Cybersecurity · 12 min read · Mar 2026 · By AssurePath

The Cyber Security and Resilience Bill just passed committee. Here is what it actually means for your business.

The UK's biggest overhaul of cyber security law since 2018 is moving through Parliament at speed. Managed service providers, data centres and critical suppliers are about to face mandatory incident reporting, tighter compliance and penalties that match GDPR.

The UK's biggest overhaul of cyber security law since 2018 is moving through Parliament at speed. If you use an MSP or you are one, you need to read this.

This is not a distant proposal. It is happening now.

The Cyber Security and Resilience Bill completed its committee stage in the House of Commons in late February 2026. The amended bill was published on 25 February. It is now heading for report stage, third reading and then over to the Lords, with Royal Assent expected by the end of 2026.

That means the legislation is largely settled. The big decisions have been made. And unlike some bills that languish in committees for years, this one has cross-party support and genuine momentum behind it. The committee scrutinised it across seven sessions. The Government clearly wants this done.

If you have been waiting for the "final version" before paying attention, this is as close as you are going to get before it becomes law.

Why now? The numbers are brutal.

The Government did not draft this legislation on a whim. The threat landscape forced their hand.

The NCSC's Annual Review 2025 revealed that the UK experienced 204 nationally significant cyber incidents between September 2024 and August 2025. That is up from 89 the previous year — a 130% increase. It works out at roughly four significant attacks per week.

NCSC CEO Richard Horne did not mince words at the launch event: "Cyber security is now a matter of business survival and national resilience."

The threat landscape
  • 204 nationally significant incidents in 2024–25 (up 130%)
  • 43% of UK businesses reported a cyber breach in the past 12 months
  • 74% of large businesses reported a breach
  • £14.7bn estimated annual cost to the UK economy

Meanwhile, the UK Government's own Cyber Security Breaches Survey 2025 found that 43% of UK businesses reported experiencing a cyber breach or attack in the past 12 months. That is equivalent to around 612,000 companies. Among medium-sized businesses, that figure was 67%. Among large businesses, 74%.

The estimated annual cost of cyber attacks to the UK economy? £14.7 billion. That is roughly 0.5% of GDP.

This bill is the Government's response. And it is backed by a £210 million Cyber Action Plan, launched on the same day as the bill's second reading, which includes a new centralised Government Cyber Unit and a cross-government Cyber Profession initiative.

Secretary of State Liz Kendall put it plainly: "Cyber security is national security. This legislation will enable us to confront those who would disrupt our way of life."

Who is now in scope? (This is the bit most people miss.)

The existing NIS Regulations 2018 already cover operators of essential services — energy, transport, health, water and digital infrastructure — plus some digital service providers like cloud computing, search engines and online marketplaces.

The Cyber Security and Resilience Bill does not replace those regulations. It amends and extends them. This is important — it is a different approach to the EU, which replaced its original NIS Directive wholesale with NIS2.

Here is who gets brought into scope for the first time:

Managed service providers (MSPs)

Medium and large MSPs providing services in the UK will be classified as "Relevant Managed Service Providers" (RMSPs). They will need to conduct risk management against their network and information systems, register with the ICO and follow any guidance the ICO issues.

Data centres

Data centres are brought into scope as operators of essential services. The thresholds are 1MW rated IT load for standalone facilities and 10MW for enterprise data centres (those operated exclusively to support the owner's own business).

Critical suppliers

Regulators will be able to designate certain suppliers as "critical" based on disruption risk. If a supplier's products or services are essential enough that a compromise could cause substantial economic disruption, they are in scope.

Large load controllers

Entities controlling 300MW or more of energy smart appliances — think EV charging networks and virtual power plants — are brought in as operators of essential services.

This is a significant moment for the IT services industry. If you are a UK business using an MSP — and most SMBs are — your provider is about to face direct regulatory obligations for the first time.

The supply chain effect: why this matters even if you are not directly regulated

Here is where it gets real for most UK businesses.

Even if your organisation is not directly in scope, the supply chain provisions mean you will almost certainly feel the effects. The Government has signalled it intends to use powers from the Bill to enact secondary legislation specifically addressing supply chain cyber risks. This could mean new contractual requirements, mandatory security checks and continuity plans flowing down from regulated entities to their suppliers.

In practical terms: if you supply services to anyone who falls under the expanded NIS regime, expect tougher questions about your security posture, incident response capabilities and business continuity planning. Your MSP contracts are going to get longer.

What changes for incident reporting?

This is one of the sharpest changes in the Bill and the one that will require the most operational preparation.

Currently, under the NIS Regulations 2018, regulated entities must notify their regulator of significant incidents "without undue delay and in any event no later than 72 hours" after becoming aware.

Under the new Bill, the timelines get much tighter:

  1. 24 hours: initial notification after becoming aware of an incident.
  2. 72 hours: full incident report submitted to the regulator.
  3. As soon as practicable: notify affected UK customers.

There is also a lower reporting threshold. Incidents "having, or capable of having" an adverse effect must now be reported — not just incidents that are actually causing harm.

"That 24-hour initial reporting window is tight. Very tight. If your incident response plan currently assumes 72 hours to get things in order, you have just lost two-thirds of that time."

Penalties: now matching GDPR

The enforcement framework gets serious teeth.

Maximum penalties
  • £17M or 4% of worldwide turnover for the most serious breaches (whichever is greater)
  • £10M or 2% of global turnover for standard non-compliance
  • £100K per day for continuing contraventions

There is also a power to increase turnover-based penalties up to a maximum of 10% of worldwide turnover. On top of that, regulators gain cost recovery powers, meaning they can charge regulated entities for the cost of investigations and oversight activities. The ICO has explicitly welcomed this provision.

These are not theoretical penalties. With enhanced enforcement powers and information-sharing protocols with law enforcement, regulators will have both the motivation and the tools to act.

How does this compare to EU NIS2?

If you read our recent post on the EU AI Act and its implications for UK businesses, you will know that UK businesses cannot ignore European regulation just because of Brexit. The same logic applies here.

The UK Government has been explicit that it wants UK cyber law to "sit more comfortably alongside international frameworks, particularly the EU's NIS2."

The key similarities: both require 24-hour initial incident notification, both bring MSPs and data centres into scope and both mandate customer notification. The key difference: the UK Bill amends the existing NIS framework rather than replacing it, and relies more heavily on secondary legislation for operational detail.

For businesses operating across both jurisdictions, this alignment is good news. Compliance with one should largely satisfy the other — though the devil will be in the detail of the secondary legislation.

Your 7-step action plan (start this week)

You do not need to wait for Royal Assent. The policy intent is settled. Here is what to do now:

1. Work out if you are in scope
Are you an MSP, data centre operator, or supplier to organisations that are? Even if you are not directly regulated, your customers' compliance obligations will flow down to you. If you are not sure, a cyber risk assessment is a good starting point.

2. Audit your incident response timeline
Can your team detect, assess and report a cyber incident within 24 hours? If you have not tested this under realistic conditions, a tabletop exercise will show you exactly where the gaps are.

3. Review your MSP contracts
If you outsource IT, check what your provider's incident reporting obligations are. What does your contract say about notification timelines? Are there clauses covering customer notification? If not, these need adding.

4. Document your security posture
The Bill introduces outcome-based duties rather than tick-box checklists. You need to be able to demonstrate that your security measures are appropriate, proportionate and effective. If you do not have formal policies in place, start there.

5. Get Cyber Essentials certified
The Government is pushing Cyber Essentials harder than ever. Organisations with Cyber Essentials certification see 92% fewer insurance claims. It is the minimum credible standard and it is increasingly being demanded by enterprise clients and public sector buyers.

6. Brief your board
Only 27% of UK businesses now have a board member responsible for cyber security, down from 38% in 2021. That is a worrying trend and one the Bill is designed to reverse. Make sure your leadership team understands what is coming. If you do not have a CTO or IT Director to drive this, a fractional technology leader can fill that gap without the six-figure salary commitment.

7. Monitor the secondary legislation
The Bill grants the Secretary of State significant powers to expand scope and introduce detailed requirements through secondary legislation. This means the regulatory perimeter is not fixed. Keep watching, or better yet, have someone watch for you.

The bottom line

The Cyber Security and Resilience Bill is not a surprise. It has been telegraphed since the King's Speech in July 2024. But now it is real, it is detailed and it is moving fast.

For UK businesses — especially those using or providing managed IT services — this is the most significant change to cyber security regulation since the original NIS Regulations in 2018. The combination of expanded scope, compressed reporting timelines, GDPR-level penalties and supply chain obligations means that ignoring it is not an option.

The good news? If you have been following sensible cyber hygiene practices — the kind we have been writing about and implementing for clients for years — you are already most of the way there. The Bill rewards organisations that take security seriously. It punishes those that do not.

"Start preparing now. Do not wait for Royal Assent."

Where AssurePath fits in

We help UK businesses get ready for exactly this kind of regulatory change without overcomplication or enterprise cost. Whether you need to tighten your incident response, review MSP contracts or build a proper security posture from scratch, we have done this before.

  • Incident response planning and tabletop exercises
  • Cyber Essentials certification support
  • MSP contract review and security audits
  • Fractional CISO and compliance leadership

The Bill is moving. Your preparation should be too. Talk to an engineer.

Where to start

You do not need to wait for Royal Assent. The policy intent is settled. Start with a tabletop exercise, then close the gaps it reveals.

Talk to an engineer. Not a salesperson.

Worried the Bill will catch you out? Let's pressure-test your readiness.

No sales pitch. No scoping fees. A practical conversation about where the gaps are and what it would take to close them before the regulator notices.