Key Changes to the Cyber Security and Resilience Bill

The Cyber Security and Resilience Bill introduces new protections for UK essential services. Discover what the changes mean for your organisation and how to prepare for tighter cyber security regulations.

Cyber Security and Resilience Bill

The UK Government’s Cyber Security and Resilience Bill, outlined in April 2025, aims to protect the UK’s essential services and our critical national infrastructure against increasing cyber threats.

Prompted by serious incidents such as ransomware attacks on healthcare and utilities, the Bill introduces a more expansive and proactive approach to business cyber resilience. In addition, recent attacks in the retail sector have further highlighted the need for these measures.

While we are all aware of the importance of robust cyber security, recent attacks on the UK’s retail sector highlight how far-reaching, unexpected, and sometimes unintended the impacts can be. For example, some of the UK’s rural community and island shops relying on their local Co-op have been left without food on the shelves in the last two weeks. Consequently, local shop owners have been trying to feed their communities by sourcing new supplies from hundreds of miles away on the mainland. These real human impacts reinforce the importance of getting cyber security right—not just to protect your business, but to protect those who rely on you.

What the Cyber Security and Resilience Bill means for UK businesses

This new legislation builds on the existing Network and Information Systems Regulations 2018 (NIS 1). These regulations established a baseline for cyber security requirements for operators of essential services such as energy, water, healthcare, transport, and finance. Moreover, the Cyber Security and Resilience Bill expands this foundation by widening its coverage, particularly across critical supply chains and their digital service providers.

The aim is to ensure alignment with the EU’s NIS2 Directive. That directive similarly broadens the scope of the existing NIS 1 regime, strengthens regulators’ enforcement powers, and imposes stricter reporting timelines for incidents. While the UK is no longer bound by EU law, the Bill ensures that UK standards remain interoperable and competitive on the global stage.

Key measures in the Cyber Security and Resilience Bill

Expanded Regulatory Scope

The Bill builds on existing NIS regulations. It widens the scope to include more sectors and essential service providers—including key suppliers to organisations operating in health, water, transport, and energy. Furthermore, it covers IT service providers that deploy managed services, active administration, and/or monitoring of IT systems, infrastructure, applications, and networks.

Strengthened Incident Reporting

Organisations in scope will be under stricter requirements to report significant cyber incidents. This especially applies to incidents involving ransomware or operational disruption, which must be reported within 24 hours of the organisation becoming aware of them.

Supply Chain Cyber Risk Management

The Bill obliges organisations to identify and mitigate cyber risks within their supply chains. This places increased scrutiny on third-party providers.

Adaptable Framework for Evolving Threats

Provisions are included for the legal framework to evolve in response to new technologies, threats, and vulnerabilities.

Enhanced Regulatory Powers

Regulators will be empowered to impose binding requirements, enforce compliance, issue fines, and recover oversight costs from regulated entities.

Will we be in scope?

Organisations will be classified as in-scope if they operate in critical sectors. Alternatively, they may be included if they support these sectors by providing essential services such as IT infrastructure, data processing, cloud platforms, or connectivity.

We expect to see formal guidance issued to explain the thresholds, but it will be important to self-assess based on your role and your understanding of your systemic importance to your clients.

Managed Service Providers take note

Calling all Managed Service Providers (MSPs), including IT outsourcing firms, cloud service providers, and security monitoring providers—you are explicitly recognised in the policy statement as a key part of the UK’s digital supply chain and will be brought within scope of the new legislation.

As you will have seen through recent attacks on the healthcare sector, MSPs are attractive targets for cybercriminals. Moreover, a compromise can lead to cascading impacts across multiple clients. As a result:

  • MSPs will be subject to specific security duties, including implementing technical and organisational measures to reduce risk for your clients.
  • Be ready to report incidents, even if the attack targets your clients’ infrastructure by exploiting your own systems or services.
  • Be aware that regulators may conduct compliance audits, and non-compliance could lead to enforcement action.

Looking ahead

The Cyber Security and Resilience Bill is a major evolution in the UK’s cyber regulatory landscape. By expanding scope, strengthening enforcement, securing supply chains, and aligning with global standards, it ensures UK businesses build resilience in the face of escalating cyber threats. All potentially in-scope organisations—especially Managed Service Providers—should begin preparing now to meet future legal and operational obligations.

Ready to prepare for the Cyber Security and Resilience Bill?

Contact our team for expert guidance on updating your cyber security strategy.


Article by

Anna Walters

Senior Consultant, Risk Evolves
