The Cyber Security and Resilience Bill (CSRB) was first announced in the King’s Speech in July 2024 and aims to modernise the UK’s regulatory landscape by updating the 2018 Network and Information Systems (NIS) Regulations. It reflects the UK Government’s recognition that cyber threats have evolved faster than existing laws, and that recent incidents, including the Synnovis breach and the ransomware attacks on M&S, Co-Op and Harrods, have exposed vulnerabilities across both the public and private sectors, writes Notis Iliopoulos, VP of Managed Risk and Controls at the cyber firm Obrela.
The legislation will expand the scope of regulated entities, introduce stricter incident reporting requirements, strengthen regulator enforcement powers and establish cost-recovery mechanisms to fund oversight activities.
The proposed timeline
The roadmap for the Bill is still unfolding, but its announcement in mid-2024 marked a commitment to strengthening resilience, and a DSIT policy statement in April 2025 gave greater clarity on the obligations organisations will face. The Bill is expected to be introduced to Parliament in late 2025, with secondary legislation anticipated in early 2026. Once passed, additional detail will be set out in statutory Codes of Practice, which are likely to build on the NCSC’s Cyber Assessment Framework.
This approach allows for flexibility, enabling measures to evolve quickly without a new piece of primary legislation each time. Although exact compliance deadlines are not yet fixed, the direction of travel is clear, and organisations likely to be in scope should prepare early to avoid disruption once the regulatory clock starts ticking.
Who is now in scope?
The most significant shift under the CSRB is the expansion of its remit. The original NIS Regulations primarily targeted operators of essential services, for example, energy, health, transport, water and digital infrastructure, along with certain digital service providers such as cloud services, online marketplaces and search engines. The new Bill brings many more organisations into scope.
Managed Service Providers are now included, reflecting the privileged access these companies have to client systems, which makes them an attractive target for attackers. Data centres, especially those offering colocation services, are also expected to be covered because of the growing reliance of critical services on these external hosting environments.
Regulators will also be able to identify and directly regulate “Designated Critical Suppliers”: third-party providers whose compromise could have systemic consequences. This makes scrutiny of the supply chain a regulatory requirement rather than merely best practice. While large private sector employers are not yet covered, there is growing pressure to extend cyber resilience obligations to them via updates to the UK Corporate Governance Code, which is a key area to watch.
New obligations
The Bill strengthens the obligations faced by organisations in scope. Incident reporting will be tightened, with organisations required to notify the NCSC and the relevant industry regulator within 24 hours of identifying a cyber incident. This initial notification will likely need to be followed by a more detailed report within 72 hours, bringing the UK more closely into line with the EU’s NIS2 Directive.
Another important change will be the transformation of the NCSC’s Cyber Assessment Framework from guidance into legally binding technical standards. Organisations will be required to demonstrate compliance through governance structures, technical measures and regular independent audits.
Regulators will be given stronger enforcement powers, including the ability to conduct audits, impose fines and, in severe cases, suspend services. Regulated entities may also be required to pay fees to fund the cost of this enhanced oversight. The Bill is deliberately designed to be adaptive: by relying on secondary legislation to update and refine requirements, the government can respond more rapidly to evolving risks, from supply chain vulnerabilities to the growing sophistication of AI-enabled attacks. The National Cyber Strategy refresh, expected by the end of 2025, may further shape the Bill’s implementation priorities.
Recent breaches have highlighted the potential for digital attacks to cascade across essential services and cause widespread harm. The NCSC has also warned that adversaries are exploiting AI-driven tools to enhance the speed, precision and scale of their operations. This is why comprehensive and flexible regulation is needed.
International alignment is another important driver. By bringing its standards closer to the EU’s NIS2 Directive and frameworks such as DORA, the UK is better positioning itself as a jurisdiction with consistent, high levels of resilience obligations. It will also simplify compliance for multinational firms operating across borders. The government’s parallel work on the Code of Practice for the Cyber Security of AI signals a broader intent to harmonise resilience across emerging technologies.
What steps are needed?
The implications for technology and business leaders are widespread: more organisations will find themselves under direct regulation, and obligations around incident reporting, governance and supply chain management will be significantly more demanding. Regulators will have greater enforcement powers, and compliance will carry direct financial costs in the form of potential fees.
This means the Bill is not something that organisations can afford to address reactively. Leaders need to begin by assessing their current maturity against the Cyber Assessment Framework and identifying gaps that will need to be closed. Supply chains should be mapped and assessed for resilience. Incident response plans should be reviewed to ensure they are ready to meet shortened reporting timelines. Finally, organisations need to be engaged with the policy process, as the details of secondary legislation will shape the precise technical standards and reporting formats they will need to adopt.
The Cyber Security and Resilience Bill is the most significant overhaul of the UK’s cyber regulatory framework since 2018. By broadening its scope, tightening its obligations, and empowering regulators, the Bill signals a more assertive stance on national cyber resilience. The organisations that start preparing now will be best placed not only to comply but also to build resilience and use it as a competitive advantage.