For a piece of legislation first announced in the July 2024 King’s Speech, the progress of the Cyber Security and Resilience Bill has been steady rather than dramatic. But its implications for security leaders are substantial.
If you have not been tracking it closely, you are not alone. Most CISOs have been occupied with more immediate concerns: hostile cyber activity, supply chain breaches, and the constant pressure to demonstrate return on security investment. Yet this Bill will reshape the regulatory landscape for UK critical infrastructure, digital services, and their supply chains. Understanding its trajectory now saves expensive scrambling later.
Where the Bill Stands
Sponsored by DSIT, the Bill is currently in the Commons at Report stage.
Royal Assent is expected in late 2026. The government has been clear that implementation will be phased, with secondary legislation bringing specific obligations into force progressively through 2027 and 2028. Some provisions may take effect immediately upon Royal Assent. Most will not.
The timetable gives regulators and industry time to prepare. It also creates a dangerous temptation to defer action until dates are confirmed. That would be a mistake. The scope categories, reporting timelines, and penalty structures are already defined in the Bill. The broad direction of travel is, in all likelihood, fixed.
What is not yet fixed is the detail. Thresholds for specific sectors, exact security requirements, and Statutory Codes of Practice will all come through secondary legislation and regulator consultation. CISOs should be tracking those consultations now, not waiting for the final text. The Bill gives you the framework; the secondary legislation will give you the checklist.
What the Bill Actually Does
The Bill amends the Network and Information Systems Regulations 2018 rather than replacing them. It expands who falls under regulatory oversight, tightens reporting obligations, and gives regulators substantially stronger enforcement tools.
Expanded Scope
The most significant change is the broadening of regulated entities. The existing NIS regime covers Operators of Essential Services and Relevant Digital Service Providers. The Bill adds:
The last point deserves particular attention. It creates a flexible mechanism to capture supply chain dependencies that do not fit neatly into predefined categories. If you supply services to critical infrastructure operators, you could be brought into scope by designation even if your sector is not explicitly listed.
Incident Reporting: The 24-Hour Clock
The Bill introduces a two-stage reporting structure:
This is tighter than the existing NIS framework and mirrors the NIS2 Directive’s timelines. Crucially, the Bill requires dual notification - both to the sector-specific competent authority and to the NCSC. Organisations accustomed to single-point reporting will need to update their playbooks.
Customer notification is also required for data centres, RDSPs, and MSPs — they must take reasonable steps to identify and directly notify affected UK customers, explaining the incident and its likely impact. This is a direct obligation, not notification via the regulator. It creates a third communication thread alongside regulatory reporting, each with different content requirements and audiences.
There is one major practical change that is easy to miss: the threshold for reporting has shifted. Under NIS 2018, you only reported incidents that had actually caused significant disruption. Under this Bill, the threshold is lower — you must report incidents that are capable of adversely affecting the IT systems on which your essential or digital services rely. Events that compromise security without yet causing disruption may now be reportable.
There is a related unresolved problem: the Bill does not tightly define what counts as "significant" or "capable of adversely affecting." Those definitions will likely come through secondary legislation or regulator guidance, and they may differ by sector. Until they are published, every incident response playbook is built on an assumption. CISOs should engage with their sector regulator now to understand how the threshold is likely to be interpreted.
The Penalty Regime
The Bill replaces the existing flat penalty caps with a breach-type structure:
| Breach type | Maximum penalty |
|---|---|
| Standard breach | Greater of £10 million or 2% of global annual turnover |
| Higher breach | Greater of £17 million or 4% of global annual turnover |
| National security direction non-compliance | Greater of £17 million or 10% of global annual turnover |
| Continuing contravention | Up to £100,000 per day |
The 10% tier for national security direction failures is the most consequential change. A company with £500 million global revenue faces up to £50 million for non-compliance with a Secretary of State direction. These are not hypothetical figures.
Alongside the new penalty regime, regulators also gain broader inspection powers, information-gathering authority, and the ability to recover costs from regulated entities.
The CAF on Statutory Footing
The NCSC Cyber Assessment Framework, previously guidance, gains stronger statutory recognition as the baseline for in-scope organisations. If you are not already familiar with the CAF’s four objectives - Manage Security Risk, Protect Against Cyber Attack, Detect Cyber Security Events, and Minimise the Impact of Cyber Security Incidents - now is the time to acquaint yourself.
The Bill also creates powers for the Secretary of State to issue national security directions to specific entities, requiring particular actions or prohibiting certain practices where threats to national security are identified.
It is worth noting that the Bill does not create personal director liability on its face. The penalties attach to organisations. But the CAF is an outcomes-based framework that embeds accountability at board level. Directors who treat cyber resilience as an IT matter rather than a governance responsibility will find they cannot credibly claim ignorance when a regulator comes calling. The direction of travel is clear: boards own this risk.
Does This Actually Change Anything for CISOs?
It depends.
If You Are Already NIS-Regulated
For existing Operators of Essential Services, the Bill tightens requirements you already know. The 24-hour reporting window is new. The dual notification obligation is new. The customer notification requirement is new. The penalty increases are new. But the fundamental architecture - sectoral regulation, security duties, incident reporting - is familiar.
One complication for energy, water, and transport operators is operational technology. The Bill's critical national infrastructure focus means OT environments are squarely in scope. Applying 24-hour incident reporting and CAF controls to OT/ICS networks, where detection tooling is often immature and segmentation is physically constrained, is genuinely harder than in corporate IT. If your OT security programme lags your IT programme, that gap is now a regulatory exposure.
Your preparation focus should be on:
If You Are a Managed Service Provider
This is where the Bill bites hardest. MSPs previously operated outside direct NIS oversight. Now they fall within scope as Relevant Managed Service Providers. If you provide IT services, security operations, cloud management, or infrastructure support to essential services operators, you will face direct regulatory obligations.
This means:
For MSPs that have built their business model on speed and flexibility, this represents a structural shift. Security governance, documentation, and audit readiness become competitive necessities.
If You Supply to Regulated Entities
Even if you are not directly in scope, expect compliance pressure from customers. The Bill places supply chain risk management obligations on in-scope organisations. They will need to demonstrate that their suppliers meet appropriate security standards.
If you sell into critical infrastructure, healthcare, energy, transport, or financial services, your customers will soon be asking for:
This is already happening informally but the Bill formalises it.
If You Are Outside Scope Entirely
For organisations with no connection to critical infrastructure or regulated digital services, the direct impact is limited. But the indirect effects are worth noting. The Bill signals where UK cyber regulation is heading. The boundary between "regulated" and "unregulated" will not remain static. And the security practices the Bill mandates - CAF alignment, robust incident response, supply chain oversight - are usually good practice regardless of regulatory obligation.
The NIS2 Comparison
Organisations operating across the UK and EU face a familiar challenge: parallel but not identical regimes. The Bill and NIS2 share principles - 24/72-hour reporting, supply chain obligations, expanded scope - but differ in implementation:
| Factor | UK Bill | EU NIS2 |
|---|---|---|
| Regulator model | Sector-specific (e.g., Ofcom, Ofgem, ICO) | Designated national authorities |
| Notification | Dual: regulator + NCSC | Single competent authority |
| Data centre thresholds | 1MW colo / 10MW enterprise | No explicit capacity thresholds |
| Critical supplier mechanism | Secretary of State designation | Not explicitly included |
| Maximum penalties | £17m / 4% turnover | €10m / 2% turnover (essential services) |
| Baseline standard | NCSC CAF | Member state determined |
If you are already preparing for NIS2, you have a head start. But the UK-specific obligations require dedicated attention: dual notification, CAF alignment, and the critical supplier mechanism. Do not assume NIS2 compliance automatically satisfies UK requirements.
Practical Preparation: What to Do Now
Regardless of your current regulatory status, several actions make sense:
1. Scope Assessment
Determine whether your organisation or your services fall within the expanded definitions. For MSPs and data centre operators, this is straightforward. For suppliers to critical infrastructure, it requires understanding your customers' regulatory status and whether designation as a critical supplier is plausible.
2. Incident Response Playbook Update
The 24-hour notification window is unforgiving. Most organisations currently take 48-72 hours simply to understand whether an incident is significant. You need:
3. CAF Mapping
If you have not mapped your controls against the Cyber Assessment Framework, do so. The CAF is not a checklist; it is an outcomes-based framework. For each of its four objectives, identify your current maturity, gaps, and remediation roadmap.
4. Supply Chain Audit
In-scope organisations must manage cyber risk throughout their supply chains. Even if you are not directly regulated, your customers will expect cooperation. Review your contracts, security questionnaires, and incident notification clauses. Ensure you can meet the security and reporting expectations that will flow down from regulated customers.
5. Board Engagement
The Bill elevates cyber resilience to a board-level accountability. Security is no longer an IT concern; it is a regulatory compliance and business continuity issue. Ensure your board understands the Bill’s implications for the organisation, the potential penalties, and the investment required to comply.
The Bottom Line
The Cyber Security and Resilience Bill is not a revolution. It is an evolution - an update to legislation written in 2018 for a threat landscape that has transformed since then. The core obligations are extensions of existing principles: know your risks, protect your systems, detect incidents quickly, report them promptly, and manage your supply chain.
For CISOs, the practical reality is that most of what the Bill requires should already be happening in well-run security programmes. The difference is that compliance becomes mandatory rather than voluntary, and the penalties for failure become severe rather than symbolic.
The organisations that will handle this transition smoothly are those that start preparing now, while the Bill is still in Parliament and the implementation timeline remains measured. Those that wait for Royal Assent or the first enforcement action will face compressed timelines and elevated costs. The smart move is to prepare now.