
The Cyber Security and Resilience Bill (CSRB) Explained

By Tom Cope 5 August 2025 5 min read

The Cyber Security and Resilience Bill (CSRB) sets out a series of legislative proposals that will help tackle the increasingly prolific and diverse cyber threats to the UK. 

It does so through expanding and updating the UK’s Network and Information Systems Regulations 2018 (NIS Regulations), bringing Managed Service Providers, Critical Suppliers and Data Centre operators under its scope.  

This blog explains the key changes the Bill brings to the scope of the NIS Regulations, who is in scope now, and its implications. 


What is the Purpose of the Cyber Security and Resilience Bill? 

The UK is experiencing more frequent, sophisticated and hostile cyber threats. Add to this a perceived inability of defences to keep pace with those threats, and the UK is left in an increasingly vulnerable position.

The NIS Regulations – the UK’s only cross-sector cyber legislation – went some way to enhancing the security of UK critical networks and information systems. But the capabilities of our adversaries are growing, which is why the government has introduced the CSRB.

The Bill aims to strengthen the UK’s cyber defences and to safeguard critical infrastructure and essential services from rising cyber attacks by bringing more digital services and supply chains into scope and by enhancing incident reporting.


Who Does the Cyber Security and Resilience Bill Apply to? 

Currently, the NIS Regulations apply to:

  • Operators of Essential Services (“OES”) – those operating in sectors such as electricity, gas, oil and transportation, subject to sector-specific criteria or designation by a competent regulator; and

  • Relevant Digital Service Providers (“RDSPs”) – covering cloud computing services, online marketplaces and online search engines.

The government now intends to broaden the scope of the Regulations to:

  • Managed Service Providers (“MSPs”) – MSPs often have privileged access to their clients’ IT systems, networks and sensitive data. This makes them a prime target for cyber attacks, and a critical point of vulnerability in the supply chain.

  • Designated Critical Suppliers (“DCS”) – This covers suppliers whose goods or services are so vital that a disruption could significantly impact the delivery of essential or digital services in the UK.  

  • Data Centres – Data centres were officially designated as Critical National Infrastructure (CNI) in September 2024 due to their role in hosting essential services, supporting cloud computing and acting as a central hub for sensitive data and network traffic. The Bill proposes a capacity-based threshold for regulation:

      ◦ ≥1MW capacity: all UK data centres (except enterprise-only) will be in scope
      ◦ Enterprise data centres: only in scope if ≥10MW capacity

The Bill aims to bring all three groups under the same scrutiny as existing providers of essential and digital services.


What are the Biggest Changes Under the Cyber Security and Resilience Bill? 

1. Incident reporting process(es) 

Reflecting the general consensus that it is largely a question of ‘when’ not ‘if’ an organisation will suffer a cyber attack, the government is introducing stricter timescales and broader definitions for incident reporting. This takes the form of a new two-stage incident reporting process: an initial notification, submitted within 24 hours of becoming aware of a significant incident, followed by a full incident report, submitted within 72 hours of the same. The overall aim is to improve understanding of the threats and to alert government and industry to potential attacks in a timely manner.

2. Supply chain assurance 

Organisations’ supply chains have become an increasingly prevalent and complex vulnerability exploited by cyber criminals. Some of the most recent global security incidents, such as SolarWinds and NotPetya, exemplify the dangers of this threat vector. Until now, UK regulation has not explicitly covered supply chain risk management, instead relying on non-statutory guidance such as the NCSC’s Cyber Assessment Framework (CAF) to close the gaps. The Bill would make in-scope organisations (OES and RDSPs) directly accountable for the cyber security of their supply chains. Secondary legislation will spell out these duties in detail, ensuring that OES and RDSPs assess and mitigate third-party cyber risks.

3. Strengthened security requirements 

Plans are in place to put the NCSC’s CAF on a stronger statutory footing. Clearer technical standards will be set out in a statutory Code of Practice, akin to the steps taken in 2021 with the Telecom Security Act (“TSA”).


When Will the Cyber Security and Resilience Bill Come into Effect? 

The CSRB was first announced in the July 2024 King’s Speech, and the government published a detailed policy statement in April 2025 outlining its scope and objectives. Whilst we still don’t have a definitive date for when the Bill will come into effect, the CSRB is expected to be introduced in Parliament during the 2025-26 legislative session.


How Can Bridewell Help? 

The key takeaway here is that for many more organisations in the UK, these requirements will become non-negotiable.  

Whilst we await the publication of the Code of Practice, Bridewell is able to support operators of essential services, digital service providers and critical suppliers in preparing for compliance, drawing on its extensive experience in assessing and implementing the guidance detailed in the NCSC Cyber Assessment Framework (CAF).

More specifically, Bridewell can support organisations with incident response testing at gold, silver and bronze levels, with establishing or maturing organisational supply chain risk management, and with specialised OT assessments.

Get ahead of the upcoming Code of Practice with expert support from Bridewell.

Tom Cope

Senior Lead Consultant

Tom is an experienced cyber security professional, working with both public and private sector clients. He has led large scale transformation initiatives across the cyber risk, compliance, and resilience domains, including driving growth in ISO 27001, CAF, and NIST CSF Controls. He also holds certifications in CISSP & CISM. Tom is experienced with clients of all sizes and in various sectors, including public, energy, telecommunications and large-scale consumer goods & manufacturing organisations.