A lot of it is about designating critical suppliers + providers and their security obligations.

Central government would typically be a customer, that uses other suppliers and providers to achieve its goals, not a supplier or a provider itself.

So in that sense it doesn't seem so strange to see it omitted, or at least for first set of legislation etc.? Get the first party suppliers in shape first, then legislate the net result of government function using those suppliers etc.

This matches the article's point that the UK CSR bill may be a first step that helps to phase in bespoke legislation to improve UK national security.

For me this is professional because my work involves UK software engineering for medical information.

Coordinated vulnerability disclosure: https://github.com/joelparkerhenderson/coordinated-vulnerabi...

src: worked construction in state data centers

¿What asbestos, qué?

The right way to do this is to draft a framework law and a few decrees along the lines of “administrations XXX and YYY will apply NIS2 with the following exceptions and adaptations ....”

This avoids creating overly broad exemptions, ensuring that there is a reference framework, and preventing each administration from developing its own system.

This is very common in the arms and nuclear sectors, where many civil norms and standards clearly state “not applicable to nuclear” and the nuclear standard states “apply civil standard XXX, with the following specific provisions, the competent authority is the ONR.”

Declaring an overly broad exemption from the outset is not the right way to go about it.