TL;DR
- Announced July 2024; details added April 2025; expected Royal Assent in 2026.
- Applies to all critical services, their supply chains, and data centres.
- New requirements on standards conformance, supply-chain hygiene and incident reporting, plus stronger regulatory powers.
- Aligns the UK more closely with the EU's NIS2.
- Start now: scope your organisation, audit supply chains, enforce a robust security baseline, and test.
The UK Cyber Security and Resilience Bill (CS&R) was announced in the July 2024 King's Speech. It addresses gaps in current regulation such as the NIS Regulations 2018: it widens the scope of who is regulated, tightens incident reporting requirements, and puts supply-chain security front and centre.
Royal Assent is expected in 2026.
Scope
CS&R expands the scope and requirements of the existing NIS Regulations 2018.
Five categories of organisation are in scope; OES and RDSPs were already covered by NIS:
- Operators of Essential Services (OES): utilities, transport, healthcare, and digital infrastructure
- Relevant Digital Service Providers (RDSPs): search engines, marketplaces, and cloud providers
- Managed Service Providers (MSPs): companies providing core IT services to other organisations. These are brought into scope and regulated as RDSPs.
- Data centres: large data centres are now classified as critical national infrastructure (CNI)
- Designated Critical Suppliers (DCS): suppliers whose failure would disrupt the operations of an OES or RDSP
What changes?
The CS&R is considered the UK’s response to the EU’s NIS2 framework.
As well as bringing more organisations into scope, a large part of the bill focuses on improving incident response, giving regulators more power, and enforcing cybersecurity standards more consistently:
- Meet existing cybersecurity standards. All in-scope organisations need a solid security baseline: MFA, encryption at rest and in transit, proper network segregation, document labelling, and regular patching. CS&R is underpinned by NCSC's Cyber Assessment Framework (CAF) and Cyber Essentials.
- Supply-chain security. Contracts must enforce security-related SLAs and patching obligations, and suppliers must inform their customers of incidents.
- Prompt incident reporting. Regulators and NCSC must be notified within 24 hours of becoming aware of an incident, with a full report within 72 hours, aligning with NIS2. The scope of who must report, and which incidents are reportable, also broadens.
- More power to regulators. Regulators will be able to recover their costs through fees and to levy fines, rather than relying on taxpayer funding; they will also be able to demand information from organisations under their purview. In return, those costs become more transparent to the organisations paying them. The ICO is similarly gaining stronger information-gathering and enforcement powers.
Regulators are expected to align their own assessment policies with the CAF, so conformance with the CAF becomes the practical route to CS&R compliance.
Quick compliance checklist
The detailed requirements of CS&R haven't been published yet, but there's nothing stopping you from preparing over the coming year:
- Scope: determine your status (OES, RDSP, MSP, data centre, DCS) and register with the correct regulator.
- Gap analysis: PTP can establish where you stand against the CAF, the existing NIS Regulations, and other frameworks. Get certified with Cyber Essentials to demonstrate a security commitment to your customers and regulators.
- Supply-chain analysis: catalogue your critical suppliers and scrutinise the security clauses in their contracts. We can help you vet and choose third-party vendors with security as the foremost criterion.
- Prepare incident response plans: ensure rapid detection and reporting with updated playbooks, monitoring, and staff training. Know who you're reporting to and rehearse the 24-hour and 72-hour timelines.
- Document everything: logs, test results, supplier paperwork, meeting minutes. Be able to demonstrate proactive risk management.
- Regular testing: schedule penetration tests across your estate, from Internet-facing and cloud systems to corporate IT networks and OT. Implement remediations and get them retested.
Plan for the bill to keep evolving. Secondary legislation will adapt it to specific regulated sectors and to emerging threats.
Bottom line
CS&R has a wide impact, but if you already follow good cyber hygiene the bulk of the work is done.
And if you don't?
We're here to make that journey easy and effective.
Further reading
The Government’s policy statement: https://www.gov.uk/government/publications/cyber-security-and-resilience-bill-policy-statement
NCSC’s blog on CS&R: https://www.ncsc.gov.uk/blog-post/cyber-security-resilience-bill-policy-statement