pressure and builds safe, fast alternatives.
Third, harden the supply-chain interface, because that’s where trust concentrates.
The proposed focus on regulating service providers that hold trusted access across government and critical national infrastructure points to a simple truth: supply chains are security perimeters.
The wider legislative push is a signal that expectations are rising. But resilience is built well before the regulator asks for proof. It’s built in how a site functions on a bad day.
The organisations that do best will be the ones that stop treating cyber incidents as an IT interruption and start treating them as an all-hazards operational scenario, where physical security is a first-class control.
Because for the NHS and utilities, “cyber resilience” ultimately means something very practical: services staying open, sites staying secure, and people staying safe.