UK Cyber Security and Resilience Bill — What to Prepare For
The UK Cyber Security and Resilience Bill has cleared committee stage and a carry-over motion was passed in March 2026. It’s expected to pass into law during 2026 and to come into force in 2028. The Bill expands the scope of the existing NIS Regulations (which currently apply only to essential services and large digital service providers) to include a wider range of organisations, strengthens incident reporting requirements, and gives regulators new enforcement powers.
For many SMEs, the Bill may bring your business into formal cybersecurity regulation for the first time. This isn’t another “optional” standard like Cyber Essentials. This will be law, with enforcement and penalties. Understanding what’s coming is the first step to preparing.
What the Bill Changes
The existing NIS (Network and Information Systems) Regulations, which came into force in 2018, apply to “essential services” (energy, water, transport, health) and “digital service providers” above certain thresholds (payment services, online marketplaces, search engines, cloud services, data centre operators). Organisations in scope must implement security standards and report significant cyber incidents to the regulator.
The Cyber Security and Resilience Bill expands this scope significantly:
Wider Scope of “In-Scope” Organisations
The Bill introduces the concept of “critical digital infrastructure” — a broader and more flexible category than today’s NIS-regulated sectors. The exact threshold is still being finalised, but early indications are that the scope will expand to include:
- Medium-sized digital service providers below current thresholds
- Managed IT service providers (MSPs) and managed security service providers (MSSPs)
- Cloud infrastructure providers at all scales
- Internet Exchange Points (IXPs) and Domain Name System (DNS) operators
- Larger e-commerce and online service platforms
Most SMEs won’t automatically come into scope — a 20-person SaaS business, for example, probably won’t be classified as critical digital infrastructure on day one. But SMEs that provide IT services to other businesses, operate cloud infrastructure, or offer digital services to large customer bases may find themselves in scope depending on how the final criteria are defined.
Strengthened Incident Reporting
The Bill tightens incident reporting requirements. Currently, NIS organisations must report “significant” incidents to the regulator (NCSC). The Bill clarifies what “significant” means, lowers the reporting threshold, and shortens the reporting window. Early drafts suggest:
- Incidents must be reported within 24 hours of discovery (tighter than today’s “without undue delay”)
- A broader definition of what qualifies as “significant” — potentially including incidents that don’t cause immediate impact but could lead to impact
- Requirement to report the status of containment and remediation efforts, not just the incident itself
This affects every organisation that might be in scope. The 24-hour window is tighter than most businesses currently operate to, and meeting it requires faster incident detection and assessment than many have in place today.
Enforcement and Penalties
The Bill introduces new penalty regimes. Details are still pending, but early indications suggest:
- Civil enforcement powers (improvement notices, compliance notices)
- Financial penalties for failures to meet security standards or report incidents
- Potential personal liability for directors or senior management in egregious cases
The regulator (likely NCSC or a delegated authority) will have explicit enforcement powers rather than today’s advisory approach.
Who Will Likely Be in Scope
Definitely in scope:
- Essential services (energy, water, transport, health) — already regulated
- Large digital service providers (payment services, online marketplaces, search engines, large cloud providers) — already regulated, scope likely expands slightly
- Critical digital infrastructure operators — new category, exact definition pending
Probably in scope:
- Managed IT service providers (MSPs) serving medium-to-large customer bases
- Managed security service providers (MSSPs)
- Cloud infrastructure providers at medium scale
- Larger e-commerce and online platforms
- Financial technology firms above certain thresholds
- Telecommunications providers (increasingly part of critical infrastructure)
Probably not in scope:
- Small professional services firms (accountants, consultants) with basic digital operations
- Retailers with physical presence and online sales
- Hospitality and leisure businesses
- Manufacturers with in-house IT systems
- Small professional agencies
The practical test is: if your business failure would significantly disrupt UK digital infrastructure, critical services, or a large customer base’s operations, you might be in scope. If you’re a 30-person accounting firm using Microsoft 365, you’re not.
What This Means for Your Business
If You’re Likely In Scope
If you provide digital services, operate IT infrastructure for others, or offer critical online services, you should assume the Bill will affect you when it becomes active (expected 2028, with a transition period through 2026–2027).
Prepare now by:
- Implementing security governance: policies, procedures, training, incident response plan
- Establishing baseline security controls aligned to Cyber Essentials (which will likely become a de facto requirement)
- Implementing incident detection and response — you need to know when you’ve been compromised within hours, not days
- Documenting your security measures and risk management processes
- Creating an incident report template that can be sent to regulators within 24 hours of discovery
If You’re Probably Not In Scope
Most SMEs won’t be immediately affected. You don’t need to restructure your entire security posture tomorrow. But note that the Bill creates a downstream effect: if you’re a customer of a regulated provider (using cloud services, outsourcing IT), that provider will face new compliance requirements and may pass through costs or impose tighter requirements on their customers.
Also note that the Bill doesn’t override existing regulations. UK GDPR security requirements apply regardless of NIS scope. If you process personal data, you must maintain “appropriate technical and organisational measures” — which the ICO increasingly interprets as meaning “at least Cyber Essentials level security.” The Bill just formalises what many regulators already expect.
What to Do Now
1. Determine Your Likely Scope
Does your business:
- Provide IT services or infrastructure to other businesses?
- Operate cloud or data centre infrastructure?
- Provide payment processing or financial services?
- Operate a significant online platform or marketplace?
- Manage networks or telecommunications?
- Operate in a critical sector (energy, water, transport, health)?
If yes to any of these, monitor the Bill’s progression and prepare for potential scope. If no, you’re likely fine but should still implement baseline security hygiene (see point 2).
2. Implement Baseline Cybersecurity
Whether or not the Bill affects you directly, the trend across all regulators is toward higher baseline security expectations. Implement the five Cyber Essentials controls now:
- Firewalls and internet gateways (control what traffic enters/exits your network)
- Secure configuration (systems hardened against attack)
- User access control (only people who need access have access; multi-factor authentication on critical systems)
- Malware protection (antivirus on all systems that can run it)
- Security update management (patches applied monthly, vulnerabilities patched urgently)
For most SMEs, these five controls cost £5K–£15K to implement (new tools, configuration, staff training). Cyber Essentials certification costs an additional £500–£2K. This is a one-time investment that reduces your cyber risk, improves your insurance position, and prepares you for future regulation.
3. Create an Incident Response Plan
Document: how you detect incidents, who’s responsible for assessment, who reports to regulators, what the timeline is. The 24-hour reporting timeline in the Bill (expected requirement) means you need rapid assessment. Practice your response plan annually. Test your backup and recovery processes.
4. Review Your Customer Contracts
If you’re an MSP, MSSP, cloud provider, or IT service provider, your customers will increasingly demand evidence of your security practices. Update your contracts to reflect your security posture. Create a simple “security summary” or “security brief” you can share with customers to demonstrate compliance.
5. Monitor the Bill’s Progress
The Bill is expected to pass in 2026, but the exact scope, penalties, and timeline are still being finalised. Set a reminder to check GOV.UK and NCSC updates quarterly. Subscribe to NCSC alerts if you’re in a relevant sector. The government will publish guidance on how the Bill will apply once it becomes law.
Key Takeaways
The Cyber Security and Resilience Bill is not optional compliance like Cyber Essentials. It will be law with enforcement and penalties. Most SMEs won’t be immediately affected, but the trend is toward wider scope and stricter requirements.
The practical step: implement baseline cybersecurity now (Cyber Essentials or equivalent). This protects you against actual cyber threats (43% of UK businesses reported a breach in 2025), improves your insurance position, meets existing GDPR security obligations, and positions you well if the Bill brings you into scope.
If you’re an IT service provider or operate digital infrastructure, assume the Bill will affect you and plan accordingly. The transition period (2026–2027) gives you time to build compliant practices before enforcement begins.
For a practical assessment of your cybersecurity posture against baseline standards and preparation for incoming regulations, Bartram Cyber screens your external security, internal controls, and compliance readiness — and delivers a prioritised action plan with cost estimates for each control.
The window for preparation is open. Use it.