What to expect from the UK’s Cyber Security and Resilience Bill?

The UK is on the brink of its most significant cyber security legislative reform in years. The Cyber Security and Resilience Bill (CSRB), expected to be introduced in the second half of 2025, aims to modernise the UK's cyber framework and reflect the growing sophistication of digital threats. The Bill represents a sharp expansion of the current Network and Information Systems Regulations 2018 (NIS), bringing new industries into scope, tightening compliance obligations, and giving regulators stronger powers to oversee and enforce cyber resilience.
This new legislation signals a shift: cyber security is to become a core compliance competence, not just an IT issue.
Expanding the regulatory perimeter

One of the defining features of the Bill is the expansion of who it applies to. Today, only Operators of Essential Services (OES), such as energy and water companies, and a narrow group of relevant digital service providers (online marketplaces, online search engines and cloud computing services) are regulated under the NIS regime. The new Bill will bring Managed Service Providers (MSPs) and data centres into scope.
This change reflects the reality that these providers play an increasingly central role in the UK's digital ecosystem, and that they are prime targets for attack. Once the Bill takes effect, these entities will be legally required to implement cyber risk management, notify their regulator of significant incidents within 24 hours of becoming aware of them, and register with the relevant regulator (the Information Commissioner's Office (ICO) in the case of MSPs). Companies that may previously have operated outside the bounds of cyber regulation, such as a cloud IT support firm or a data centre operator, will need to assess their responsibilities and be ready for greater scrutiny.
A new focus on supply chain security

Perhaps the boldest element of the Bill is its approach to third-party risk. Where the current regulations largely leave supply chain oversight to the discretion of individual companies, the CSRB will create legal duties to manage cyber risk across an organisation's supply chain.
The Bill will require regulated organisations to formally evaluate the cyber defences of their key contractors and service providers. Security expectations will need to be written into contracts, and companies will be expected to have processes in place for auditing, vetting and improving supplier practices. This is a marked shift from informal vendor management to codified obligations.
But the Bill goes further. Regulators will gain the power to directly designate certain vendors as “Critical Suppliers”, effectively regulating them in the same way as essential service operators. These suppliers, whose failure could significantly disrupt national infrastructure, will have to meet the same security and incident reporting standards as their clients. It’s a two-pronged strategy: organisations must vet their suppliers, but regulators can step in and regulate the most vital links in the chain directly.
Raising the bar for incident reporting

Another major change is how and when cyber incidents must be reported. Under the current rules, organisations only need to notify regulators if an incident has a significant impact on the continuity of the service they provide. That narrow definition has left regulators and the National Cyber Security Centre (NCSC) in the dark about many serious breaches, including intrusions that are contained before any outage occurs.
The CSRB will expand this requirement. Organisations will be required to report incidents that compromise the confidentiality, integrity or availability of critical systems, even if users experience no visible downtime. The notification process will follow a two-step model: an initial notification must be submitted within 24 hours of the organisation becoming aware of the incident, followed by a detailed incident report within 72 hours. In practice this means incident response playbooks need a reporting decision point early in triage, before the full picture is known. This aligns the UK with comparable regimes such as the EU's NIS2 Directive and the US Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA).
For digital service providers, an additional transparency requirement will apply. If an incident may affect customers, those customers must be notified. This is intended to prevent providers from quietly handling breaches while leaving their clients unaware and exposed.
Making security standards binding

The new Bill won't just tell companies what outcomes are expected; it will formalise how those outcomes should be achieved. The NCSC's Cyber Assessment Framework (CAF) will become central to this effort. This widely used framework sets out good practice as 14 principles grouped under four objectives: managing security risk, protecting against cyber attack, detecting cyber security events, and minimising the impact of incidents. Once the CSRB becomes law, alignment with the CAF is expected to be the baseline against which regulators assess in-scope organisations.
To ensure the rules remain relevant, the Secretary of State will have the power to update technical requirements via secondary legislation. A statutory Code of Practice is also expected, translating principles into practical steps that organisations can follow to demonstrate compliance.
In effect, the government is drawing a clearer line between best practice and minimum legal standard. Many businesses already adhere to international frameworks such as ISO 27001 or the NIST Cybersecurity Framework, but under the new Bill this alignment may become a matter of legal necessity.
Future-proof legislation

A key strength of the UK’s approach lies in its adaptability. The Bill allows the government to amend regulatory scope and obligations without passing entirely new legislation. New sectors such as AI infrastructure or satellite networks can be added as threats evolve. There are also proposals for a government-issued Statement of Strategic Priorities, setting long-term goals for the UK’s cyber resilience, and emergency powers allowing the Secretary of State to act swiftly in cases of national security concern.
This model of delegated powers allows the regime to respond quickly to emerging risks, but it also means organisations will need to stay alert. Compliance isn’t static; it will require ongoing monitoring, adaptation, and engagement.
How the UK compares globally

Internationally, the UK’s approach aligns closely with the EU’s NIS2 Directive and the US’s developing frameworks. The UK shares common ground with both when it comes to incident reporting, enforcement powers, and baseline risk management. However, its decision to directly regulate certain critical suppliers stands out, as it’s a step neither the EU nor the US has taken in the same way.
Germany, for example, is expanding its laws under NIS2 and has strong audit and enforcement mechanisms, but lacks the UK's ability to designate individual vendors for direct regulation. The US, meanwhile, takes a more decentralised approach, relying heavily on sector-specific rules and voluntary frameworks such as the NIST Cybersecurity Framework.
For global companies, this means that aligning with the UK’s CSRB, and by extension NIS2, provides a strong baseline for international compliance.
How should compliance teams begin to prepare?

With the CSRB expected to be introduced in the second half of 2025, businesses would be wise to begin preparing now; the legislation is likely to move quite quickly through Parliament. Preparation starts with assessing whether your organisation or its suppliers will be in scope. If so, reviewing internal cyber defences, updating incident response procedures to meet the 24-hour and 72-hour reporting windows, and aligning with the CAF are the crucial next steps.
Supply chain risk management should also be prioritised. Identify your most critical vendors, ensure security requirements are contractually embedded, and prepare for the possibility of increased oversight.
Engagement is equally important. Open communication with your regulator, participation in industry consultations, and awareness of upcoming codes and guidance will help future-proof your compliance strategy.
And finally, organisations should budget not only for technical upgrades and possible headcount, but also for regulatory fees, a new cost of doing business in a regulated digital environment.
Looking for more support? Improve your supplier onboarding with the VinciWorks Omnitrack system.