DigitalXRAID

The UK Cyber Security and Resilience Bill: What IT and Compliance Leaders Need to Know 

Last updated: March 2026.

The UK Cyber Security and Resilience Bill is the most significant reform of UK cyber legislation since the Network and Information Systems (NIS) Regulations were introduced in 2018. The UK government has introduced the Bill to strengthen digital resilience across critical infrastructure, managed services, and supply chains.

Introduced to Parliament on 12 November 2025, it has since completed its second reading and committee stage in the House of Commons, with Royal Assent expected in late 2026 and phased implementation likely running through to 2028.

The Bill amends and substantially expands the existing NIS Regulations, bringing more organisations into regulatory scope, tightening incident reporting timelines, introducing a two-tier penalty regime, and giving regulators significantly stronger enforcement powers. It also establishes clearer alignment with international frameworks, particularly the EU’s NIS2 Directive.

If you’re responsible for IT security or compliance, the direction of travel is clear whether or not the final commencement dates have been confirmed. The reporting timelines are already defined. The scope categories are already drafted. The fines regime is already set. Waiting for Royal Assent to begin preparing is the most expensive approach you can take.

In this guide, we’ll explain what the Cyber Security and Resilience Bill means for your organisation, who’s in scope, what the requirements are, how the fines work, how it aligns with frameworks you may already follow, and the practical steps you should take now to prepare.

Key Takeaways 

  • The UK Cyber Security and Resilience Bill modernises the NIS Regulations 2018, expanding scope, tightening reporting obligations, and introducing tougher enforcement. It has completed its Commons committee stage and Royal Assent is expected in late 2026.
  • Organisations in scope include Operators of Essential Services, Relevant Digital Service Providers, managed service providers, Designated Critical Suppliers, data centres, and large load controllers.
  • The Bill introduces a two-tier penalty structure: up to £10 million or 2% of global turnover for standard breaches, up to £17 million or 4% of global turnover for serious breaches, and up to £100,000 per day for ongoing contraventions.
  • Incident reporting requires a 24-hour early warning and a 72-hour full report to both your sector regulator and the NCSC, with mandatory customer notification in relevant circumstances.
  • If you’re already compliant with NIS2, ISO 27001, or NIST CSF, you have a head start, but UK-specific obligations, including CAF alignment, dual notification, and supply chain oversight, still require dedicated action.
  • The Bill forms a core part of the government’s wider Plan for Change, which is focused on improving national resilience, strengthening critical public services and reducing the economic and operational impact of cyberattacks.
  • Proactive preparation reduces audit pressure, closes compliance gaps, and demonstrates due diligence to regulators, insurers, and your board.

What is the UK Cyber Security and Resilience Bill? 

The UK Cyber Security and Resilience Bill (CSRB) is a piece of primary legislation that reforms the Network and Information Systems Regulations 2018, the UK’s only cross-sector cyber security regulation. It was announced in the King’s Speech in July 2024, with the policy statement published in April 2025, and formally introduced to Parliament on 12 November 2025.

The Bill amends rather than replaces the existing NIS framework, extending its reach to new categories of organisation, strengthening its reporting and enforcement mechanisms, and placing the NCSC Cyber Assessment Framework (CAF) on a firmer statutory footing as the baseline standard for in-scope organisations.

The government’s stated aim is to bring the UK into closer alignment with the EU’s NIS2 Directive, which replaced the original NIS Directive in 2023, while retaining a UK-specific approach through a sectoral regulator model, dual notification obligations, and the new Designated Critical Supplier designation mechanism.

Why the Bill Matters Now 

The urgency behind the Bill reflects the scale and cost of cyber threats to UK infrastructure. The NCSC’s Annual Review recorded 204 nationally significant cyber incidents in just one year, more than double the previous year.

The estimated annual cost of cyberattacks to the UK economy currently stands at £14.7 billion, and the Office for Budget Responsibility has warned that a catastrophic attack on critical national infrastructure could drive temporary government borrowing up by more than £30 billion.

High-profile incidents have demonstrated exactly what regulatory gaps look like in practice. The ransomware attack on NHS pathology provider Synnovis in June 2024 cost an estimated £32.7 million, disrupted services across five NHS trusts, and delayed over 11,000 appointments.

The Marks and Spencer cyberattack in 2025 crippled online operations and resulted in reported losses of up to £300 million. Under the existing NIS Regulations, neither incident triggered the reporting obligations the Bill is designed to mandate.


What is the Current Parliamentary Status of the UK Cyber Resilience Bill?

The Bill has progressed significantly since its introduction. As of March 2026, it has completed its first reading, second reading, and committee stage in the House of Commons.

The amended Bill, reflecting changes made in committee, was published on 25 February 2026. It’s now moving towards Report Stage and Third Reading in the Commons, after which it will pass to the House of Lords for further scrutiny.

Royal Assent is expected in late 2026. However, most operational obligations will not take immediate effect on Royal Assent. The government has confirmed a phased implementation approach, with key requirements brought into force through secondary legislation following further consultation. Full implementation is not expected until 2028.

Some provisions will take effect on Royal Assent. Others will follow through secondary legislation. However, this isn’t a reason to delay. Begin now while you still have time to implement controls without the pressure of an active deadline.

What Are the Fines and Penalties Under the UK Cyber Security and Resilience Bill?

This is one aspect where the information circulating is often incomplete. The Bill introduces a two-tier penalty structure that is considerably stronger than the existing NIS Regulations, where maximum fines were capped at £1 million or £8.5 million depending on the breach.

For standard breaches, the maximum penalty is the greater of £10 million or 2% of global annual turnover. For serious or repeated breaches, the maximum rises to the greater of £17 million or 4% of global annual turnover. For ongoing contraventions where an organisation fails to remedy a compliance failure, regulators can impose daily fines of up to £100,000. Separate information notice and non-disclosure penalties of up to £10 million may also apply.

The UK cyber bill fines structure is comparable to GDPR and, for some breach types, exceeds the equivalent NIS2 penalties available across EU member states. The government has also introduced a cost recovery mechanism enabling regulators to recover the costs of their compliance activities through periodic fees levied on in-scope organisations.

Beyond the immediate financial exposure, the consequences of non-compliance extend further. Delayed or incomplete incident reporting amplifies the operational impact of a breach, damages customer and partner trust, and invites ongoing regulatory scrutiny. For managed service providers and data centres, persistent non-compliance could result in operational restrictions or removal from the market.

Preparing now is the most cost-effective approach. The fines are significant, but the reputational and operational costs of a poorly managed incident under the new regime are likely to be higher still.

Who is in Scope Under the Cyber Security and Resilience Bill? 

The scope of the Bill is broader than the existing NIS Regulations. It extends mandatory obligations to categories of organisation that were previously either outside scope entirely or subject only to voluntary frameworks.

Operators of Essential Services (OES) 

This covers the traditional categories already regulated under NIS: energy, transport, health, water, and digital infrastructure. These organisations are considered critical to the UK’s economy and national security and have existing compliance obligations that the Bill strengthens and expands.

Relevant Digital Service Providers (RDSPs) 

This category covers cloud computing providers, online marketplaces, and search engines. The Bill confirms that medium and large managed IT service providers are now explicitly included, recognising the critical role they play in supporting business operations and their privileged access to customer systems.

Managed IT Service Providers

This is a significant expansion. Medium and large MSPs, outsourced IT helpdesk providers, and cyber security service providers are all brought into scope, with the ICO as the designated regulator. If your organisation provides ongoing IT management to other businesses and meets the size threshold, you’re now subject to regulatory oversight. Your own cyber security posture, incident reporting capability, and supply chain controls are all in scope.

Designated Critical Suppliers (DCS) 

Under the Bill, regulators have the power to designate specific suppliers as critical where their disruption could significantly affect essential or digital services. This mechanism ensures key parts of the supply chain can be brought into compliance even where they wouldn’t otherwise fall into the standard categories.

Healthcare diagnostics providers, water treatment chemical suppliers, and high-impact infrastructure dependencies are among the examples cited. Designation comes with written notice and a right to make representations or appeal.

Data Centres

Data centres are brought into scope with specific capacity thresholds. Facilities with IT capacity of 1 MW or more will be regulated. Enterprise data centres serving only their own organisation face a higher threshold of 10 MW. This reflects the recognition of data centres as critical infrastructure components in the UK’s digital economy.

Large Load Controllers

This is a new category covering organisations that remotely manage 300 MW or more of electrical load, including EV charging networks, battery storage systems, smart grid operators, and large-scale virtual power plants. If you manage significant electricity loads at this scale, you’re likely in scope.

What Are the Key Requirements of the UK Cybersecurity and Resilience Bill?

The Bill introduces a number of new and strengthened cyber security requirements that organisations must prepare for: 

Two-Stage Incident Reporting 

The Bill’s incident reporting regime is one of its most operationally demanding elements. You must notify your sector regulator and the NCSC within 24 hours of becoming aware of a significant cyber security incident. This isn’t 24 hours to complete an investigation, but to report what you currently know.

For organisations without a mature detection and response capability, this timeline is extremely challenging.

Within 72 hours, you must provide a full incident report. For data centres specifically, near-miss events that could have had a significant impact but didn’t must also be reported. Customer notification is also required in relevant circumstances: affected clients must be informed of what happened, why they’re affected, and what steps are being taken.

Supply chain cascade reporting applies too. If another organisation’s incident caused or contributed to yours, you must report it. This creates visibility across the supply chain and means a single upstream breach can trigger multiple simultaneous reporting obligations downstream.

Alignment with the NCSC Cyber Assessment Framework

The CAF will be placed on a firmer statutory footing as the baseline standard for in-scope organisations. Its four objectives, covering risk management, protective security, detection, and impact minimisation, will underpin sector-specific codes of practice issued by regulators. If you’re not already mapping your controls against the CAF, this is where to start. Learn more about NCSC Cyber Assessment Framework services to support you.

Stronger Regulatory Oversight and Enforcement 

Regulators gain significantly expanded enforcement powers, including the ability to conduct audits, issue compliance directions, and levy penalties.

The Technology Secretary gains new statutory powers to instruct regulators and in-scope organisations to take proportionate action to isolate or secure systems.

Regulators can also issue urgent directives in response to credible threats, requiring immediate steps such as increased monitoring, system isolation, or additional technical controls.

This is a structural shift from reactive compliance oversight to proactive intervention.

National Security Directions

Where an incident or threat poses a risk to national security, the Secretary of State can issue directions requiring organisations to modify systems, implement controls, appoint approved cyber security professionals, or provide operational information.

Where a national security direction conflicts with another regulatory requirement, the direction takes precedence. This is a broad power with significant operational implications for affected organisations.


How the Cyber Security and Resilience Bill Aligns with Other Frameworks 

If your organisation already follows NIS2, ISO 27001, or NIST CSF, you’ll have many of the required controls in place. However, UK-specific obligations go beyond these frameworks and require dedicated action.

CSRB vs. NIS2 

The Bill and NIS2 share significant common ground, including 24 and 72 hour reporting timelines, supply chain obligations, and governance duties.

The key UK-specific elements are the dual notification requirement to both your sector regulator and the NCSC, the Designated Critical Supplier mechanism, specific data centre thresholds, and the sectoral regulator model. Organisations operating across the UK and EU will need to comply with both but will find significant overlap in control requirements.

CSRB and ISO 27001

ISO 27001 certification already covers many of the required controls, including risk management, access controls, monitoring, and incident response. The gap lies in the regulatory processes. ISO 27001 doesn’t address specific reporting timelines, customer notification requirements, CAF-specific evidence, or dual notification to regulators and the NCSC. These obligations need to be added to existing ISO programmes; they can’t be assumed from certification alone.

CSRB and NIST CSF 2.0

The NIST Cybersecurity Framework provides a strong foundation across governance, identification, protection, detection, response, and recovery. As with ISO 27001, the gap is in UK-specific obligations, particularly incident reporting and regulator engagement.

NIST CSF-aligned organisations will need to layer UK-specific processes on top of their existing controls.

UK Cyber Governance Code of Practice

The Bill also aligns with the UK Cyber Governance Code of Practice introduced earlier this year, which provides guidance for boards and executive leadership teams on how to oversee cyber risk effectively. While the Code is voluntary, it signals the growing expectation that cyber security governance must be embedded at leadership and board level, not only within technical teams.

The Cyber Security and Resilience Bill isn’t just a technical requirement. Leadership teams will be expected to demonstrate oversight, accountability and informed cyber decision-making in line with the Cyber Governance Code of Practice.

How it Reforms NIS Regulations 

The Bill modernises the NIS Regulations 2018 by expanding the scope, enhancing incident reporting obligations, and aligning more closely with NIS2. This ensures UK organisations are not left behind when it comes to international standards. 

Cyber Security and Resilience Bill Crossover Matrix 

| Requirement area | CSRB expectation | NIS2 aligned | ISO 27001 certified | NIST CSF 2.0 aligned |
|---|---|---|---|---|
| Risk management & controls | CAF-aligned outcomes (A–D) | ✔ (very close) | ✔ (strong) | ✔ (strong) |
| Incident reporting timelines | 24h early warning + 72h report; expanded criteria | ✔ (like-for-like) | △ add regulatory timing/process | △ add regulatory timing/process |
| Customer notification | Required for RDSPs/DCs after significant incidents | ✔ similar concepts | △ add process & comms | △ add process & comms |
| Regulator engagement | Notify regulator + NCSC; registrations; fees; audits | △ UK-specific | △ add regulator-specific steps | △ add regulator-specific steps |
| Supply-chain scope | DCS designation; MSPs in scope | ✔ similar intent | △ strengthen supplier oversight | △ strengthen supplier oversight |
| Data centres | In scope at ≥1 MW (≥10 MW enterprise) | — EU varies | △ assess threshold & duties | △ assess threshold & duties |

Practical Steps for Preparing for the UK Cyber Resilience Bill 

Don’t wait for deadlines to be published. Taking proactive steps now reduces audit pressure, closes gaps before enforcement begins, and demonstrates due diligence to regulators, insurers, and your board.

Determine Whether You’re in Scope

Start by assessing whether your organisation falls into one of the regulated categories. Consider not just your primary services but also how you support other regulated entities. If you’re an IT service provider, a data centre, or a supplier to organisations in essential sectors, scope review is your first action.

Map Your Controls Against the CAF

Review your existing security controls against the four objectives of the NCSC Cyber Assessment Framework. Mapping your existing ISO 27001 or NIST CSF controls to CAF will identify the specific gaps you need to close and provide the evidence base regulators will want to see.

Build 24/72 Hour Incident Reporting Playbooks

Develop incident response playbooks that document exactly how you’ll meet the 24-hour early warning and 72-hour full reporting obligations. Include regulator contact details for your sector, NCSC notification routes, customer communication templates, and a process for assessing whether cascade reporting obligations apply. The worst time to design these processes is during an active incident.
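As an added example (not from the original article), the following Python tracker models the two-stage reporting regime described in the requirements section above and the playbook step here: the 24-hour and 72-hour clocks that start at the moment of awareness, dual notification to the sector regulator and the NCSC, customer notification, data-centre near-miss reporting, and cascade reporting where an upstream supplier's incident caused yours. The incident reference, supplier name and timestamps are constructed placeholders.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Statutory clocks from the article: both run from the moment of awareness.
EARLY_WARNING = timedelta(hours=24)
FULL_REPORT = timedelta(hours=72)
STAGES = ("early_warning", "full_report")
# Dual notification: every stage must reach BOTH recipients.
RECIPIENTS = ("sector_regulator", "ncsc")


@dataclass
class Incident:
    ref: str
    aware_at: datetime                        # clock start; not detection, not containment
    significant: bool                         # meets the significance criteria
    customers_affected: bool = False          # triggers customer notification
    upstream_supplier: Optional[str] = None   # set when another org's incident caused ours
    near_miss: bool = False                   # data-centre near-miss, reportable in its own right
    sent: dict = field(default_factory=dict)  # (stage, recipient) -> datetime sent
    upstream_named: bool = False              # cascade: upstream cause stated in our report
    customers_told_at: Optional[datetime] = None


def is_reportable(inc: Incident) -> bool:
    return inc.significant or inc.near_miss


def deadlines(inc: Incident) -> dict:
    return {"early_warning": inc.aware_at + EARLY_WARNING,
            "full_report": inc.aware_at + FULL_REPORT}


def record_notification(inc: Incident, stage: str, recipient: str, at: datetime) -> None:
    if stage not in STAGES or recipient not in RECIPIENTS:
        raise ValueError(f"unknown stage/recipient: {stage}/{recipient}")
    inc.sent[(stage, recipient)] = at


def hours_left(inc: Incident, stage: str, now: datetime) -> float:
    """Hours until the stage's deadline; negative once it has passed."""
    return (deadlines(inc)[stage] - now) / timedelta(hours=1)


def obligations(inc: Incident, now: datetime) -> dict:
    """Map each obligation to 'met', 'late', 'open' or 'overdue'."""
    out = {}
    if not is_reportable(inc):
        return out                       # nothing to report under this regime
    due = deadlines(inc)
    for stage in STAGES:
        for rcpt in RECIPIENTS:          # a missing recipient is an unmet obligation
            sent_at = inc.sent.get((stage, rcpt))
            if sent_at is None:
                out[f"{stage}:{rcpt}"] = "open" if now <= due[stage] else "overdue"
            else:
                out[f"{stage}:{rcpt}"] = "met" if sent_at <= due[stage] else "late"
    if inc.customers_affected:
        out["customer_notification"] = "met" if inc.customers_told_at else "open"
    if inc.upstream_supplier:
        out[f"cascade:{inc.upstream_supplier}"] = "met" if inc.upstream_named else "open"
    return out


def outstanding(inc: Incident, now: datetime) -> list:
    """Obligations still needing action, sorted by name for stable output."""
    return sorted(k for k, v in obligations(inc, now).items() if v in ("open", "overdue"))


def demo_incident() -> tuple:
    # Constructed scenario (not a real incident): aware at 09:00 UTC, reviewed 80 hours later.
    aware = datetime(2026, 3, 2, 9, 0, tzinfo=timezone.utc)
    inc = Incident("INC-EXAMPLE-1", aware, significant=True, customers_affected=True,
                   upstream_supplier="ExampleMSP Ltd (placeholder)")
    record_notification(inc, "early_warning", "sector_regulator", aware + timedelta(hours=6))
    record_notification(inc, "early_warning", "ncsc", aware + timedelta(hours=7))
    record_notification(inc, "full_report", "sector_regulator", aware + timedelta(hours=70))
    # The NCSC never received the full report: the dual-notification duty is unmet.
    return inc, aware + timedelta(hours=80)


def demo() -> dict:
    inc, now = demo_incident()
    return obligations(inc, now)


if __name__ == "__main__":
    for key, state in demo().items():
        print(f"{key:40s} {state}")
```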

Ensure Logging and SOC Visibility

Rapid reporting depends on rapid detection, and the best way to provision this for your organisation is through an expert-led Managed SOC Service. Make sure your SOC or MDR service can capture, correlate, and escalate incidents fast enough, and put clearly defined SLAs in place, particularly for P1 incidents.

DigitalXRAID’s CREST, NCSC and Microsoft accredited SOC and CIR Level 2 assurance are directly relevant to what the Cyber Security and Resilience Bill requires. Get in touch to discuss how we can support your CSRB readiness.

Audit Your Supply Chain

Review contracts with MSPs, data centre providers, and critical suppliers. Ensure cyber security obligations and incident notification timelines are clearly defined in your SLAs.

If you’re an MSP or critical supplier, review your own posture against the obligations that will apply to you and begin early engagement with the ICO as your designated regulator.

Align Board Level Governance

Review your governance structures against the Cyber Governance Code of Practice. Ensure there’s a named senior individual accountable for CSRB compliance, that cyber risk is reported at board level, and that leadership can demonstrate informed oversight if regulators come calling. Regulators will expect governance evidence, not just technical controls.

Budget for Compliance Costs

Factor in regulatory fees under the cost recovery mechanism, potential audit costs, investment in detection and reporting infrastructure, and any external expertise you’ll need for CAF mapping, legal interpretation, and regulatory engagement. Building compliance into your budget now avoids unplanned spend under time pressure later.


What Will You Need to Implement for CSRB Compliance?

For organisations newly coming into scope or with significant gaps against current requirements, the following capabilities may need to be built or procured.

  • 24/7 incident detection and initial notification capability: the 24-hour reporting window starts when you become aware. Detection delays directly shorten the time available for notification. Most organisations will need a managed SOC service to achieve this reliably.
  • Structured incident reporting processes: documented procedures for assessing incident significance, drafting notifications, and engaging your sector regulator and the NCSC simultaneously, including customer notification workflows.
  • Customer notification systems: the ability to identify affected customers, compile communications, and send them within required timeframes. For organisations with large client bases, this is a non-trivial operational requirement.
  • Logging and information management infrastructure: regulators can require you to generate and retain information you don’t currently collect. New monitoring, logging, or tracking systems may be needed specifically for compliance evidence.
  • Regulatory engagement capability: budget for external expertise including cyber security consultants for compliance interpretation, legal counsel for regulatory interactions, and potentially external auditors.

What New Powers Do Regulators Have Under the Cyber Security and Resilience Bill?

The Bill gives the government and regulators significantly more power than they hold under the existing NIS framework.

Regulators gain the ability to conduct audits of in-scope organisations, recover their compliance costs through periodic fees, and issue specific and urgent directives requiring organisations to increase monitoring, isolate systems, or implement additional controls in response to a credible threat.

The Technology Secretary gains new statutory powers to instruct both regulators and in-scope organisations to take action in the interests of national security. Where such a national security direction conflicts with another regulatory obligation, the direction takes precedence.

Regulators may also require in-scope organisations to appoint a senior cyber security professional approved by the government. Given the current shortage of qualified senior practitioners in the UK, this provision could create significant recruitment challenges for affected organisations.

These provisions represent a structural shift from reactive compliance oversight to proactive government intervention in cyber security. The government doesn’t need to wait for an incident to occur before acting.


Final Thoughts: Prepare Now for the UK Cybersecurity and Resilience Bill

The Cyber Security and Resilience Bill is the clearest signal the UK government has ever sent that cyber resilience is a mandatory obligation for critical services and their supply chains, not a discretionary investment.

The reporting timelines are defined. The penalty structure is confirmed. The scope categories are drafted. The Bill’s committee stage is complete, and it’s progressing through Parliament with broad cross-party support.

Organisations that wait for Royal Assent to begin preparing will face compressed timelines, elevated compliance costs, and the risk of being caught unprepared when the first enforcement actions arrive.

If you’re aligned with NIS2, ISO 27001, or NIST CSF, you’re part of the way there. But UK-specific obligations, from CAF mapping and dual notification to supply chain oversight and board governance, require dedicated action that existing certifications alone don’t cover.

DigitalXRAID is a CREST-accredited and NCSC-assured Cyber Incident Response Level 2 Assured Service Provider. Our CREST, NCSC and Microsoft accredited 24/7 Security Operations Centre, incident response capability, and compliance consultancy directly support what the Cyber Security and Resilience Bill requires.

Whether you need to assess your scope, map controls against the CAF, build incident reporting playbooks, or establish the 24/7 detection capability the reporting timelines demand, we can help.

Get in touch with the DigitalXRAID team today for expert guidance on CSRB readiness, framework alignment, and incident response capability.


FAQs on the Cyber Security and Resilience Bill 

What is the UK Cyber Security and Resilience Bill?

The UK Cyber Security and Resilience Bill is legislation introduced to Parliament in November 2025 that modernises the Network and Information Systems Regulations 2018. It expands the scope of regulated organisations, strengthens incident reporting requirements, introduces a two-tier penalty regime, and aligns UK cyber law more closely with the EU’s NIS2 Directive. As of March 2026, it has completed its committee stage in the House of Commons and is expected to receive Royal Assent in late 2026.

Who is in scope of the UK Cyber Resilience Bill?

Operators of Essential Services, Relevant Digital Service Providers (including managed service providers), Designated Critical Suppliers, data centres meeting the 1 MW capacity threshold, and large load controllers managing 300 MW or more of electrical load are all in scope. Organisations that wouldn’t otherwise qualify may also be designated as critical suppliers if their disruption could significantly affect essential or digital services.

What are the fines and penalties under the UK cyber bill?

The Bill introduces a two-tier penalty structure. For standard breaches, fines can reach the greater of £10 million or 2% of global annual turnover. For serious or repeated breaches, the maximum rises to the greater of £17 million or 4% of global annual turnover. For ongoing contraventions, regulators can impose daily fines of up to £100,000. These penalties are comparable to GDPR enforcement and in some cases exceed NIS2 equivalents.

What are the incident reporting timelines under the Bill?

In-scope organisations must notify their sector regulator and the NCSC within 24 hours of becoming aware of a significant incident, and provide a full incident report within 72 hours. Customer notification is required in certain circumstances. Cascade reporting obligations also apply where another organisation’s incident caused or contributed to your own.

How does the UK Cyber Security and Resilience Bill differ from NIS2?

Both share similar principles, including 24- and 72-hour reporting timelines and supply chain obligations, but the UK Bill operates through a sectoral regulator model, requires dual notification to both the sector regulator and the NCSC, introduces the Designated Critical Supplier mechanism, and sets specific thresholds for data centres. Organisations operating across both the UK and EU may need to comply with both frameworks.

When does the UK Cyber Security and Resilience Bill come into force?

The Bill is expected to receive Royal Assent in late 2026. Most operational obligations will be brought into force through secondary legislation following further consultation, with phased implementation likely running through to 2028. Some provisions may take effect on Royal Assent. The government has confirmed a sequenced approach to give regulators and industry time to prepare.

What steps should I take now to prepare for the UK cyber resilience bill?

Determine whether your organisation is in scope. Map your existing controls against the NCSC Cyber Assessment Framework. Build 24/72-hour incident reporting playbooks. Audit your supply chain contracts and obligations. Ensure you have 24/7 SOC or MDR coverage capable of meeting the reporting timelines. Align board-level governance with the Cyber Governance Code of Practice. Budget for regulatory fees, potential audits, and any capability investment required.
