The UK is entering a new period of cyber regulation. The forthcoming Cyber Security and Resilience Bill represents the most significant overhaul of national cyber rules since 2018, reshaping how organisations must prepare for, withstand, and recover from cyber incidents.
To understand the scale of this change, it’s useful to look back at how the UK’s cyber regulatory landscape began — and why it now needs to evolve.
Brief History of the NIS Regulations (2018)
- Origins: The EU adopted the NIS Directive in 2016, and the UK implemented it through the Network and Information Systems Regulations 2018
- Purpose: It aimed to boost cyber and physical resilience of Operators of Essential Services (OES) (energy, transport, healthcare, water) and relevant digital service providers (cloud, search engines, online marketplaces)
- Why it was introduced: As reliance on technology grew, failures or attacks on these systems posed serious risks to the economy, public safety, and national security. The regulations established a baseline of security measures and incident reporting obligations to protect critical infrastructure
What Triggered the Cyber Security and Resilience Bill (2025)
- Escalating threats: Cyberattacks surged by 50% in 2025, costing the UK economy an estimated £14.7 billion annually, with incidents disrupting healthcare, utilities, and supply chains
- Policy evolution: The UK government recognised that NIS 2018 was outdated. The new bill reforms and expands its scope, aligning more closely with the EU’s NIS2 Directive and global resilience frameworks
- High-profile incidents: Attacks on critical national infrastructure (CNI) such as water, power, and healthcare highlighted vulnerabilities. These events underscored the need for stronger resilience, faster reporting, and broader coverage of managed service providers and digital supply chains
- Government stance: The Prime Minister emphasized that national security must adapt to changing threats, framing the bill as a landmark reform to protect essential services
Comparison: 2018 NIS Regulations vs Cyber Security and Resilience Bill
Why This Matters to Your Business
Under the new framework, organisations may face:
- Expanded regulatory coverage: businesses previously outside regulation may now be included
- Faster incident reporting requirements, potentially within 24 hours
- Greater accountability for managing cyber risk and disruption
- Stronger regulatory powers and enforcement, including higher penalties
Who Should Pay Attention?
The Cyber Security and Resilience Bill will have a wide-reaching impact, not just on those businesses directly included in the expanded scope of NIS.
Directly Impacted:
The following businesses will be specifically included in the new scope:
- Data centre services – 1MW rated IT load upwards
- Large load controllers – Electricity load controls of 300MW+ aggregate
- Managed service providers – MSPs providing information systems related managed services (excluding micro and small enterprises)
In addition, the new regulations will bring designated critical suppliers into scope. A designated critical supplier is any business that supplies goods or services whose supply is considered critical to the operation of an OES, RDSP or RMSP by the Information Commissioner or another government-designated authority.
Indirectly Impacted:
With the expanded scope of the regulations, businesses in the supply chain of those directly impacted are likely to come under increased scrutiny. The regulations include risk assessment and incident notification requirements, which are likely to result in suppliers being asked to complete information security supplier assessments or to meet specific requirements such as compliance with Cyber Essentials, Cyber Assurance or ISO 27001.
How businesses can prepare for the UK Cyber Security and Resilience Bill
To prepare for the UK Cyber Security and Resilience Bill in 2026, organisations should first establish whether they fall within its scope, either directly, or indirectly through their involvement in the supply chain of in-scope organisations. This should include looking further down the supply chain than immediate customers, as requirements are likely to filter through the supply chain via increased supplier compliance monitoring and risk management.
Key Steps for Preparation
- Identify regulatory and customer compliance requirements:
  - Are you likely to be directly or indirectly impacted through existing or future customers?
- Identify services and suppliers:
  - Map out services and suppliers and understand the dependencies, including third-party relationships. This will help in assessing how information moves in and out of the organisation and the potential impact of cyber incidents
- Assess information security risks:
  - Consider what information means to your business and your customers. What information do you hold, how important is it, how is it protected, is it protected well enough, and what would happen if it were lost or stolen?
- Document, document, document:
  - Documentation helps to ensure that information systems are understood and that decisions around information security are recorded. Compliance requires documentation as evidence of a risk management-based approach to information security.
- Deal with the identified risks:
  - This can be through policy, procedure and training, or through technical measures. Make sure your cyber security tools are suitable and capable of dealing with the risks identified.
- Strengthen supplier risk management:
  - Conduct due diligence on suppliers and review contracts to ensure they also meet the new cybersecurity standards. This is crucial, as supply chain vulnerabilities can pose significant risks.
- Enhance incident detection and reporting:
  - Implement systems to quickly detect and report significant cyber incidents. Establish clear internal processes for notification and identify responsible parties for external reporting to customers and regulators.
- Train and test your team:
  - Conduct training exercises and tabletop scenarios to ensure that all team members understand their roles and responsibilities during a cyber incident. This includes leadership and technical teams.
Why Preparing Early Matters
Cyberattacks impose significant operational, financial, and reputational costs. With rising incident rates and increasing regulatory scrutiny, early preparation can:
- Reduce compliance risk
- Strengthen customer trust
- Improve operational resilience
- Minimise disruption during incidents
Cybersecurity is no longer just about prevention. It is about withstanding, responding to, and recovering from incidents while maintaining service continuity.
How We Help
We help businesses reduce regulatory risk and build resilient cyber capabilities.
Our tailored, risk-based approach delivers compliance without unnecessary complexity.
Start with a free Cybersecurity Assessment