The Cyber Security and Resilience Bill

What to expect

Industry specialisms | 30.10.2025 | 6 mins read

Key takeaways

New bill strengthens UK cyber resilience framework

Organisations must prepare for stricter compliance obligations.

Expanded duties for critical infrastructure providers

Enhanced reporting and security standards will apply across sectors.

Proactive risk management becomes a legal necessity

Early investment in systems and training reduces liability exposure.

In our final article as part of October’s Cybersecurity Awareness month, we look at the Cyber Security and Resilience Bill (CSRB) which the UK Government is intending to introduce — a significant step toward modernising the country’s approach to cyber regulation and protecting critical national infrastructure.

While the Bill has yet to be introduced to Parliament, its underlying aims and likely direction are becoming clearer. We outline below what is currently known and what organisations should begin preparing for.

A Modern Framework 

The CSRB builds on the foundations of the Network and Information Systems (NIS) Regulations 2018, which were originally designed to protect essential services and digital providers. Since then, the cyber threat environment has changed dramatically, requiring increased regulation.

The Government’s recent policy statement highlights three key objectives:

  1. Expanding the scope of regulation to capture a wider range of essential digital services and their suppliers;

  2. Enhancing resilience by setting clearer and more robust security standards; and

  3. Empowering regulators to act quickly and flexibly as threats evolve.

In effect, the CSRB seeks to make cyber resilience not only best practice for organisations but a legal obligation — a recognition that digital infrastructure is now as critical as physical infrastructure to the UK’s economy and national security.

Key developments to expect

Although the Bill has not yet been finalised, several likely developments have been outlined in the Government’s statement and subsequent industry commentary:

  1. Broader regulatory reach - The scope of the UK’s cyber security regime is expected to widen beyond traditional “operators of essential services.” Managed service providers (MSPs), data centres, and other digital infrastructure operators are likely to be brought into scope, recognising their increasing role in maintaining service continuity and national resilience.

  2. Stronger supply chain oversight - Regulators may gain new powers to designate “critical suppliers” — allowing them to impose obligations on both suppliers and customers within key supply chains. This reflects the growing awareness that third-party vulnerabilities can pose system-wide risks.

  3. More prescriptive security standards - The Bill will likely introduce specific, measurable requirements for cyber protection, building on frameworks such as the NCSC’s Cyber Assessment Framework. This shift could move compliance from a “best efforts” approach toward a more auditable, evidence-based model.

  4. Stricter incident reporting timelines - The new regime is likely to include faster reporting obligations, potentially in two stages: an initial early notification within 24 hours, followed by a detailed report once investigations are complete. This would bring the UK closer to EU NIS2 standards and promote quicker national coordination during incidents.

  5. Enhanced regulatory powers - Regulators are expected to receive expanded powers to conduct audits, request information, and issue enforcement directions. They may also be given flexibility to amend requirements via secondary legislation, allowing the regime to evolve without repeated Acts of Parliament.

  6. Recognition of data centres as critical infrastructure - Data centres could be formally classified as part of the UK’s critical national infrastructure, reflecting their strategic importance. This would introduce additional security and resilience obligations for operators in the sector.

What remains unclear

While the Bill’s objectives are well-defined, several practical details remain uncertain. These include:

  • The precise thresholds for when an organisation becomes in-scope;

  • How the regime will apply to smaller entities or those newly captured;

  • The interaction between the CSRB and other legal frameworks such as UK GDPR and sector-specific regulations; and

  • The extent to which technical standards will be prescribed versus left to industry codes of practice.

Until the draft Bill is published, these details will remain fluid — but they are crucial to all organisations in understanding compliance, burden and cost.

Preparing for change

Even before the Bill’s formal introduction, organisations can take steps to prepare:

  • Map exposure: Identify whether your business, services, or key suppliers are likely to fall within the anticipated scope.

  • Review governance: Ensure cyber resilience has appropriate oversight at senior management and board level.

  • Assess reporting readiness: Examine whether your incident response procedures can support faster notification requirements.

  • Engage suppliers: Review contractual arrangements, audit rights, and information-sharing obligations.

  • Benchmark against frameworks: Align internal security policies with recognised standards such as ISO 27001 or the NCSC Cyber Assessment Framework.

  • Monitor legislative progress: The draft Bill and consultation process will provide further clarity — staying informed will allow for early adaptation.

A step toward greater national resilience

The forthcoming Cyber Security and Resilience Bill marks a pivotal moment in the UK’s approach to digital risk. It signals a move away from voluntary compliance and toward enforceable resilience, bringing the UK broadly in line with the EU’s NIS2 framework while preserving domestic flexibility.

For businesses, this represents both a compliance challenge and an opportunity: those who prepare early will not only reduce legal and operational risk but also demonstrate trustworthiness and readiness in an increasingly security-conscious marketplace.

For further information on this topic, please contact Martha Allen or Kate Steele.
