Digital transformation is often seen as a double-edged sword. On the one hand, digitising processes offers a myriad of opportunities such as enabling business growth and increasing efficiencies. On the other, it can introduce new vulnerabilities that today’s sophisticated cyber criminals are only too willing to exploit.
This ongoing balancing act is one that organisations involved in the UK’s critical national infrastructure (CNI) have been grappling with for some time – but the battle is becoming increasingly difficult. In the words of the UK Government in its recent Cyber Security and Resilience policy statement: “We are facing unprecedented threats to our critical national infrastructure. Resilience is not improving at the rate necessary to keep pace with the threat and this can have serious real-world impacts.”
These impacts have been demonstrated multiple times over in the last few months alone. From the recent spate of retail attacks to compromises at two NHS Trusts and an attack on Glasgow city council, providers of critical services are undoubtedly in the crosshairs.
A platform for growth
The upcoming Cyber Security and Resilience Bill (CSRB) is designed to help stop attacks like these from occurring in the future. Supported by other initiatives such as the Cabinet Office’s new Cyber Resilience Index, it focuses on addressing today’s digital challenges related to areas such as the emergence of AI-powered threats and building advanced protections into the UK’s critical services – all with the goal of enhancing national cyber resilience.
It is also intended to act as an enabler of economic growth. The UK Government views digital resilience as a foundation for growth rather than a barrier, fostering stability in a way that empowers businesses to innovate and flourish. This aligns with the Government’s May 2025 announcement regarding the development of a new National Cyber Strategy, with Chancellor of the Duchy of Lancaster, Pat McFadden, reinforcing the message that cyber security is not only a technical and defensive necessity, but a national growth engine.
Ahead of the bill – which is expected to come into force in 2026 – organisations will be asking themselves how it applies to them and what steps they need to take to make their business compliant. Here, we outline a few key considerations to keep in mind.
- Expanded scope of UK cyber law
Compared to the existing Network and Information Systems (NIS) Regulations 2018, the CSRB increases the range of businesses impacted to reflect our increasing reliance on digital infrastructure. A particular segment to note is Managed Service Providers (MSPs), which are fundamental in managing many of the UK’s critical IT systems and networks. The CSRB says MSPs are an attractive target for attack given the access they have to clients’ IT systems, infrastructure and data. Data centres will also be subject to new obligations, along with a more comprehensive range of CNI sectors.
- Broader business obligations
When the CSRB comes into force, organisations will be faced with additional and more granular obligations, such as stricter cyber incident reporting requirements. These include a transparency requirement to notify affected customers in the event of an incident and a duty to report significant incidents to the relevant authorities (plus the NCSC) within 24 hours of discovery. Accountability has also risen to the executive and board level, with cyber security expected to be treated as an organisational governance issue.
- Stronger roles for regulators and Government
The CSRB equips regulators with additional tools and powers to proactively investigate potential vulnerabilities in systems and supply chains – from conducting audits to requesting evidence such as incident response plans. They will also have the power to assign certain vendors – i.e. those where disruption could have a significant impact on essential digital services – as "Designated Critical Suppliers", thereby imposing more stringent obligations. At a broader Governmental level, the Bill allows for a faster response to evolving threats by giving the Secretary of State more powers to update regulations without requiring new Acts of Parliament.
- A risk-based approach
The CSRB moves away from standardised models to a risk-based framework that flexes depending on various factors such as an organisation’s influence and risk profile. Instead of a one-size-fits-all approach to protecting essential services, organisations will have to implement and maintain cyber security measures that are proportionate to the risks they face. This extends to supply chains. Organisations must be prepared to evaluate their contractors’ cyber defences and establish processes for auditing and improvement.
Ultimately, recent incidents have highlighted the urgent and systemic need to adapt to the rapidly changing threat landscape. The CSRB will attempt to tackle this by marking a significant change in how cyber security and resilience are regulated for UK organisations, forming part of the UK Government’s ongoing focus on ensuring UK CNI is suitably resilient to the increasing threats faced.
As such, organisations operating in the UK need to monitor the exact scope and implications of the CSRB once it is introduced to Parliament later in 2025. They should also prioritise evaluating their current cyber security posture and processes, updating their incident response procedures, aligning with key contractors, and training their teams on the latest threats and best practices. Those that don’t risk falling foul of significant fines – not to mention increasingly sophisticated attacks.
Want to learn more about how we can support? Visit our Cyber Security Advisory and STARA® pages to discover how we help organisations understand the threats they face and put proportionate, threat based measures in place to manage risk.