In April 2025, the UK Government released a policy statement outlining plans to strengthen the regulation of Critical National Infrastructure (CNI) and its supply chain. These proposals will be introduced through the Cyber Security and Resilience Bill, expected to reach Parliament later this year.
This article provides an overview of what is currently known about the Bill, its likely implications for organisations, and practical steps that can be taken to prepare for early compliance.
What is the Cyber Security and Resilience Bill?
The Cyber Security and Resilience Bill (CSR Bill) marks a significant shift in the UK’s approach to cyber regulation. It aims to update and expand the existing Network and Information Systems (NIS) Regulations, which were designed to protect essential services from cyber threats. The new Bill is intended to reflect the evolving threat landscape and address gaps in the UK’s current cyber resilience framework.
In its 2024 Annual Review, the National Cyber Security Centre (NCSC) identified a growing mismatch between the sophistication of modern cyber threats and the UK’s collective ability to respond. The CSR Bill is expected to broaden the scope of regulatory coverage, raise baseline security standards, and provide regulators with greater enforcement powers.
Although the Bill draws inspiration from the EU’s NIS2 Directive, it is not a direct copy. The UK has said it will align only where doing so supports national interests.
Key provisions of the Bill
Broadening the scope
The Bill will expand the range of organisations subject to regulation by:
- Bringing managed service providers (MSPs) into scope, potentially affecting 900–1,100 UK organisations.
- Including data centres, particularly those with over 1MW capacity (or over 10MW when used solely for enterprise services).
- Adding energy flexibility providers and potentially sectors like space in the future.
Regulators will also be able to designate critical suppliers, who would then face the same duties as operators of essential services.
Stricter requirements
The CSR Bill introduces several changes to strengthen the responsibilities of in-scope organisations, including:
- Supply chain security duties will be formalised, with scope for further expansion through secondary legislation.
- A new code of practice will support compliance, setting out detailed technical and procedural requirements aligned with the NCSC’s Cyber Assessment Framework (CAF).
- Incident reporting obligations will be strengthened. Specifically:
  - Serious incidents must be reported to regulators and the NCSC within 24 hours of detection.
  - A full incident report must follow within 72 hours.
  - Affected customers, particularly in the digital services and data centre sectors, may also need to be notified.
Enhanced government and regulator powers
Regulators will have stronger powers to monitor compliance, including:
- Requesting information
- Conducting inspections
- Imposing fines
- Recovering enforcement costs
The Government is also considering emergency powers that would allow it to direct regulated entities during serious cyber incidents. This reflects a shift toward greater central coordination in times of crisis.
Separately, the Government is consulting on restrictions around ransomware payments, initially for public sector and CNI organisations, with potential future requirements for private firms to seek approval before making payments. While this sits outside the CSR Bill, any related compliance obligations will be aligned where possible.
How it differs from the EU’s NIS2 Directive
While aligned in purpose, there are notable differences between the CSR Bill and NIS2:
- Security standards: The UK will use the NCSC’s CAF rather than international frameworks like ISO 27001 or NIST CSF, although these can complement each other.
- Incident reporting: This is a point of alignment rather than difference. The UK is expected to adopt the NIS2 timelines, requiring an initial notification within 24 hours and a full incident report within 72 hours. The types of incidents that must be reported will likely be similar, though the final UK definitions are still to be confirmed.
- Sectors covered: The EU’s NIS2 Directive covers a broader range of sectors, including space, manufacturing, research, and waste management services. These are not currently included in the CSR Bill. However, the UK Government retains the power to add new sectors by regulation without the need for additional primary legislation.
- Regulatory powers: Both the CSR Bill and NIS2 significantly strengthen regulators’ enforcement powers. They enable a more proactive supervisory role, including audits, mandatory compliance measures, and the ability to impose penalties for non-compliance across regulated sectors.
When will the changes take effect?
The Cyber Security and Resilience Bill is expected to be introduced in Parliament later this year. However, it is unlikely to become law (via Royal Assent) before early 2026.
Once passed, there will likely be a transition period while the UK Government finalises the supporting code of practice and secondary legislation needed to implement the new requirements.
What should organisations do now?
If your organisation is already covered by the UK’s existing NIS regulations, or you think you might fall under the expanded scope of the upcoming CSR Bill, it is a good idea to start preparing now. Taking early steps can help reduce compliance costs, protect your operations, and lower the risk of future penalties.
Here’s what to do:
- Check if you’re in scope. Review whether you provide essential digital or physical services. MSPs, data centres, and suppliers to regulated sectors are likely to be affected.
- Define which parts of your business are impacted. The Bill applies to specific systems and assets, not whole organisations. Identify which areas support essential functions.
- Assess your cyber risks. Conduct regular, threat-informed risk assessments on critical systems and processes.
- Strengthen governance. Ensure cyber risk is formally addressed at board level, with clear responsibilities, governance structures, and adequate resources.
- Review your supply chain. Identify key third-party providers, assess their cyber posture, and update contracts to reflect security and reporting expectations.
- Improve incident response. Make sure you can meet the 24- and 72-hour notification deadlines, which run from detection, so internal escalation must be fast enough to reach whoever files the report. Assign clear roles for regulator engagement and incident handling.
- Stay informed. Track the Bill’s progress and watch for further updates to guidance or legislation.
Final thoughts
The CSR Bill signals a more ambitious and coordinated approach to cyber resilience in the UK. For many organisations, especially those in the digital infrastructure space, it will introduce new legal obligations, but it also offers an opportunity to improve cyber readiness.
Preparing early will not only help ensure compliance but also enhance operational resilience in an increasingly complex threat environment.