Louise Shea of Buro Happold reflects on how local governments are leading the charge in smart building cybersecurity. With national policy slow to catch up, cities are stepping in—embedding.

As smart cities surge globally, projected to grow from a £780 billion market in 2023 to £2.34 trillion by 2030, our reliance on digital infrastructure, smart technologies, and interconnected systems deepens. Buildings and places, once defined by bricks and steel, now pulse with IoT sensors, smart access controls, and Building Management Systems (BMS). Yet, this digital backbone brings vulnerability: 38% of cyberattacks targeted operational technology in 2024 (Verizon), and 77% of IoT devices remain vulnerable (Kaspersky). National legislation often lags, leaving cybersecurity as an afterthought in master planning. Tired of waiting, local governments are stepping up, setting bold standards to secure the built environment. 

 

Where national frameworks falter offering no mandatory directives for non-Critical National Infrastructure (CNI) buildings, local authorities are starting to fill the void. In the UK, cities like Manchester and Bristol are beginning to embed cybersecurity considerations into early planning, mandating risk assessments for smart building projects. Manchester’s 2023 Digital Strategy explicitly calls for cybersecurity to be integrated into smart city projects, requiring developers to address risks like ransomware from the planning stage. The Greater London Authority (GLA) updated its Smart London Plan in 2023, urging boroughs to weave cybersecurity into early planning. Hackney, scarred by a 2020 ransomware attack costing £12 million, encourages new developments to incorporate high standards to secure BMS and IoT from initial design phases. 

 

With 12% of London's building stock now smart (GLA), the stakes are amplified. Across the Atlantic, U.S. cities like Austin and San Francisco are similarly proactive. Austin’s 2024 Smart Mobility Initiative demands cybersecurity protocols for connected infrastructure, from EV chargers to public Wi-Fi.  San Francisco now requires real estate projects to integrate cybersecurity national frameworks (NIST) into compliant systems. With no national mandate for non-CNI cybersecurity, these local governments are setting a precedent, proving smart growth demands secure foundations. 

 

In the EU, where the Cyber Resilience Act (CRA) looms for 2026, cities like Amsterdam aren’t pausing. Its 2023 Smart City Framework insists on secure-by-design principles for all new developments, pre-empting national delays. This trend isn’t just reactive, it’s strategic and early integration reduces risks. Local governments are increasingly viewing cybersecurity as critical as health and safety, and non-negotiable for smart buildings and places, and I couldn’t agree more. It's also cost effective. Bolting on cybersecurity is expensive; retrofits can increase MEP budgets by 10-15%. 

 

Collaboration is driving this change, demonstrating that public-private partnerships can surpass national inertia. Tired of waiting, local governments are redefining resilience. They're not just maintaining operations; they're proactively safeguarding the digital infrastructure of our cities. As smart city growth accelerates, their standards are poised to compel national adoption, establishing cybersecurity as a fundamental pillar of future urban development.  

 

It's time to work together now to prioritise cybersecurity. For everyone’s benefit.