This Technical Note proposes an implementation clarification for the UK Cyber Security and Resilience Bill. The Bill rightly widens cyber-resilience obligations beyond isolated organisational systems to include managed service providers, critical suppliers, incident reporting, and the digital dependencies on which essential services rely. This Note argues that implementation guidance should also recognise epistemic infrastructure: digital systems, platforms, models, workflows, and supplier-dependent architectures that classify, prioritise, route, authenticate, validate, escalate, suppress, recommend, score risk, or support institutional decisions. The central claim is that cyber compromise need not appear as outage, unauthorised access, ransomware, or data loss. A system may remain technically available while its knowledge-governing function is degraded, manipulated, unauditable, or no longer within mandate. Such failures may affect cyber-risk scoring, managed security tooling, public-sector case management, research platforms, fraud detection, AI triage, and agentic workflows. The Note distinguishes data integrity, system integrity, epistemic integrity, and mandate integrity. It recommends that DSIT guidance address material compromise of knowledge-governing functions, including supplier dependencies, audit trails, mandate-drift controls, and incident-response procedures capable of restoring trustworthy institutional reliance.
Peter Kahl studied this question.