Cyber attack on NHS supplier exposes gaps in UK cyber resilience law

April 10, 2026

A pro-Iran hacktivist attack has restricted supplies of medical equipment used by the NHS, in the latest cyber incident to highlight the vulnerability of critical supply chains to the spillover impact of malicious cyber activity.

Handala – which began carrying out cyber operations following the outbreak of the Israel-Hamas war in 2023 – took credit for the attack on US healthcare firm Stryker, halting ordering and manufacturing processes for at least a week in March and continuing to disrupt supplies to the NHS.

Critical national infrastructure (CNI) and the healthcare sector present especially attractive targets for politically motivated cyber threat actors during periods of geopolitical tension.

“These actors look to CNI for espionage, pre-positioning and disruptive cyber operations as the geopolitical landscape becomes more strained,” says Kailyn Johnson, Lead Analyst in Cyber and Geopolitical Intelligence at Sibylline.

“Services like the NHS are particularly attractive targets because of the impact a cyber attack can have on the government and its civilians.”

Crucially, CNI suppliers can provide these actors with a more accessible attack vector to cause second-order disruption, as well as a useful entry point into IT systems.

A ransomware attack on Synnovis, a laboratory diagnostic service provider to the NHS, was linked to the death of a patient after it caused major disruption to blood tests and transfusions in July 2024.

The perpetrators, a Russian cyber criminal group with suspected ties to Moscow, did not cite any political motivations for carrying out the attack.

However, the incident illustrates the potential consequences cyber attacks on supply chains can have for physical services and civilians.

Supply chains add layers of complexity to cyber security frameworks and can undermine the effective protection of critical systems from cyber attacks.

“The NHS comprises a vast supply chain, whether that’s technology, medical equipment or facilities,” Johnson says.

“This makes it very difficult to secure its systems and account for all potential cyber risks and their impact.”

The cyber threat landscape is also developing at pace, driven by emerging technologies and a dynamic, money-driven cyber criminal ecosystem.

This environment allows politically motivated cyber threat actors to hone their capabilities in ways that outpace both understanding and the development of comprehensive cyber security frameworks.

As cyber threat actors become more capable, their ability to exploit supply chains to undermine geopolitical adversaries is growing.

In the UK, the upcoming Cyber Security and Resilience Bill seeks to address this by increasing the number of entities regulated under the Network and Information Systems (NIS) framework, introducing reporting and compliance requirements for supply chains and the critical infrastructure they support.

The Bill has largely been welcomed by cyber security leaders as a positive starting point for more holistic protections to prevent and mitigate cyber attacks.

However, there are growing concerns over its effectiveness and timing, particularly as it may include fines for organisations where attacks result from compliance failures.

Across the EU, 35% of organisations that have implemented NIS believe the Directive’s expectations are unclear and have encountered difficulties in its implementation.

This lack of clarity also applies to the fine system proposed under the Cyber Security and Resilience Bill.

“It is unclear who is getting fined in these situations,” Johnson says.

“Fines can be a big, negative reinforcement to secure environments, but will that translate into accountability if they apply to government-funded trusts, for instance?”

A reduction in funding has also affected some NHS Trusts, which have highlighted the potential impact of local defunding on their ability to implement the requirements of the upcoming Bill.

The Bill is currently under review, with full implementation not expected until 2028.

Meanwhile, some organisations in the EU are already migrating to the updated NIS2 framework in an effort to introduce more proactive resilience measures.

The pace at which cyber threats to supply chains and critical infrastructure are evolving raises questions over whether regulation can keep up with the instability of the current geopolitical landscape.

Johnson adds: “The delayed implementation of the Bill means it risks falling behind before it even comes into effect, leaving supply chains vulnerable to increasingly capable cyber threat actors.”