The UK Cyber Security and Resilience Bill: Expert Guide to Business Compliance

The UK Cyber Security and Resilience Bill expands mandatory cybersecurity obligations to a wider range of UK businesses and digital service providers. This guide explains what the Bill contains, which organisations are in scope, the new incident reporting requirements and the practical steps businesses should take to prepare.

Matt Cannon

Managing Director

10 min read·Mar 2026

Background: From NIS Regulations to the Resilience Bill

The UK's existing Network and Information Systems (NIS) Regulations 2018 implemented the EU's original NIS Directive, creating mandatory cybersecurity and incident reporting obligations for operators of essential services (energy, transport, water, digital infrastructure, health) and relevant digital service providers (online marketplaces, search engines, cloud services).

The UK government determined that the 2018 NIS Regulations were insufficient for the current threat environment. The Cyber Security and Resilience Bill, introduced in the 2024–25 parliamentary session, is the government's legislative response — updating and expanding UK cybersecurity regulation independently of EU NIS2, which the UK is not obliged to follow post-Brexit.

What the Resilience Bill Does

The Bill's stated objectives, as set out in the government's pre-legislative materials, include:

Expanded Sector Coverage

The Bill extends the scope of mandatory requirements beyond the existing NIS Regulations to cover managed service providers (MSPs), IT service companies and additional digital infrastructure providers. This is a significant expansion — under current law, most UK MSPs and IT service businesses have no mandatory cybersecurity obligations. Under the Resilience Bill, larger MSPs and those providing services to in-scope organisations will be subject to formal requirements.

Mandatory Incident Reporting

The Bill introduces strengthened incident reporting requirements, requiring in-scope organisations to notify the relevant competent authority within defined timeframes when a significant cyber incident occurs. Early indications suggest a 24-hour initial notification requirement (shorter than the current 72-hour window) for significant incidents, with a more detailed follow-up report required within a longer period.

Supply Chain Security

The Bill is expected to introduce explicit supply chain security obligations — requiring in-scope organisations to assess the security of their ICT suppliers and impose minimum security requirements on those suppliers by contract. This reflects the growing recognition that cyber risk in a supply chain can affect the security of multiple organisations simultaneously.

Enhanced Regulatory Powers

The competent authorities (NCSC, Ofcom, sector regulators) are expected to receive enhanced powers to proactively investigate compliance, impose improvement notices and levy higher penalties for non-compliance. The current NIS Regulations maximum fine is £17 million — the Resilience Bill is anticipated to raise this ceiling.

Who Is In Scope?

The full scope will be determined when the Bill receives Royal Assent and secondary legislation is published. Based on published pre-legislative materials and the government's consultation responses, in-scope categories are likely to include:

  • Existing NIS-regulated operators: Operators of essential services and existing digital service providers under the 2018 Regulations
  • Managed service providers: IT and managed service companies providing services to other businesses, particularly to in-scope organisations
  • Data centre and cloud providers: Additional digital infrastructure providers not currently covered
  • Expanded digital services: Potentially extending to categories not covered in 2018

UK SMEs operating in sectors unrelated to essential services or digital infrastructure may not be directly in scope, but may face indirect requirements through their supply relationships with in-scope clients who must apply supply chain security obligations downstream.

Timeline and Implementation

As of early 2026, the Bill is progressing through Parliament. Royal Assent is anticipated in 2026, with implementation regulations expected to provide a 12–18 month transition period before requirements take effect for newly in-scope organisations.

Businesses that believe they may be in scope — MSPs, IT service providers, digital service businesses — should not wait for Royal Assent to begin preparation. The gap assessment, policy development and technical control implementation needed to meet the anticipated requirements can take 6–12 months for a typical SME.

Practical Preparation Steps

Regardless of whether your business is directly in scope, the controls anticipated under the Resilience Bill represent sound cybersecurity practice:

  1. Assess your scope exposure: Do you provide IT or managed services to organisations in regulated sectors? Are you a digital service provider? Seek legal advice if your scope position is unclear.
  2. Develop an incident response plan: Document a process for detecting, managing and reporting significant cyber incidents — aligned to the anticipated reporting timeframes.
  3. Review supply chain security: Assess the security posture of your critical IT and software suppliers and include security requirements in supplier contracts.
  4. Achieve Cyber Essentials certification: A recognised baseline demonstrating foundational controls are in place — likely to be relevant to demonstrating compliance under the new framework.
  5. Establish board-level cyber governance: The Bill is expected to require demonstrable board accountability for cybersecurity, not just delegation to IT.
  6. Engage your legal and cyber advisers: The Resilience Bill will have legal implications beyond technical controls — engage specialist advice before the implementation deadline approaches.

Is Your Business Ready for the Resilience Bill?

AMVIA can assess your likely scope exposure under the Cyber Security and Resilience Bill and identify the technical and governance gaps that need to be addressed before the Bill's requirements take effect.