Cyber Security and Resilience Bill Explained

What is the Cyber Security and Resilience Bill?

Cyber threats are becoming more frequent, more sophisticated and more damaging. From ransomware attacks to supply chain breaches, UK businesses of all sizes are facing increased pressure to secure their systems and data.

In 2025, Jaguar Land Rover (JLR) suffered a major cyber attack that brought production to a standstill across multiple sites. The incident had a cascading effect, disrupting the broader automotive supply chain, delaying outputs for manufacturers and causing reputational damage both nationally and internationally.

This Bill builds on existing laws like the Network and Information Systems (NIS) Regulations 2018, which already apply to certain essential services and digital providers. However, with the pace of change in technology and cyber threats, those regulations need modernising.

The Cyber Security and Resilience Bill is expected to be introduced to Parliament in 2025 and will apply across the UK. While still in development, the direction and key proposals are already clear.

What is the Objective of the Bill?

The primary aim of the Bill is to improve the UK's national cyber resilience. That means:

  • Making sure more organisations that are critical to the economy and public services are properly secured.
  • Giving regulators the tools they need to monitor and enforce compliance.
  • Ensuring that laws can evolve as new threats and technologies emerge.

In simple terms, the Bill is about modernising cybersecurity law to reflect today’s digital risks and making sure businesses, supply chains and infrastructure providers can keep up.

Key Aspects of the Bill

1. Bringing More Businesses Under the Regulatory Framework

Currently, only certain essential services and digital service providers are regulated under the NIS framework. However, cyber threats don’t respect sector boundaries and many businesses not previously considered critical have become essential links in the UK’s digital and operational supply chains.

When these businesses lack robust cybersecurity measures, they don't just put themselves at risk, they expose their partners and clients to potential breaches as well. This makes them a key point of vulnerability within broader national infrastructure.

The Bill addresses this by expanding the scope of regulation to include:

Managed Service Providers (MSPs)

Companies like Minster that deliver outsourced IT, cloud and cybersecurity services to other organisations. These providers often have privileged access to clients' systems and data. If compromised, the impact can ripple through multiple businesses. Bringing MSPs under regulation reflects their growing importance, as well as the scale of risk if they are not secure.

Critical Suppliers

These are businesses that supply or support essential services, such as those in utilities, healthcare or transport. A disruption at this level could affect multiple operators and even public safety. By regulating critical suppliers, the Bill aims to improve cybersecurity throughout supply chains, not just at the top tier.

Data Centres

Although not yet confirmed, data centres could fall under regulation depending on factors such as their energy capacity, the type of data they host and their role in the digital supply chain. These facilities often underpin cloud services, national databases and core platforms, making them central to operational resilience across sectors.

Bringing these groups under the regulatory umbrella means a significant number of new organisations may need to comply with enhanced cyber obligations. These include:

  • Conducting regular risk assessments of systems and processes
  • Maintaining robust cybersecurity policies and controls
  • Monitoring third-party suppliers for vulnerabilities
  • Reporting incidents promptly, even if core services aren’t directly disrupted

This marks a shift from reactive to proactive cybersecurity governance. For MSPs and their clients, this could also mean tighter contracts, greater transparency and more collaboration around resilience planning.

2. Strengthening Regulator Powers and Increasing Accountability

To effectively enforce these expanded rules, regulators will be given a strengthened toolkit. This includes:

  • Charging fees to fund their compliance and enforcement activities
  • Investigating cyber risks more deeply and regularly, including the power to compel information
  • Issuing fines and public enforcement notices where there’s failure to meet the required standards
  • Setting strict incident reporting timelines: an initial notification within 24 hours, with a full report expected within 72 hours

There is also a growing expectation that organisations will need to report incidents not just to regulators but also to affected customers and the National Cyber Security Centre (NCSC).

This stronger regulatory oversight underscores the government’s push toward accountability and transparency, recognising that cyber incidents are now as disruptive as traditional business risks.

3. Keeping Cyber Regulations Flexible and Future-Ready

The Bill recognises that cyber threats change faster than traditional legislation can adapt. That is why it introduces flexibility-by-design, allowing the government to:

  • Update the list of regulated sectors, services or thresholds via secondary legislation
  • Introduce or revise technical standards and codes of practice, aligned with the NCSC Cyber Assessment Framework
  • Direct regulated organisations to act in times of national cyber emergency or threat escalation

This adaptive approach aims to keep the UK’s cyber regulations fit for purpose, even as new technologies, threat actors and vulnerabilities emerge. For businesses, it means staying compliant will require ongoing vigilance and adaptability, not just a one-time checklist.

In short, the Bill creates a living framework: one that evolves alongside the very threats it aims to mitigate. It places security at the heart of operations and demands that organisations of all sizes take their role in national resilience seriously.

How Will the Bill Affect Your Business?

If you run an SME, especially in manufacturing, or if you provide or rely on managed IT services, you may be affected by this Bill. Certain SMEs could be:

  • Brought into the scope of regulation for the first time
  • Required to meet new security standards
  • Obliged to report certain cyber incidents within strict timelines
  • Asked to demonstrate oversight of their supply chain and vendors

Even if your business is not directly named, you may still be affected through client requirements, contract changes or supplier audits. Preparing early is a smart move.

What should you do now?

  • Assess your current cyber risk, especially in your supply chain
  • Review your incident response plans
  • Consider Cyber Essentials or other certifications as a foundation
  • Stay informed as the Bill progresses

If you work with an IT support provider like Minster, it is worth discussing how these changes might affect you and what steps you can take to stay ahead.

Frequently Asked Questions

Does the Cyber Security and Resilience Bill apply to small businesses?

Potentially, yes. If you provide essential digital services or are part of a regulated supply chain, you may fall under the new rules.

What is a "critical supplier"?

A business that provides services or products essential to the functioning of another company that is itself critical to the UK’s infrastructure or economy.

Will I need to report cyber incidents?

If you are in scope, yes. Serious cyber incidents may need to be reported within 24 hours of detection.

Is this linked to Cyber Essentials?

Cyber Essentials is not a legal requirement under this Bill, but it is an important starting point: a government-backed certification that helps you take control of your cyber security and demonstrate alignment with broader cybersecurity best practices.

When will this become law?

The Bill is expected to be introduced to Parliament in 2025, with further details and timelines to follow.
