This Is Not a Distant Proposal. It Is Happening Now.
The Cyber Security and Resilience Bill completed its committee stage in the House of Commons in late February 2026. The amended bill was published on 25 February. It is now heading for report stage, third reading and then over to the Lords, with Royal Assent expected by the end of 2026.
Source: Parliament.uk – Bill 385 2024-26, last updated 27 February 2026
That means the legislation is largely settled. The big decisions have been made. And unlike some bills that languish in committees for years, this one has cross-party support and genuine momentum behind it. The committee scrutinised it across seven sessions. The Government clearly wants this done.
If you have been waiting for the “final version” before paying attention, this is as close as you are going to get before it becomes law.
Why Now? The Numbers Are Brutal.
The Government did not draft this legislation on a whim. The threat landscape forced their hand.
The NCSC’s Annual Review 2025 revealed that the UK experienced 204 nationally significant cyber incidents between September 2024 and August 2025. That is up from 89 the previous year – a 130% increase. It works out at roughly four significant attacks per week.
Source: NCSC – “UK Experiencing Four Nationally Significant Cyber Attacks Weekly”
NCSC CEO Richard Horne did not mince words at the launch event: “Cyber security is now a matter of business survival and national resilience.”
Source: NCSC Annual Review 2025 launch speech
Meanwhile, the UK Government’s own Cyber Security Breaches Survey 2025 found that 43% of UK businesses reported experiencing a cyber breach or attack in the past 12 months. That is equivalent to around 612,000 companies. Among medium-sized businesses, that figure was 67%. Among large businesses, 74%.
Source: DSIT/Home Office – Cyber Security Breaches Survey 2025
The estimated annual cost of cyber attacks to the UK economy? £14.7 billion. That is roughly 0.5% of GDP.
This bill is the Government’s response. And it is backed by a £210 million Cyber Action Plan, launched on the same day as the bill’s second reading, which includes a new centralised Government Cyber Unit and a cross-government Cyber Profession initiative.
Source: Computer Weekly – “UK Government to Spend £210m on Public Sector Cyber Resilience”
Secretary of State Liz Kendall put it plainly: “Cyber security is national security. This legislation will enable us to confront those who would disrupt our way of life.”
Who Is Now in Scope? (This Is the Bit Most People Miss)
The existing NIS Regulations 2018 already cover operators of essential services – energy, transport, health, water and digital infrastructure – plus some digital service providers like cloud computing, search engines and online marketplaces.
The Cyber Security and Resilience Bill does not replace those regulations. It amends and extends them. This is important – it is a different approach from the EU’s, which replaced its original NIS Directive wholesale with NIS2.
Here is who gets brought into scope for the first time:
Managed Service Providers (MSPs)
Medium and large MSPs providing services in the UK will be classified as “Relevant Managed Service Providers” (RMSPs). They will need to manage the risks to their network and information systems, register with the ICO and follow any guidance the ICO issues.
Data Centres
Data centres are brought into scope as operators of essential services. The thresholds are 1MW rated IT load for standalone facilities and 10MW for enterprise data centres (those operated exclusively to support the owner’s own business).
Critical Suppliers
Regulators will be able to designate certain suppliers as “critical” based on disruption risk. If a supplier’s products or services are essential enough that a compromise could cause substantial economic disruption, they are in scope.
Large Load Controllers
Entities controlling 300MW or more of energy smart appliances – think EV charging networks and virtual power plants – are brought in as operators of essential services.
Sources: TLT LLP, 26 January 2026; Travers Smith
This is a significant moment for the IT services industry. If you are a UK business using an MSP – and most SMBs are – your provider is about to face direct regulatory obligations for the first time.
The Supply Chain Effect: Why This Matters Even If You Are Not Directly Regulated
Here is where it gets real for most UK businesses.
Even if your organisation is not directly in scope, the supply chain provisions mean you will almost certainly feel the effects. The Government has signalled it intends to use powers from the Bill to enact secondary legislation specifically addressing supply chain cyber risks. This could mean new contractual requirements, mandatory security checks and continuity plans flowing down from regulated entities to their suppliers.
Source: Macfarlanes – “Cyber Security and Resilience Bill Progresses Through Parliament”, March 2026
In practical terms: if you supply services to anyone who falls under the expanded NIS regime, expect tougher questions about your security posture, incident response capabilities and business continuity planning. Your MSP contracts are going to get longer.
What Changes for Incident Reporting?
This is one of the sharpest changes in the Bill and the one that will require the most operational preparation.
Currently, under the NIS Regulations 2018, regulated entities must notify their regulator of significant incidents “without undue delay and in any event no later than 72 hours” after becoming aware.
Under the new Bill, the timelines get much tighter:
There is also a lower reporting threshold. Incidents “having, or capable of having” an adverse effect must now be reported – not just incidents that are actually causing harm.
Sources: TLT LLP, 26 January 2026; Kennedys Law, 27 January 2026
That 24-hour initial reporting window is tight. Very tight. If your incident response plan currently assumes 72 hours to get things in order, you have just lost two-thirds of that time.
Penalties: Now Matching GDPR
The enforcement framework gets serious teeth.
There is also a power to increase turnover-based penalties up to a maximum of 10% of worldwide turnover. On top of that, regulators gain cost recovery powers, meaning they can charge regulated entities for the cost of investigations and oversight activities. The ICO has explicitly welcomed this provision.
These are not theoretical penalties. With enhanced enforcement powers and information-sharing protocols with law enforcement, regulators will have both the motivation and the tools to act.
How Does This Compare to EU NIS2?
If you read our recent post on the EU AI Act and its implications for UK businesses, you will know that UK businesses cannot ignore European regulation just because of Brexit. The same logic applies here.
The UK Government has been explicit that it wants UK cyber law to “sit more comfortably alongside international frameworks, particularly the EU’s NIS2.”
Source: Macfarlanes, March 2026
UK Bill vs EU NIS2: The Key Differences
The key similarities: both require 24-hour initial incident notification, both bring MSPs and data centres into scope and both mandate customer notification. The key difference: the UK Bill amends the existing NIS framework rather than replacing it, and relies more heavily on secondary legislation for operational detail.
For businesses operating across both jurisdictions, this alignment is good news. Compliance with one should largely satisfy the other – though the devil will be in the detail of the secondary legislation.
Your 7-Step Action Plan (Start This Week)
You do not need to wait for Royal Assent. The policy intent is settled. Here is what to do now:
Work out if you are in scope
Are you an MSP, data centre operator, or supplier to organisations that are? Even if you are not directly regulated, your customers’ compliance obligations will flow down to you. If you are not sure, our free cyber risk assessment is a good starting point.
Audit your incident response timeline
Can your team detect, assess and report a cyber incident within 24 hours? If you have not tested this under realistic conditions, a tabletop exercise will show you exactly where the gaps are. We wrote about why this matters back in October – it is worth a re-read.
Review your MSP contracts
If you outsource IT, check what your provider’s incident reporting obligations are. What does your contract say about notification timelines? Are there clauses covering customer notification? If not, these need adding.
Document your security posture
The Bill introduces outcome-based duties rather than tick-box checklists. You need to be able to demonstrate that your security measures are appropriate, proportionate and effective. If you do not have formal policies in place, start with our free IT policy templates and build from there.
Get Cyber Essentials certified
The Government is pushing Cyber Essentials harder than ever. The data backs it up: organisations with Cyber Essentials certification see 92% fewer insurance claims. It is the minimum credible standard and it is increasingly being demanded by enterprise clients and public sector buyers.
Brief your board
Only 27% of UK businesses now have a board member responsible for cyber security, down from 38% in 2021. That is a worrying trend and one the Bill is designed to reverse. Make sure your leadership team understands what is coming and has signed off on a readiness plan. If you do not have a CTO or IT Director to drive this, a fractional technology leader can fill that gap without the six-figure salary commitment.
Monitor the secondary legislation
The Bill grants the Secretary of State significant powers to expand scope and introduce detailed requirements through secondary legislation. This means the regulatory perimeter is not fixed. Keep watching – or better yet, have someone watch for you.
Source (Cyber Essentials stat): UK Government summary of economic impact research, November 2025
Source (board stat): DSIT/Home Office – Cyber Security Breaches Survey 2025
The Bottom Line
The Cyber Security and Resilience Bill is not a surprise. It has been telegraphed since the King’s Speech in July 2024. But now it is real, it is detailed and it is moving fast.
For UK businesses – especially those using or providing managed IT services – this is the most significant change to cyber security regulation since the original NIS Regulations in 2018. The combination of expanded scope, compressed reporting timelines, GDPR-level penalties and supply chain obligations means that ignoring it is not an option.
The good news? If you have been following sensible cyber hygiene practices – the kind we have been writing about and implementing for clients for years – you are already most of the way there. The Bill rewards organisations that take security seriously. It punishes those that do not.
Start preparing now. Do not wait for Royal Assent.
Sources & Further Reading
- Cyber Security and Resilience Bill – Parliamentary Bills – Parliament.uk
- UK Experiencing Four Nationally Significant Cyber Attacks Weekly – NCSC
- NCSC Annual Review 2025 Launch Speech – Richard Horne, NCSC CEO
- Cyber Security Breaches Survey 2025 – DSIT / Home Office
- UK Government to Spend £210m on Public Sector Cyber Resilience – Computer Weekly
- Understanding the UK’s Legislative Response to Digital Threats – TLT LLP
- The UK’s New Cyber Security and Resilience Bill – Travers Smith
- Cyber Security and Resilience Bill Progresses Through Parliament – Macfarlanes
- The Bill Reshaping the Cyber Security Landscape – Kennedys Law
- A New Era for UK Cybersecurity Regulation – Trowers & Hamlins
- Economic Impact of Cyber Attacks on the UK – UK Government
Where AssurePath Fits In
We help UK businesses get ready for exactly this kind of regulatory change without overcomplication or enterprise cost. Whether you need to tighten your incident response, review MSP contracts or build a proper security posture from scratch, we have done this before.
- Incident response planning and tabletop exercises
- Cyber Essentials certification support
- MSP contract review and security audits
- Fractional CISO and compliance leadership
The Bill is moving. Your preparation should be too.