The UK Cyber Security and Resilience Bill: What It Means for Your Business and What to Do Now

If you've seen headlines about the UK's new Cyber Security and Resilience Bill and wondered whether it affects your business, you're not alone. Since the Bill was introduced to Parliament in November 2025, we've had a lot of conversations with SME owners and IT managers asking the same question: do I need to worry about this?

The honest answer is: possibly yes and even if you're not directly in scope right now, the ripple effects will reach you.

Here's what the Bill actually says and what you should be doing about it.

In this blog:

    • What the Bill is and why it exists
    • Which organisations are in scope (including some that will be surprised)
    • The three key obligations you need to act on
    • What the penalties look like
    • Four practical steps to take right now

 

The short version: The Cyber Security and Resilience Bill is the most significant overhaul of UK cyber security law in nearly a decade. It expands who is legally responsible for cyber resilience, tightens incident reporting deadlines, and introduces fines of up to £17 million or 4% of global turnover for serious breaches.

 

Why the Government Is Doing This Now

The existing rules, the Network and Information Systems (NIS) Regulations 2018, were a decent starting point. But they're showing their age. Reviews in 2020 and 2022 flagged significant gaps and the threat landscape has shifted dramatically since then. Ransomware attacks on critical services, supply chain compromises and state-sponsored intrusions have all escalated.

The Bill doesn't replace the NIS Regulations entirely; it reforms and extends them. Think of it as a significant upgrade rather than a complete rewrite. The three core changes are:

    • Expanded scope - more organisations are now covered
    • Faster incident reporting - stricter deadlines for notifying regulators
    • Stronger enforcement - bigger fines and more regulatory power

The goal, as the government's own summary puts it, is to ensure the services the UK relies on daily, from the NHS to energy networks, are genuinely resilient rather than just technically compliant on paper.

 

Who Does the Bill Actually Cover?

This is where it gets relevant for a lot of businesses that assumed they were off the hook.

The original NIS Regulations focused on obvious critical infrastructure: energy, transport, water, health and some digital services. The new Bill significantly expands that list.

Newly in scope under the Bill

Organisation Type

Why They're Included

Managed Service Providers (MSPs)

Trusted access to multiple customer networks makes them a high-value target

Data Centres

Now classified as essential services for the first time

Large Load Controllers

Critical to grid stability as the UK moves toward clean energy

Designated Critical Suppliers

Any supplier whose compromise could cascade to essential services

That last category is the one that catches people off guard. Regulators now have the power to designate any supplier as "critical" if disruption to their services would significantly impact the economy or public life. In practice, this means even smaller businesses supplying goods or services to essential service operators could find themselves in scope - even if they never considered themselves a cyber security-regulated entity.

If you're an MSP, this Bill is directly about you. Medium and large MSPs are explicitly named and the Information Commissioner's Office (ICO) will serve as the regulator. You'll have a statutory duty to assess and manage cyber risk, and you'll be subject to regulatory oversight for the first time under NIS rules.

The New Rules You Need to Know

For organisations that fall within scope, there are three practical obligations that will require real changes to how you operate.

1. Faster incident reporting

The old rules gave you a relatively flexible window to report incidents. That's gone. Under the new Bill:

    • Within 24 hours - submit an initial notification to your regulator (an early warning)
    • Within 72 hours - submit a full, detailed incident report
    • Simultaneously - the National Cyber Security Centre (NCSC) must be notified at the same time as your regulator

Critically, the definition of a "reportable incident" has been broadened. You don't just need to report incidents that have caused significant disruption; you must now report anything capable of causing significant impact. That includes ransomware infections where systems are compromised but haven't fully failed yet.

This means your internal incident response procedures need to be ready to move fast. If your current runbook assumes you have a few days to assess and escalate, it needs updating.

2. Aligning with the NCSC Cyber Assessment Framework

In-scope organisations are expected to comply with robust, nationally recognised standards. The primary benchmark is the NCSC's Cyber Assessment Framework (CAF), which released version 4.0 in August 2025. The CAF is built around four objectives covering network security, vulnerability management, access control and incident response.

If you're not already familiar with the CAF, now is the time to get acquainted. It's the framework regulators will use to assess whether your organisation is meeting its cyber resilience obligations.

3. Notifying your customers

MSPs, data centres, and digital service providers have a new direct duty: if a significant incident is likely to adversely affect your customers, you must tell them. This is a meaningful shift in accountability and one that changes how you communicate during a crisis.

 

What Happens If You Don't Comply?

The enforcement regime is significantly tougher than what came before. The previous maximum fine of £17 million was considered insufficient for large organisations. The new Bill introduces a tiered penalty structure:

    • Less serious breach - up to £10 million or 2% of global annual turnover, whichever is higher
    • Serious breach (e.g., failure to implement security duties or failing to report an incident) - up to £17 million or 4% of global turnover, whichever is higher
    • Ongoing non-compliance - daily fines of up to £100,000

Beyond fines, the Secretary of State now has a "Power of Direction" - the ability to order a regulated entity to take specific action immediately if there's an imminent threat to national security. Regulators can also inspect premises, seize documents, and interview personnel.

The key takeaway here: cyber security is no longer just an IT concern. These penalties are large enough to make this a board-level conversation.

 

What Should You Do Right Now?

The Bill is still working its way through Parliament, and the government has committed to giving businesses an adjustment period before new duties come into force. But waiting until the ink is dry is the wrong approach. Here's where to focus your energy now:

Step 1: Work out if you're in scope

Start with an honest assessment. Are you an MSP, a data centre operator, or a supplier to any essential services organisation? If the answer is yes or "probably", treat yourself as in scope and plan accordingly.

Step 2: Review your incident response plan

Can your team realistically produce an initial notification within 24 hours of discovering an incident? Most organisations we work with can't, not because they lack the capability, but because their processes aren't set up for that speed. Map out your escalation chain now, before you need it. If you're not sure where to start, our guide on building an incident response plan walks through the essentials.

Step 3: Familiarise yourself with the CAF

The NCSC Cyber Assessment Framework is the compliance benchmark regulators will use. CAF v4.0, published in August 2025, is the current version. It covers four core objectives across 14 principles. Even if you're not formally in scope, it's an excellent framework for assessing your own security posture. For many SMEs, Cyber Essentials or Cyber Essentials Plus is a practical first step toward meeting those standards.

A snippet from the NCSC website about the Cyber Assessment Framework

Step 4: Look at your supply chain

Even if your own business isn't directly in scope, your customers or partners may be. They will increasingly ask their suppliers for evidence of strong security practices. Getting ahead of that now means you're a trusted partner rather than a compliance problem.

 

The Bottom Line

The Cyber Security and Resilience Bill isn't just a compliance exercise for large enterprises. It's a signal that the UK government is serious about raising the baseline for everyone, and that the supply chain accountability gap that attackers have exploited for years is being closed.

The businesses that will struggle are those that treat this as a tick-box exercise at the last minute. The ones that will be fine are those that use it as a prompt to get their security fundamentals genuinely in order.

If you're not sure where to start, we can help. At CybaVerse, we work with SMEs and MSPs across the UK to build practical, proportionate cyber security programmes. Whether you need a readiness assessment against the CAF, help tightening up your incident response plan, or just a plain-English conversation about what the Bill means for your specific situation, get in touch.

Latest Insights and Articles

Supply chain attacks have doubled. See why vendor risk is now a major threat to UK SMEs and MSPs, and what to...

Discover the CybaVerse Operator Network for MSPs, MSSPs and resellers. Increase margins with white-label...

Meet Alice, Head of Product. Discover her role, the impact she has on CybaOps and how she's helping shape the...

See How CybaOps Can Take You
From Chaos To Clarity