Four things from the past working week that a UK board should know about, in the order they would matter if you had to brief a chair over coffee on Monday morning. I have left out the noise. Where I have left something in, it is because there is a decision attached to it.

1. GCHQ's director says the quiet part out loud

On Wednesday 27 May, Anne Keast-Butler delivered the first GCHQ Annual Lecture at Bletchley Park. She used the phrase "moment of consequence" and described Britain as sitting in "a space between peace and war". She accused Russia of relentlessly targeting critical infrastructure, democratic processes, supply chains and public trust and warned of a narrowing window in which the West can stay ahead of China. The full speech text is on the GCHQ website and worth reading in full.

This is not a CyberUK keynote pitched at the security community. It is the head of GCHQ telling Parliament, regulators and the FTSE 100 that the threat model has shifted. UK firms that operate critical national infrastructure, hold large pools of citizen data, or sit in the supply chain to either, are now squarely inside that model.

For boards. Ask whether your annual cyber risk paper still treats nation-state actors as a residual risk in the appendix. If it does, it is a year out of date. The questions your audit committee should be asking next quarter are: which of our suppliers are downstream of a critical sector, what is our exposure to a long-dwell intrusion of the South Staffordshire shape, and do we have the telemetry to know within days rather than months.

2. Supply chain is now an AI problem too

The TrapDoor campaign, first surfaced by Socket on 22 May, continued to publish malicious package versions across npm, PyPI and Crates.io through the working week. By Friday researchers had catalogued more than 34 packages and 384 versions carrying credential-stealing payloads aimed at AWS, GitHub, GCP, Azure and crypto wallet keys.

What makes TrapDoor different from a routine npm typosquat is the AI tail. The attackers planted .cursorrules and CLAUDE.md files inside compromised packages, carrying hidden instructions encoded in zero-width Unicode. Pull requests were also opened against LangChain, LlamaIndex and OpenHands. The intent is to poison the agentic developer tools your engineers are already using, so that the next refactor introduces a backdoor your humans never asked for.

CISA caught up on Tuesday, adding three entries to the Known Exploited Vulnerabilities catalogue including the TanStack supply chain compromise and an Nx Console package poisoning. UK estates do not sit under CISA's binding operational directive, but the NCSC Early Warning service mirrors KEV in practice and any sensible patching SLA already does.

For boards. This is two questions, not one. First, do you have a software bill of materials for the services your customers touch, and a process to act on a KEV listing within days. Second, what is your written policy on AI coding assistants — specifically, whose responsibility it is to review the prompts and config files they pick up from third-party packages. If the answer to either is "we are thinking about it", set a date.

3. The Cyber Security and Resilience Bill grinds on

The Cyber Security and Resilience (Network and Information Systems) Bill remained at report stage in the Commons through the week, with amendments still being tabled. The Bill rewrites the 2018 NIS Regulations, brings managed service providers and large data centres into scope, raises incident-reporting obligations, and gives regulators sharper enforcement powers.

For UK firms watching from outside the existing NIS perimeter, the practical question is whether you will be in scope when this becomes law. The current drafting extends regulated entity categories considerably, particularly for managed service providers and digital infrastructure operators. It is also the route by which the UK reaches broad alignment with the EU's NIS2 framework without adopting it directly.

For boards. If you sell services to an operator of essential services, a relevant digital service provider, the NHS or central government, the question is not whether your contracts already commit you to NIS-like reporting obligations — most do — but whether you can demonstrate compliance under audit. Ask your CISO for a written gap assessment against the Bill as drafted at report stage. It is cheaper to do that now than to find out from a regulator after Royal Assent.

4. Quantum stops being a 2030 problem

The week also pushed the NCSC's "perfect storm" framing — nation-state risk, hacktivism, AI and quantum — back onto board agendas, with analysis aimed squarely at directors circulating during the week. The line directors picked up was the harvest-now-decrypt-later argument: data exfiltrated today, against current encryption, is being held for a future quantum computer to read. For any organisation with data that needs confidentiality beyond about 2030 — and that includes legal, medical, financial, defence supply chain and customer identity files — the migration to post-quantum cryptography is now a 2026 planning item, not a 2030 one.

The NCSC's migration timeline sets out three phases: discovery and planning to 2028, high-priority upgrades to 2031, and full migration by 2035. The first phase is the one a board can be held accountable for.

For boards. The decision is to commission an inventory of where you rely on RSA and ECC, where you do not control the cryptographic primitives (cloud services, vendor SaaS, hardware tokens), and who in your organisation owns the migration plan. The next step is for the audit committee to ask the CTO to name a date by which that inventory will exist.

The thread that ties this together

Four stories, one pattern. The boundary between "cyber" and "everything else" has stopped being useful. Russia's hybrid activity blends physical sabotage and information operations into the same kill chain. Supply chain compromise now reaches up through your software dependencies into the AI assistants your engineers trust. The Bill that updates NIS will pull thousands more UK firms into a regulated perimeter. And the cryptographic ground under your most sensitive data is shifting beneath you on a timetable that is no longer comfortably in the next decade.

The question to put on the next risk register is the simple one. If any of those four moves against us in the next twelve months, which control breaks first, and what is the second line of defence?