What the current framework covers and where it falls short

The UK's existing cybersecurity obligations for critical sectors sit within the Network and Information Systems Regulations 2018 (NIS Regulations) – the UK's legal framework for cybersecurity obligations on operators of essential services and relevant digital service providers, originally implemented from the EU's NIS Directive. When the UK left the EU, the NIS Regulations were retained in domestic law, but they've had no substantive update since.

Under NIS, two categories of organisation carry formal cybersecurity obligations. The first is Operators of Essential Services (OES) – organisations in critical sectors like energy, transport, water, health and digital infrastructure that are required to implement appropriate security measures and report significant incidents to their relevant regulator. The second is Relevant Digital Service Providers (RDSPs) – online marketplaces, online search engines and cloud computing services above certain size thresholds.

Regulators under NIS – known as competent authorities – include Ofcom, Ofgem, the Environment Agency and the Information Commissioner's Office, depending on sector.

The limitations of this framework have become difficult to ignore. The scope is narrow: it was designed around a specific list of sectors and service types, and large parts of the digital economy that underpin essential services – managed service providers, software vendors, data centre operators – sit outside it. Incident reporting thresholds (the point at which an organisation must notify its regulator of a significant cybersecurity incident) are vague, and the fines available to regulators are modest compared to the commercial scale of the organisations they oversee. Most significantly, the NIS Regulations do not address supply chain security – the security of third-party suppliers and their software and services, which are increasingly used as attack vectors – in any meaningful way.

The SolarWinds attack, the MOVEit vulnerability and a series of NHS-related incidents have each demonstrated the same pattern: an attacker compromises a supplier rather than the target directly. The existing framework has no adequate answer to this.

What the Bill proposes to change

The Cyber Security and Resilience Bill, announced in the King's Speech in July 2024 and led by DSIT (the Department for Science, Innovation and Technology – the government department responsible for the legislation), proposes a substantial overhaul across four main areas.

Expanded scope. The Bill is expected to extend NIS-style obligations to a wider range of sectors and digital services. Most notably, it proposes to bring managed service providers (MSPs) – companies that manage IT infrastructure on behalf of other organisations – into scope as a regulated category. This reflects the reality that an attack on an MSP can cascade across every client they serve. The government has also signalled that the definition of regulated digital services will be broadened to capture more of the infrastructure that essential services depend on.

Stronger incident reporting requirements. The Bill proposes to tighten incident reporting obligations significantly. Under the current NIS Regulations, reporting thresholds are defined in relatively broad terms. The proposed changes would require regulated organisations to report significant incidents to their regulator within 24 hours of becoming aware of them – a material reduction from the current expectation – followed by a more detailed report. The NCSC (the National Cyber Security Centre – the UK's national cybersecurity authority, part of GCHQ) would also receive incident data more systematically, improving the government's ability to identify patterns and coordinate responses across sectors.

Supply chain security obligations. This is one of the most significant new areas. The Bill is expected to introduce requirements for regulated organisations to assess and manage the cybersecurity risks presented by their supply chains. What this means in practice is that regulated entities would need to understand who their critical suppliers are, what security standards those suppliers meet and what would happen if a supplier were compromised. The exact form these obligations will take – whether prescriptive controls or outcome-based requirements – was subject to consultation, and secondary legislation is expected to provide the detail.

Enhanced regulatory powers and penalties. The Bill proposes to give regulators stronger enforcement tools, including the ability to issue larger fines. The proposed penalty framework is expected to be closer in scale to GDPR-style fines – potentially linked to global turnover – rather than the fixed caps that currently apply under NIS. Regulators would also gain new powers to require information from regulated organisations and, in some cases, to inspect their security arrangements proactively rather than only after an incident.

Who will be affected

The existing categories of regulated organisations – OES in energy, transport, water, health, digital infrastructure and financial market infrastructure – will remain in scope and face more demanding requirements. But the expansion of scope is where the Bill's reach grows significantly.

Managed service providers are the clearest new category. If your business provides IT management, network management, security monitoring or cloud services to other organisations – particularly to public sector bodies or organisations in regulated sectors – you should expect to be brought within scope. The government has been explicit that the MSP sector is a target of the expanded framework.

Data centre operators are also expected to fall within the revised definition of regulated digital services. The same applies to a broader range of cloud services than are currently covered.

Businesses that supply goods or services to regulated organisations face a different kind of exposure: indirect pressure through supply chain security requirements. If your customer is a regulated OES or MSP, they will be required to assess your security posture as part of their own compliance obligations. That assessment may include questionnaires, contractual security clauses or requests for evidence of certification such as Cyber Essentials or ISO 27001.

Size thresholds have not been definitively published at the time of writing, and the government has consulted on how to calibrate these to avoid disproportionate burden on smaller organisations. However, the direction of travel is clearly towards broader coverage rather than narrower.

What the Bill means in practice

For organisations that will be directly regulated, the obligations translate into several concrete requirements.

Incident response capability. A 24-hour reporting window is not achievable without a documented and tested incident response plan. Organisations need detection capabilities, a clear escalation path and a defined process for assessing whether an incident meets the reporting threshold – all before an incident occurs. An active attack is the worst possible time to discover that these are missing.

Supply chain due diligence. Regulated organisations will need to map their critical suppliers, understand what security standards each one meets and have contractual provisions that give them visibility of supplier-side incidents. This is a significant undertaking for organisations with large or complex supply chains, and it cannot be done quickly.

Technical security controls. The Bill is expected to reference a set of baseline security measures that regulated organisations must implement and maintain. The NCSC's existing guidance – including the Cyber Assessment Framework (CAF) – provides a reasonable indication of the direction. Organisations already working towards Cyber Essentials Plus or aligned to ISO 27001 will be better placed than those starting from scratch.

Board-level accountability. The Bill signals a clear expectation that cybersecurity is a board-level responsibility, not solely a matter for the IT function. Senior leaders will need to be able to demonstrate that they understand the organisation's risk exposure and that appropriate governance is in place. Regulators are expected to look at governance as part of any supervisory engagement.

Timeline and current status

The Cyber Security and Resilience Bill was announced as part of the government's legislative programme in the King's Speech on 17 July 2024. DSIT subsequently published a policy statement outlining the intended scope and approach, and conducted a consultation on specific aspects of the proposed framework, including how managed service providers should be defined and the design of the incident reporting regime.

The Bill was introduced to Parliament in 2025 and is progressing through its Parliamentary stages. As with any significant piece of legislation, the final form of the Bill – and the secondary legislation that will flesh out the detail – may differ from the current proposals. Much of the operational detail, including precise reporting timelines, penalty scales and sector-specific requirements, is expected to be set out in regulations made under the Bill rather than in the Bill itself.

The government has indicated that it intends to bring the new framework into force as quickly as practicable following Royal Assent, but no specific commencement date has been confirmed. Organisations should not assume a long runway between the Bill passing and obligations coming into effect.

What to do now

Waiting for the Bill to pass before taking action is the wrong approach. The gap analysis and capability-building that compliance will require take time, and the organisations that start now will be far better placed when obligations come into force.

Assess your current position against NIS. If you're already regulated under NIS, understand where your current posture falls short of the proposed new requirements – particularly around incident response timelines and supply chain visibility. If you're not currently regulated but expect to be in scope, the existing NIS framework and NCSC's Cyber Assessment Framework provide a useful baseline to work from.

Map your supply chain. Identify which of your suppliers are critical to your operations and what you currently know about their security arrangements. This is a gap most organisations find significant when they look honestly at it.

Review and test your incident response plan. If you don't have a documented plan, write one. If you have one but haven't tested it, run a tabletop exercise. The 24-hour reporting window makes response readiness a compliance requirement, not just good practice.

Brief the board. Senior leaders need to understand what's coming, what it will require of the organisation and what investment is needed to get there. Framing cybersecurity as a governance and regulatory matter – not just an IT cost – is the conversation that tends to unlock the right level of attention and resource.

Consider Cyber Essentials certification. For organisations not yet certified, Cyber Essentials provides a structured baseline of security controls that aligns well with the direction of the new framework and demonstrates commitment to security to regulators, customers and supply chain partners alike.

Route B helps businesses understand their cybersecurity posture, prepare for compliance requirements and achieve Cyber Essentials certification. Get in touch to discuss where you stand.