
The UK Cyber Security and Resilience Bill

What It Means For Your Business

A practical guide for IT providers, CNI operators, and their suppliers

Published: January 2026

Author: Dead Simple Computing Ltd

Version: 1.0

Contents

  • Executive Summary
  • What Is The Cyber Security and Resilience Bill?
  • Who Is Affected?
  • Key Requirements
  • The New Incident Reporting Rules
  • Supply Chain Obligations
  • Penalties and Enforcement
  • Timeline
  • How To Prepare: Your Compliance Checklist
  • How DSC Can Help
  • Further Resources

1. Executive Summary

The Cyber Security and Resilience Bill was introduced to UK Parliament on 12 November 2025 and had its second reading on 6 January 2026. It represents the most significant update to UK cyber security regulation since the original NIS Regulations in 2018.

Key points:

  • Expands scope to include Managed Service Providers (MSPs) and data centres
  • Creates new "Designated Critical Supplier" category
  • Reduces incident reporting time from 72 hours to 24 hours
  • Introduces fines of up to £17 million or 4% of global turnover
  • Strengthens supply chain security requirements
  • Gives regulators enhanced enforcement powers

Who needs to act:

  • Operators of essential services (energy, transport, health, water, digital infrastructure)
  • Relevant digital service providers (cloud, search, online marketplaces)
  • Managed Service Providers (MSPs) - newly in scope
  • Data centres above certain thresholds - newly in scope
  • Critical suppliers to any of the above - potentially in scope

Timeline:

  • Royal Assent expected: 2026
  • Implementation: Phased, via secondary legislation
  • Action required: Now - don't wait for final regulations

2. What Is The Cyber Security and Resilience Bill?

Background

The UK's current cyber security framework for critical infrastructure is based on the Network and Information Systems Regulations 2018 (NIS Regulations). These were derived from EU law and have remained largely unchanged since implementation.

In that time:

  • Cyber attacks have increased dramatically in frequency and sophistication
  • Supply chain attacks have become a primary attack vector
  • Major incidents have disrupted hospitals, government services, and critical infrastructure
  • The threat landscape has evolved to include nation-state actors and sophisticated criminal groups

The Government's own assessment states that the UK is "desperately exposed" to cyber threats, with 204 nationally significant cyber attacks in the past year alone - double the previous year.

Purpose of the Bill

The Cyber Security and Resilience Bill aims to:

  • Expand scope - Bring more organisations under regulation, particularly those in digital supply chains
  • Strengthen requirements - Align with international standards and close gaps in current regulations
  • Improve incident reporting - Get faster visibility of threats across critical sectors
  • Enhance enforcement - Give regulators the tools and powers to ensure compliance
  • Future-proof the framework - Allow faster updates through secondary legislation

Relationship to NIS2

The EU updated its equivalent regulations through the NIS2 Directive, which came into force in October 2024. The UK Bill aligns with NIS2 in many areas but is not identical.

Key similarities:

  • Expanded scope including MSPs
  • Stricter incident reporting
  • Supply chain requirements
  • Higher penalties

Key differences:

  • UK Bill does not currently include manufacturing or food sectors
  • UK uses existing sectoral regulators rather than creating new ones
  • UK includes specific powers for national security directions

Organisations operating in both UK and EU should map requirements carefully, as compliance with one does not automatically mean compliance with the other.

3. Who Is Affected?

Currently Regulated (NIS Regulations 2018)

Operators of Essential Services (OES):

  • Energy (electricity, oil, gas)
  • Transport (air, rail, water, road)
  • Health (NHS trusts, healthcare providers)
  • Drinking water supply and distribution
  • Digital infrastructure (internet exchange points, DNS providers, TLD registries)

Relevant Digital Service Providers (RDSPs):

  • Online marketplaces
  • Online search engines
  • Cloud computing services

Newly In Scope Under The Bill

Managed Service Providers (MSPs)

This is a major expansion. MSPs provide outsourced IT services to other organisations, often with privileged access to their clients' systems. The Bill recognises that compromising an MSP can provide attackers with access to multiple downstream organisations.

If you provide managed IT services, managed security services, or outsourced IT support, you are likely to be in scope.

Data Centres

Following the Government's 2024 decision to classify data centres as Critical National Infrastructure, large data centre operators will face direct security obligations. Thresholds for "large" have not yet been finalised but are expected to be based on capacity.

Designated Critical Suppliers

Regulators will gain power to designate certain suppliers as "Designated Critical Suppliers" (DCS) if:

  • Their goods or services are critical to an essential service
  • Their disruption could have significant impact on that essential service
  • They are not already regulated under NIS

This is targeted at the small number of suppliers whose failure would have outsized impact - think specialist software vendors, key component suppliers, or critical service providers.

If designated, these suppliers will face equivalent security requirements to the operators they supply.

How To Know If You're Affected

You are likely in scope if:

  • You are already regulated under NIS Regulations 2018
  • You provide managed IT or security services to other organisations
  • You operate data centre infrastructure above threshold capacity
  • You are a critical supplier to organisations in essential services sectors
  • Your customers are in energy, transport, health, water, or digital infrastructure

You may be affected even if not directly regulated if:

  • Your customers are in scope and will flow requirements down to you
  • You are part of the supply chain to critical infrastructure
  • You handle data or systems critical to essential services

Sector Regulators

Each sector has a designated "competent authority" responsible for guidance, monitoring, and enforcement:

| Sector | Regulator |
| --- | --- |
| Energy | Ofgem |
| Transport (aviation) | Civil Aviation Authority |
| Transport (maritime) | Maritime and Coastguard Agency |
| Transport (rail) | Office of Rail and Road |
| Health | Department of Health and Social Care |
| Water | Drinking Water Inspectorate / Ofwat |
| Digital infrastructure | Ofcom |
| Digital services | Information Commissioner's Office |

Under the Bill, organisations will also need to notify and report to the National Cyber Security Centre (NCSC) in addition to their sectoral regulator.

4. Key Requirements

Security Measures

Regulated organisations must implement "appropriate and proportionate" technical and organisational measures to manage risks to their network and information systems.

The Bill aligns these measures with the NCSC's Cyber Assessment Framework (CAF), which is already used across critical infrastructure sectors.

Core security outcomes expected:

A. Managing Security Risk

  • Governance structures for cyber security
  • Risk management processes
  • Asset management
  • Supply chain risk management

B. Protecting Against Cyber Attack

  • Service protection policies
  • Identity and access management
  • Data security
  • System security
  • Resilient networks and systems
  • Staff awareness and training

C. Detecting Cyber Security Events

  • Security monitoring
  • Anomaly detection

D. Minimising Impact of Incidents

  • Response and recovery planning
  • Incident response capability
  • Recovery capability

Supply Chain Security

The Bill introduces explicit supply chain security obligations. Organisations must:

  • Assess cyber security risks from their supply chain
  • Implement appropriate measures to manage those risks
  • Include security requirements in contracts with suppliers
  • Monitor supplier compliance

This reflects the reality that supply chain attacks were the story of 2025, with major breaches at M&S, Jaguar Land Rover, and others all originating through third-party suppliers.

Incident Reporting

See Section 5 for a detailed breakdown of the new incident reporting requirements.

Regulatory Engagement

Organisations must:

  • Register with relevant regulators
  • Provide information on request
  • Cooperate with regulatory investigations
  • Implement directions from regulators

5. The New Incident Reporting Rules

What's Changing

| Aspect | Current (NIS 2018) | New (Bill) |
| --- | --- | --- |
| Reporting trigger | Incidents with "significant impact" | Incidents "capable of having" significant impact |
| Initial notification | 72 hours | **24 hours** |
| Report to | Sectoral regulator | Sectoral regulator **and NCSC** |
| Customer notification | Not required | Required for affected customers |

What Must Be Reported

Reportable incidents include:

  • Incidents that have had a significant impact on service continuity
  • Incidents capable of having significant impact (even if contained)
  • Near-misses where significant impact was narrowly avoided

This is a significant expansion. Previously, only incidents that actually caused significant impact needed reporting. Now, incidents that could have caused significant impact must also be reported.

Reporting Timeline

Within 24 hours of becoming aware:

  • Initial notification to sectoral regulator
  • Initial notification to NCSC
  • Basic details: what happened, systems affected, initial assessment

Follow-up reporting:

  • Full incident report with detailed analysis
  • Timeline not yet specified but expected to be within 72 hours
  • Root cause analysis
  • Remediation actions

Customer notification:

  • Required for customers "likely to be adversely affected"
  • "As soon as reasonably practicable"
  • Threshold appears lower than GDPR's "high risk" standard

Practical Implications

You need:

  • 24/7 detection capability - You can't report what you don't know about
  • Clear incident classification - Know what triggers reporting
  • Pre-prepared notification templates - No time to draft from scratch
  • Designated reporting contacts - Know who to contact at NCSC and at your regulator
  • Customer communication process - Ready to notify affected customers
  • Documented procedures - Tested and rehearsed

The 24-hour clock starts when you become aware - not when you've completed investigation. This means:

  • Initial reports will be incomplete (that's expected)
  • You need processes to provide information quickly
  • Follow-up reports fill in the details

6. Supply Chain Obligations

Why Supply Chain Security Matters

The major UK cyber incidents of 2025 share a common thread: supply chain compromise.

Marks & Spencer: Attackers gained access through social engineering of a third-party contractor's service desk. Ransomware disrupted operations for months.

Jaguar Land Rover: A ransomware attack halted all UK production for nearly a month, putting 104,000 supply chain jobs at risk. The Government provided a £1.5 billion loan guarantee to protect the sector.

Synnovis (NHS): Attack on pathology services provider halted blood testing and cancelled surgeries across London hospitals.

Attackers increasingly target suppliers because:

  • Suppliers often have privileged access to customer systems
  • Suppliers may have weaker security than their large customers
  • Compromising one supplier can provide access to many targets
  • Supply chain relationships are built on trust that can be exploited

Requirements For Operators

If you are an operator of essential services or digital service provider, you must:

1. Map your supply chain

  • Identify suppliers critical to your essential service
  • Understand what access and data each supplier has
  • Assess which suppliers' failure would impact your service

2. Assess supplier risk

  • Evaluate each supplier's security posture
  • Consider their access, data handling, and criticality
  • Prioritise based on risk

3. Manage supplier risk

  • Include security requirements in contracts
  • Require evidence of security measures (certifications, audits)
  • Monitor compliance over time
  • Have contingency plans for supplier failure

4. Report on supply chain security

  • Be prepared to demonstrate supply chain risk management to regulators
  • Include supply chain in incident reporting where relevant

Requirements For Suppliers

If you supply to regulated organisations, expect:

Contractual requirements:

  • Security standards (Cyber Essentials, CE+, ISO 27001)
  • Incident notification obligations
  • Audit rights
  • Evidence requirements

Due diligence:

  • Security questionnaires
  • Audits and assessments
  • Ongoing monitoring

Incident response:

  • Obligation to notify customers of incidents
  • Cooperation with customer incident response
  • Potential joint regulatory engagement

Designated Critical Suppliers

The Bill creates a new category: Designated Critical Suppliers (DCS).

Regulators can designate a supplier as critical if their goods or services are essential to an operator's ability to provide their essential service.

If designated:

  • You become directly regulated under the Bill
  • You must meet equivalent security requirements to operators
  • You are subject to regulatory oversight and enforcement
  • Failure to comply can result in penalties

Expected to apply to:

  • Specialist software vendors
  • Critical component suppliers
  • Key service providers without alternatives
  • Infrastructure providers

The Government indicates this will be used sparingly for suppliers with outsized systemic importance, not broadly applied.

7. Penalties and Enforcement

Maximum Penalties

The Bill significantly increases maximum penalties:

| Breach type | Maximum penalty |
| --- | --- |
| Most serious breaches | **£17 million or 4% of global annual turnover** (whichever is higher) |
| Less serious breaches | **£10 million or 2% of global annual turnover** (whichever is higher) |

These align with GDPR-level penalties and represent a major increase from current NIS Regulations.

Enforcement Powers

Regulators will have enhanced powers including:

Information gathering:

  • Power to require information from regulated entities
  • Power to conduct inspections and audits
  • Access to systems and documentation

Directions:

  • Power to direct organisations to take specific actions
  • Power to direct remediation of vulnerabilities
  • Power to direct incident response actions

National security directions:

  • Secretary of State can direct actions in interests of national security
  • Can be issued to regulated entities or regulators
  • Broader and more flexible than standard regulatory powers

Cost recovery:

  • Regulators can recover costs of enforcement activities
  • Fees can be imposed on regulated entities

Factors In Penalty Decisions

Regulators will consider:

  • Severity and duration of the breach
  • Whether the breach was intentional or negligent
  • Steps taken to mitigate damage
  • Previous breaches and compliance history
  • Cooperation with the investigation
  • Financial impact of the penalty

Personal Liability

While the Bill focuses on organisational liability, directors and officers should note:

  • The Cyber Governance Code of Practice (April 2025) places responsibility on boards
  • Directors can face personal liability for governance failures
  • Insurance and indemnification should be reviewed

8. Timeline

Legislative Progress

| Date | Milestone |
| --- | --- |
| July 2024 | Bill announced in King's Speech |
| November 2025 | Bill introduced to Parliament (First Reading) |
| 6 January 2026 | Second Reading |
| 2026 | Committee stage, Third Reading, Royal Assent expected |
| 2026-2027 | Secondary legislation and phased implementation |

When Requirements Apply

The Bill provides a framework, with detailed requirements to be set through secondary legislation. This means:

  • Core obligations will apply from a date set by regulations
  • Different requirements may have different implementation dates
  • Transition periods may be provided for newly in-scope organisations
  • Regulators will issue sector-specific guidance

What To Do Now

Don't wait for final regulations. The direction is clear:

  • If you're likely to be in scope, start preparing now
  • Requirements will align with CAF and established good practice
  • Early preparation provides competitive advantage
  • Demonstrating compliance will become a commercial requirement

9. How To Prepare: Your Compliance Checklist

Phase 1: Assessment (Start Now)

Scope determination:

  • Assess whether you are directly in scope (OES, RDSP, MSP, data centre)
  • Assess whether you are a critical supplier to in-scope organisations
  • Identify your relevant sectoral regulator
  • Review customer contracts for existing security obligations

Current state assessment:

  • Assess current security posture against CAF
  • Identify gaps in security controls
  • Review incident response capabilities
  • Assess supply chain security measures
  • Review board-level cyber governance

Risk assessment:

  • Identify critical systems and services
  • Assess threats and vulnerabilities
  • Understand potential impact of incidents
  • Prioritise risks for treatment

Phase 2: Planning (Q1-Q2 2026)

Gap remediation planning:

  • Develop roadmap to address identified gaps
  • Budget for required investments
  • Assign responsibilities and ownership
  • Set realistic timelines

Incident response:

  • Review and update incident response plan
  • Ensure 24-hour reporting capability
  • Prepare notification templates (regulator, NCSC, customers)
  • Identify and train incident response team
  • Conduct tabletop exercises

Supply chain:

  • Map critical suppliers
  • Assess supplier security postures
  • Update contracts with security requirements
  • Implement supplier monitoring

Governance:

  • Establish board-level cyber oversight
  • Implement regular reporting to board
  • Align with Cyber Governance Code of Practice
  • Review director training needs

Phase 3: Implementation (Q2-Q4 2026)

Technical controls:

  • Implement security monitoring (24/7 capability)
  • Deploy detection and response tools
  • Strengthen access controls
  • Improve network security
  • Enhance data protection

Processes:

  • Formalise security policies and procedures
  • Implement change management
  • Establish vulnerability management
  • Create security awareness programme

Documentation:

  • Document security measures
  • Maintain evidence for regulatory review
  • Create compliance reporting

Testing:

  • Conduct security testing
  • Test incident response procedures
  • Validate backup and recovery
  • Exercise business continuity plans

Phase 4: Ongoing Compliance (2027+)

Continuous improvement:

  • Regular security assessments
  • Ongoing monitoring and detection
  • Incident response exercises
  • Supply chain reviews
  • Board reporting

Regulatory engagement:

  • Register with regulator(s)
  • Respond to information requests
  • Report incidents as required
  • Implement regulatory directions

10. How DSC Can Help

Dead Simple Computing provides managed IT, security services, and compliance support for regulated industries. We're ISO 27001 certified ourselves and understand what compliance actually requires.

Assessment Services

Cyber Security & Resilience Bill Readiness Assessment

  • Scope determination - are you affected?
  • Gap analysis against expected requirements
  • Risk assessment and prioritisation
  • Compliance roadmap

CAF Gap Analysis

  • Assessment against Cyber Assessment Framework
  • Identification of gaps and weaknesses
  • Prioritised remediation recommendations

Managed Services

Compliance-Ready Managed IT

  • IT support with security and compliance built in
  • Evidence and reporting as standard
  • SIEM integration for monitoring
  • Audit support included

Security Services

  • 24/7 MDR (Managed Detection & Response)
  • UK-based SIEM with Assuria
  • Vulnerability management
  • Security monitoring

Advisory Services

vCISO Services

  • Strategic security leadership
  • Board reporting and governance support
  • Compliance management
  • Regulatory engagement support
  • Incident response planning

Incident Response Planning

  • IR plan development
  • Playbook creation
  • Tabletop exercises
  • 24-hour reporting readiness

Training

Board Cyber Briefings

  • Cyber Governance Code of Practice
  • Board responsibilities under new regulations
  • Risk appetite and governance

11. Further Resources

Official Sources

The Bill:

  • UK Parliament Bill page: parliament.uk
  • Policy statement: gov.uk/government/publications

NCSC:

  • Cyber Assessment Framework: ncsc.gov.uk/collection/caf
  • Cyber Security Toolkit for Boards: ncsc.gov.uk
  • Cyber Governance Training: ncsc.gov.uk

Government:

  • Cyber Governance Code of Practice: gov.uk
  • Government Cyber Action Plan: gov.uk
  • Cyber Governance Mapping: gov.uk

DSC Resources

About This Guide

This guide was prepared by Dead Simple Computing Ltd in January 2026 based on the Cyber Security and Resilience Bill as introduced to Parliament and associated Government publications.

The Bill is subject to amendment as it passes through Parliament. This guide will be updated as the legislative process progresses.

This guide is for informational purposes and does not constitute legal advice. Organisations should seek appropriate professional advice for their specific circumstances.

About Dead Simple Computing

Dead Simple Computing is an MSP/MSSP providing managed IT, security services, and compliance support for regulated industries.

Credentials:

  • CISSP certified
  • ISO 27001 certified
  • Cyber Essentials Plus certified

We help with:

  • Managed IT for regulated industries
  • Security services (MDR, SIEM, awareness training)
  • Compliance (ISO 27001, CE+, NIS2, CAF)
  • vCISO services

Contact us:

  • Web: deadsimplecomputing.co.uk
  • Email: [email protected]
  • Phone: 0118 359 2220
  • Book a call: deadsimplecomputing.co.uk/book

© 2026 Dead Simple Computing Ltd. All rights reserved.