
The Cyber Security and Resilience Bill - What to Do Now, Pre-Act, and Ongoing

1 May 2026

Our earlier overview of the Cyber Security and Resilience Bill covered what it changes and who it affects. This post is the follow-up: a practical checklist sorted by urgency. If you are responsible for compliance in an in-scope organisation, you should be able to read this, hand it to your board, and start ticking items off.

Are You in Scope?

The Bill amends the NIS Regulations 2018 rather than replacing them. It keeps existing categories and adds new ones. Work through the table below.

| Entity type | Threshold / condition | Status | Key action |
|---|---|---|---|
| Operator of Essential Services (OES) | Energy, transport, water, health, digital infrastructure (already designated) | Already in scope | Review posture against tightened obligations |
| Relevant Digital Service Provider (RDSP) | Online marketplace, cloud, search engine (already designated) | Already in scope | Add direct customer notification to incident response |
| Data centre operator | Colocation: rated IT load >= 1 MW. Enterprise-only: >= 10 MW | Newly in scope | Map NIS boundary; begin CAF assessment |
| Managed Service Provider (MSP) | Medium and large providers with privileged access to client systems | Newly in scope | Audit client contracts; expect cascade obligations |
| Large load controller | Aggregate control of >= 300 MW of smart electricity load | Newly in scope | Contact energy sector competent authority early |
| Designated Critical Supplier (DCS) | Supplier to an OES/RDSP whose disruption could cause significant impact; designated by regulators | Watch | Review dependency relationships with regulated customers |
| General commercial organisation | Not directly in scope unless designated as a DCS | Not in scope* | Expect contractual pressure from regulated customers |

* Not in scope does not mean not affected. OES and RDSP customers will cascade cyber obligations into contracts. The Bill's scope can also expand via secondary legislation without a new Act.
Interactive Compliance Explorer

We have built an interactive tool to help you navigate the Bill. Select your organisation type to see which obligations apply under NIS 2018 and the CSR Bill, compare them side by side, and find your regulator.

Open the UK Cyber Compliance Explorer →

Parliamentary Timeline

Know the windows when preparation becomes expensive.

| Date | Milestone |
|---|---|
| July 2024 | Announced in King's Speech |
| April 2025 | Policy statement published: scope, thresholds, and penalties confirmed |
| November 2025 | First reading: Bill introduced to the Commons |
| January 2026 | Second reading; Cyber Action Plan published |
| January–February 2026 | Committee stage: line-by-line scrutiny |
| Spring/Summer 2026 | Report stage and third reading (remaining Commons stages), then House of Lords |
| Late 2026 (estimated) | Royal Assent: the Bill becomes law |
| 2027 onwards | Secondary legislation and codes of practice: Secretary of State expands scope and introduces technical requirements |

Existing NIS 2018 entities are expected to face the new duties immediately on commencement, so do not wait for Royal Assent to start. Newly in-scope entities should treat preparation as urgent now: incident response uplift and CAF alignment take months to embed, not weeks.

The Checklist

NOW

These are actions that in-scope organisations should be taking today.

Governance

  • Determine whether your organisation is in scope: OES, RDSP, data centre, MSP, large load controller, or critical supplier.
  • Assign board-level ownership of CSRB compliance. This is not solely an IT matter.
  • Map all network and information systems supporting essential or digital services. Define your NIS scope boundary clearly.
  • Assess current posture against the NCSC Cyber Assessment Framework (CAF). This is the expected compliance benchmark for regulators.
  • Align board-level governance to the Cyber Governance Code of Practice (2024), which is explicitly referenced alongside the Bill in government guidance.

Incident reporting

  • Update incident response plans: initial notification within 24 hours, to the regulator and the NCSC simultaneously.
  • Update full-report procedures for the 72-hour deadline: root cause, scope, and impact assessment.
  • Broaden the reportable incident definition: the new threshold includes events capable of adversely affecting systems, not just those causing disruption.
  • If you are a data centre, RDSP, or MSP: establish a direct customer notification process. This is your obligation, not the regulator's.

PRE-ACT

These are actions to take before commencement, while you still have time to implement without regulatory pressure.

Supply chain

  • Audit your critical supply chain. Identify where supplier failure could significantly disrupt your essential service.
  • Update supplier contracts: include cyber security obligations, incident disclosure requirements, and right-to-audit clauses.

Regulatory engagement

  • Engage your sector regulator on the "significant incident" definition for your sector. The primary legislation leaves this loose; regulator guidance will fill the gap.
  • Build a regulatory watch process. The Secretary of State can expand scope and introduce new requirements via secondary legislation without a new Act.

ONGOING

These are habits and processes that should persist long after the Bill becomes law.

  • Train staff beyond the technical team. Legal, operations, communications, and board members need to understand reporting duties and escalation paths.
  • Monitor secondary legislation and regulator consultations. The compliance perimeter is not static.
  • Review cyber insurance coverage against the new penalty regime, including the 10% turnover tier for national security direction non-compliance.
  • Revisit CAF mapping at least annually. The framework is outcomes-based, not a checklist: maturity degrades without maintenance.

What the Regulators Will Look For

The Bill gives regulators proactive powers: they can request information and conduct inspections without waiting for an incident. A new cost-recovery mechanism means enforcement activity can be funded by the organisations being investigated.

What this means in practice: compliance is not just about having policies. It is about being able to demonstrate, on demand, that your controls are operational and effective. A well-documented CAF self-assessment, an incident response playbook that has been exercised, and supplier contracts with teeth will matter more than a policy binder that nobody has opened.

What Happens If You Do Nothing

The penalty structure is severe enough that inaction is a board-level risk decision, not an operational oversight.

  • Standard breach: up to £10 million or 2% of global turnover
  • Higher breach: up to £17 million or 4% of global turnover
  • National security direction non-compliance: up to £17 million or 10% of global turnover
  • Continuing contravention: up to £100,000 per day

For a mid-market organisation with £100 million global turnover, a standard breach could trigger a £2 million fine. A national security direction failure could trigger £10 million. These figures are turnover-linked, so they scale with organisational size. There is no ceiling that provides comfort to a large enterprise.

The Bottom Line

The Bill is not a one-time compliance event. The Secretary of State can expand scope, introduce new technical requirements, and issue national security directions without returning to Parliament. Your compliance posture needs to be living documentation, not a project with an end date.

Start with the NOW items. They are the foundation everything else builds on.


Richard Midwinter
CTO
