The UK’s Cyber Security and Resilience Bill marks the most significant overhaul of cross-sector cyber regulation since the Network and Information Systems Regulations 2018. It expands who is regulated, tightens incident reporting, strengthens enforcement and gives government new powers to direct action on national security grounds.
The direction of travel is clear: cyber security is being treated as a matter of national resilience, with direct supervisory oversight and broader supply chain reach. The practical question for most boards is straightforward: are we in scope?
What the Bill does
The Bill updates and amends the existing NIS regime and does several things at once:
- Expands the categories of regulated entities
- Introduces a critical supplier designation power
- Reforms incident reporting thresholds and timelines
- Strengthens regulator inspection and information-gathering powers
- Establishes a Code of Practice framework and a Statement of Strategic Priorities
- Enables cost recovery and national security directions
Who is directly in scope?
The starting point remains operators of essential services and certain relevant digital service providers under the current NIS framework. That includes sectors such as health, energy, transport and digital infrastructure, and digital services such as cloud computing. The Bill then moves further.
Managed Service Providers (MSPs)
Medium and large MSPs will be directly regulated, with the Information Commissioner’s Office acting as regulator. Small MSPs remain exempt, subject to thresholds.
For in-scope MSPs, the obligations mirror and extend NIS duties: proportionate risk management, expanded incident reporting and supply chain oversight. Contractual allocation of cyber risk to customers will no longer be sufficient. If you manage IT infrastructure for regulated entities, you should assume scrutiny.
Data centres
Larger data centres meeting size thresholds will be treated as operators of essential services. The Bill introduces a broad definition of a “data centre incident”, covering events that have had, are having, or are likely to have a significant impact. That drafting lowers the reporting trigger. Credible risk, not only realised disruption, can require notification.
Critical suppliers
Regulators, including the ICO, will be able to designate suppliers whose disruption could seriously affect essential or digital services. Once designated, those suppliers face direct statutory cyber duties and reporting obligations.
Instead of relying solely on regulated entities to manage third-party risk, regulators can step directly into supply chains where systemic impact is plausible.
Who else might be in scope?
The more difficult analysis lies here. The Bill deliberately targets weak links in national cyber defences. This means the focus is not confined to organisations delivering essential services directly. It extends into the digital ecosystem that supports them.
Organisations should consider:
- Do we provide digital services to operators of essential services?
- Would our failure affect national service continuity?
- Do we hold privileged or administrative access into regulated environments?
- Are we concentrated across one or more critical sectors?
Facilities management providers servicing NHS trusts or power plants may be captured if a compromise of their access credentials could create systemic risk. Payroll and HR providers supporting designated entities may be pulled into scope. Logistics, telecoms, SaaS platforms and financial firms whose disruption could be nationally significant are all exposed to closer examination.
Even where you are not formally designated, contractual flow-down obligations from regulated customers are likely to tighten.
Incident reporting raises the stakes
For those in scope, incident reporting expands significantly.
Incidents affecting confidentiality, integrity or availability, not only outages, may be reportable. For operators of essential services, events that are likely to have a significant UK impact must be notified.
The model is two-stage:
- Initial notification within 24 hours
- Fuller report within 72 hours
Notifications go to the sector regulator and the National Cyber Security Centre simultaneously. In some cases, customers must also be informed. This requires documented decision-making and clear escalation between IT, legal, compliance and senior management.
How to approach scope assessment
Boards should commission a formal exposure assessment rather than rely on sector labels. Map your organisation against:
- Operators of essential services
- Digital service providers
- Managed service providers
- Data centres
- Potential critical suppliers
Then assess indirect exposure through supply chain integration and systemic dependency.
Document your reasoning. Regulators are likely to expect structured analysis rather than informal judgement.