Dr. Richard Browne:

That is a good question. First, this point goes to the very heart of the Cyber Resilience Act, CRA, process at a European level. The US policy in the current White House has moved towards exactly the same issue. We have a risk asymmetry here and a capability asymmetry. Those who run charities, sporting clubs, websites or a small piece of infrastructure cannot ever hope to be fully secure because they will never have the capacity or capability to do that. The aim of European policy and elsewhere in the world is to shift the burden of responsibility up the chain to the companies that can actually do that, to the people who make the equipment. Of course, there is always a risk that link would make it more expensive but that is a separate conversation. That is one thing. The solution here is to make everything more secure and take it out of the hands of individuals who will never be able to fully do that. Having said that, we do have a very expansive and quite capable domestic cybersecurity sector here. There is lots of advice, guidance and support out there, even on our website, to allow people to secure stuff like that. For the most part, however, and this is really important, the same guidance will apply to sporting clubs, charities and those running social media accounts and so on as will apply to politicians in the democratic process. This advice is to use multi-factor authentication, complex passwords and to ensure that access control is fully enabled. Once one has done this, that is quite a lot of what can be done because it is only really when dealing with much larger and much more complex pieces of infrastructure that more complex cybersecurity rule sets will become a thing. For the small scale, the simple things still work.