UK Proposes New Cybersecurity Law with Stricter Reporting and Governance Rules

The UK’s proposed Cyber Security and Resilience Bill expands oversight to critical suppliers, MSPs, and digital services, introducing stricter governance, 24/72-hour incident reporting, and enhanced regulator powers to strengthen national defenses against rising cyber threats.

    As cyber threats mount in scale and complexity, the UK has taken a definitive step to modernize its national defenses. On April 1, 2025, the UK government published its policy statement for the Cyber Security and Resilience Bill (CS&R), a wide-reaching legislative proposal designed to reinforce the country's ability to mitigate, respond to, and recover from cyber incidents. Built on the foundation of the existing Network and Information Systems (NIS) Regulations 2018, the proposed bill broadens the scope of obligations and oversight for digital infrastructure, critical suppliers, and digital services.

    New Bill Reflects an Urgent Need to Modernize Cyber Resilience

    The CS&R Bill is being introduced at a time of heightened digital vulnerability, following a series of high-impact cyberattacks targeting UK institutions. Recent ransomware campaigns have severely disrupted NHS operations, hindered delivery services at Royal Mail, and breached highly sensitive environments such as the Ministry of Defence. In a notable attack in June 2024, a ransomware incident at a supplier to the NHS caused over 10,000 outpatient appointment cancellations and nearly 1,700 postponed elective procedures across major NHS hospitals in England.

    These events underscore the growing assault on critical infrastructure and have prompted the government to take decisive action. The CS&R bill not only updates legacy regulations but also equips the UK with a forward-leaning legislative framework aligned with emerging threats and technologies.

    Expanded Scope Brings Critical Suppliers and MSPs into Regulatory Focus

    The CS&R bill significantly extends regulatory obligations beyond the five core sectors (transport, energy, drinking water, health, and digital infrastructure) historically covered under the UK NIS regime. The changes to scope include:

    • Managed Service Providers (MSPs): Organizations that manage IT systems, networks, or security on behalf of other organizations are brought into scope for the first time and will be accountable for incidents that affect the services they support.
    • Relevant Digital Service Providers (RDSPs): Online marketplaces, search engines, and cloud computing services, already regulated under NIS, will face strengthened requirements and closer supervision by their regulator.
    • Designated Critical Suppliers (DCS): Regulators will gain the power to designate suppliers whose failure would disrupt essential or digital services and to place them under direct security and reporting duties. Data centres are also to be brought into scope as part of the digital infrastructure sector.

    By embedding these entities within its jurisdiction, the bill aligns the UK more closely with the EU’s NIS2 directive, closing historic coverage gaps and reducing systemic risk from third-party dependencies.

    New Incident Reporting Requirements Aim to Improve Threat Visibility

    One of the most transformative aspects of the CS&R bill is the overhaul of cyber incident reporting obligations. Organizations within scope will now be required to:

    1. Submit an initial notification within 24 hours of becoming aware of a significant incident. This notification must be provided to both the responsible regulator and the National Cyber Security Centre (NCSC).
    2. File a full incident report within 72 hours, detailing what is known about the root cause, the impact on services and customers, and the planned recovery steps.

    Additionally, the reporting threshold is widened so that incidents which compromise the confidentiality or integrity of systems must be reported even where service has not yet been disrupted; ransomware incidents and material service disruptions fall squarely within this. The resulting data is intended to support proactive threat analysis and a coordinated national response, giving the government a near real-time national picture of cyber incidents.

    Governance, Audits, and Vendor Risk Management Prioritized

    The proposed law also emphasizes the role of leadership and governance in cybersecurity. Organizations will be expected to adopt recognized frameworks such as Cyber Essentials and to assign cyber governance responsibilities at board level. To improve accountability and ensure baseline security hygiene across digital infrastructure, the bill requires:

    • Regular internal and external security audits
    • Mandatory system updates and patching
    • Strengthened supply chain controls, including third-party risk management across all tiers

    Regulators, including the Information Commissioner's Office (ICO), which oversees digital service providers, will gain enhanced powers to issue information notices, require registration from in-scope providers, and exchange intelligence with other regulators and the NCSC through new information sharing gateways. These expanded authorities are intended to streamline oversight, reduce compliance gaps, and enable rapid enforcement action where needed.

    Empowered Regulators and Up-to-Date Enforcement Mechanisms

    Another major change is the repositioning of regulatory enforcement. The bill gives the Technology Secretary powers to update the regulatory framework, including security requirements and the sectors in scope, through secondary legislation rather than primary legislation, allowing the government to adapt more quickly to new threat vectors.

    Twelve sector regulators—known as competent authorities—will maintain responsibilities for implementing the regulation, yet with bolstered authority to:

    • Monitor emerging threats across sectors
    • Prioritize systemic risks introduced by digital supply chains
    • Impose financial penalties for non-compliance with new cyber security duties

    Though exact fine amounts have not yet been disclosed, the language suggests alignment with more robust EU-style enforcement models, signaling a marked increase in regulatory expectations.

    Post-Implementation Reviews Reveal Progress and Gaps

    The CS&R Bill builds on findings from two prior post-implementation reviews of the NIS Regulations (conducted in 2020 and 2022). While both reports acknowledged that the existing framework had a positive impact—particularly in safeguarding CNI (critical national infrastructure)—they concluded that progression had not kept pace with the evolving threat environment.

    The 2022 review noted that:

    • Only about 50% of operators of essential services had meaningfully updated their cybersecurity policies since 2018.
    • The existing regulatory model lacked agility in addressing fast-moving, complex threats.
    • Government visibility into critical cyber incidents was inadequate due to under-reporting.

    These issues are now addressed directly through clearer mandates, broader legal coverage, and more proactive oversight protocols.

    Preparing for Compliance: Key Considerations for Organizations

    With the bill expected to reach Parliament later in 2025, organizations should begin preparing for a more stringent compliance environment. Preparatory actions should include:

    • Assessing supply chain risk and bolstering third-party contract requirements
    • Reviewing or adopting leadership-aligned risk frameworks such as Cyber Essentials Plus
    • Establishing incident response protocols aligned with the 24/72-hour reporting model
    • Engaging with regulators and stakeholders as part of ongoing consultations

    Given the bill’s UK-wide applicability and evolved scope, cyber teams, compliance officers, and supply chain managers across sectors will need to align on strategy and execution well ahead of enforcement.

    “Providers of essential services in the UK cannot afford to ignore these threats,” warned Felicity Oswald, then interim CEO of the National Cyber Security Centre, in her speech at CYBERUK 2024.

    Strengthening UK Cyber Resilience for a Digital Future

    The Cyber Security and Resilience Bill reflects the UK government’s recognition that national security and economic stability are now tightly interwoven with digital infrastructure protection. By expanding sector coverage, strengthening governance, and introducing rigorous incident reporting, the bill aims to create a more defensible posture against the rising tide of sophisticated cyberattacks.

    While the path to compliance will require significant effort across industries, the proposed reforms lay critical groundwork for a more resilient and secure digital economy—one equipped to withstand the challenges of both today and tomorrow.
