UK Cyber Security and Resilience Bill — What Businesses Need to Prepare For
The UK Cyber Security and Resilience Bill is expected to pass Parliament during 2026. It will expand the scope of UK cybersecurity regulation beyond the current NIS Regulations framework, introduce stricter incident reporting obligations, and give regulators new enforcement powers.
Most SMEs won’t be immediately affected when it passes, but digital service providers, managed services companies, and organisations in critical sectors should be preparing now. Here’s what’s being proposed, who’s likely to be in scope, and what to do while the Bill progresses.
Current Status and Timeline
The Bill is currently progressing through Parliament. The Government’s stated intention is to pass it during 2026, with implementation starting in 2026–2027.
The Bill expands the existing National Infrastructure Security Regulation (NISR) — the UK’s retained framework from the NIS Regulations — which currently covers essential services (energy, transport, water, health) and digital service providers above certain thresholds. The Bill introduces a three-tiered approach:
- Essential services and operators of critical infrastructure — Existing NISR scope, already regulated, enforcement ongoing.
- Important services — A new middle tier, likely to include digital services, managed service providers, and cloud services above certain revenue or user thresholds.
- Smaller organisations — A lighter-touch tier, potentially including SMEs offering digital services, with simplified requirements.
The exact thresholds and requirements are still being defined as the Bill progresses through Parliament.
What’s Changing
Expanded Scope
The current NIS Regulations apply to essential services (energy, transport, water and food supply, health, nuclear safety, digital infrastructure, space and waste management) and to digital service providers of significant scale (social media, online marketplaces, cloud services, DNS services, web hosting, etc.).
The Bill will widen this to include:
- Managed service providers: Companies offering IT services, security services, or infrastructure management to other businesses may come into scope.
- Cloud service providers: those not already in scope under the existing NIS Regulations.
- DNS services and domain registrars: May face stricter requirements.
- Organisations handling critical digital services: The definition of “critical” is expanding.
If you provide digital services, IT support, managed security, or infrastructure to other businesses, start monitoring whether you’re likely to be in scope.
Incident Reporting
The Bill introduces mandatory incident reporting obligations with clearer timelines and lower thresholds:
- Incidents affecting critical services or large numbers of users must be reported to the DCMS (Department for Science, Innovation and Technology) or sectoral regulator within a specified timeframe — likely 24–72 hours depending on severity.
- The reporting timeline is shorter than under current guidance. Current practice is 72 hours; the Bill may require faster reporting for serious incidents.
- The reporting threshold is lower. Incidents affecting a small number of users or causing minor disruption may be reportable under the Bill when they wouldn’t be under current guidance.
For organisations already handling sensitive data under UK GDPR, this adds a new mandatory reporting channel to DCMS alongside ICO notification.
Enforcement Powers
The Bill gives regulators (DCMS, sector-specific regulators like Ofcom, Ofwat, Health and Safety Executive) new enforcement powers:
- Compliance notices: Regulators can issue binding notices requiring organisations to remedy cybersecurity failures within a specified timeframe.
- Penalties: Civil penalties up to £10M or 4% of global annual turnover (alignment with UK GDPR penalties for data protection violations).
- Audit rights: Regulators can conduct on-site audits and demand information about cybersecurity controls.
- Interim measures: Regulators can issue interim measures (e.g., mandatory disconnection of compromised systems) while investigations are ongoing.
These are substantially stronger than current NISR enforcement mechanisms.
Updated Technical Requirements
The Bill is expected to reference updated cybersecurity standards. Current NISR references the NIS Directive and ISO/IEC 27001. The Bill will likely update these to reflect:
- Modern threat landscapes (cloud, API security, supply chain risk)
- Zero-trust architecture principles
- Incident response and recovery capabilities
- Supply chain security requirements (organisations must assess and manage security of their suppliers)
Specific technical requirements are still being finalised.
Who’s Affected
Definitely in Scope
- Essential services operators (energy, transport, health, etc.)
- Large digital service providers (social media, cloud, DNS, web hosting)
- Critical infrastructure operators (already regulated under current NISR)
Likely in Scope (Prepare Now)
- Managed service providers offering IT support, security services, or infrastructure management
- Cloud service providers
- Telecommunications providers
- Large e-commerce and digital marketplace operators
Possibly in Scope (Monitor Progress)
- SMEs offering digital services (APIs, SaaS, managed services)
- SMEs in critical sectors (finance, healthcare, utilities)
- Organisations handling very large volumes of personal data
Not Currently in Scope
- SMEs not offering digital services, even if they use cloud services or online tools
- Very small businesses with minimal supply chain criticality
- Sole traders and micro-businesses
The exact thresholds for the “important services” and lower tiers will be defined in secondary legislation after the Bill passes.
What This Means in Practice
If You’re a Digital Service Provider
Review your customer base and data volumes. Are you handling sensitive data for critical sectors or large numbers of users? Are you in the supply chain of critical infrastructure? If yes, start documenting your current cybersecurity practices against the five Cyber Essentials controls and ISO/IEC 27001. The Bill is likely to reference these standards.
Implement or strengthen: incident response procedures, supply chain risk assessment, backup and recovery testing, access controls, staff training. These align with existing good practice and will likely be mandatory under the Bill.
If You’re a Managed Service Provider or IT Services Company
The Bill will likely bring you into scope. Customers will ask whether you meet the Bill’s requirements, and contracts will start including mandatory security clauses. Start now: document your cybersecurity practices, pursue Cyber Essentials or ISO/IEC 27001 certification, and implement supply chain security assessments of your own suppliers.
If You’re a Cloud Services User (But Not a Provider)
Unless you’re a large enterprise or in a critical sector, you’re unlikely to be directly regulated. But your cloud provider will be. Ensure you’re contractually protected: your cloud provider’s SLAs should include security commitments, incident notification timelines, and recovery capabilities. Review your Data Processing Agreement with your cloud provider to ensure it reflects your security requirements.
If You’re in a Critical Sector (Finance, Healthcare, Utilities)
You’re likely already regulated. The Bill will strengthen enforcement but probably won’t change your core security obligations. Align with the Bill’s likely focus: incident response readiness, supply chain security, regular security assessments.
What to Do Now
1. Assess whether you’re likely to be in scope. Are you offering digital services, managing IT infrastructure for others, or operating critical services? If probably yes, start preparing now.
2. Document your current cybersecurity posture. What controls do you have in place? Map them against Cyber Essentials (five controls) and ISO/IEC 27001 (28 controls). This gives you a baseline and identifies gaps.
3. Implement incident response procedures. The Bill will require faster incident reporting. Document: how you detect incidents, how you respond and contain, how you notify affected organisations and regulators, how you investigate and recover. Even a single-page incident response plan is better than nothing.
4. Strengthen access controls and data security. Multi-factor authentication, strong passwords, regular access reviews, encrypted storage, backup testing. These are foundational for any Bill-compliant organisation.
5. Assess your supply chain. If you rely on third-party services, software, or infrastructure, document their security practices. The Bill will likely require organisations to assess and manage security of their suppliers. Start with your most critical suppliers.
6. Monitor Bill progress. Subscribe to government updates (gov.uk, DCMS news) and sector guidance (NCSC alerts). As secondary legislation is drafted, requirements will become clearer.
7. Engage professional guidance. If you’re likely in scope, consider an assessment from a Cyber Essentials or ISO/IEC 27001 auditor. This gives you independent validation of your baseline and a clear roadmap to compliance.
Key Dates to Watch
| Date | Event | Action |
|---|---|---|
| Q2 2026 | Bill expected to pass Parliament | Prepare for phased implementation |
| 2026–2027 | Secondary legislation drafted | Requirements become clearer |
| 2027 onwards | Phased enforcement begins | Compliance obligations activate |
How the Bill Fits With Other Regulations
The Cyber Security and Resilience Bill doesn’t replace existing regulations — it sits alongside them:
- UK GDPR: The data security obligation (Article 32) remains. The Bill adds a separate cybersecurity obligation. Both apply.
- NIS Regulations: Current essential services obligations remain. The Bill extends and strengthens them.
- Sector-specific regulation: Financial services (FCA), healthcare (CQC), utilities (Ofwat/Ofgem) maintain their own requirements. The Bill adds a cross-cutting cybersecurity overlay.
If you’re in a regulated sector, the Bill adds to your obligations — it doesn’t replace existing ones.
Cross-References
Related UK regulatory changes: Digital Compliance Overview covers the broader regulatory landscape. GDPR Article 32 security requirements are foundational to cybersecurity compliance. If you use AI systems, AI compliance covers AI security and governance.
Next Steps
If you think you might be in scope: Start documenting your cybersecurity practices now. Use Cyber Essentials or ISO/IEC 27001 as your framework.
If you want independent assessment: Bartram Cyber combines external scanning with questionnaire assessment and gives you a detailed readiness report mapping your controls against Cyber Essentials and UK GDPR Article 32.
To stay informed about regulatory changes: Subscribe to our fortnightly newsletter which covers emerging regulations across all UK compliance areas, including cybersecurity.
The Bill is still in development, but the direction is clear: UK cybersecurity regulation is tightening, scope is expanding, and enforcement is strengthening. Starting now puts you ahead of most businesses.