The UK Cyber Security and Resilience Bill (CSRB) represents the most significant overhaul of UK cybersecurity legislation since the Network and Information Systems (NIS) Regulations 2018. Being implemented in stages through 2026 and 2027, the Bill expands the scope of regulation, introduces mandatory incident reporting with tight deadlines, and establishes turnover-based penalties that bring cybersecurity compliance into the same enforcement league as data protection. If your business operates in a regulated sector, provides digital services, or supplies organisations that do, the CSRB affects you — regardless of whether you consider yourself "in scope" or not.

This guide explains what the CSRB contains, who it affects, the key changes from the current NIS regime, specific obligations for each type of affected organisation, and what organisations should be doing now to prepare for the new regulatory landscape.

Background: Why the CSRB Exists

The NIS Regulations 2018, based on the EU NIS Directive, established cybersecurity requirements for operators of essential services (OES) and relevant digital service providers (RDSPs) across sectors including energy, transport, health, water, and digital infrastructure. While the regime represented a significant step forward, several limitations became apparent:

  • The scope was narrow — many organisations providing critical digital services fell outside the definition of RDSP
  • Incident reporting requirements were inconsistent across sectors and lacked the urgency that modern threats demand
  • Supply chain security was not explicitly addressed, despite supply chain compromise being one of the most significant threat vectors
  • Penalties did not provide sufficient deterrence for the largest organisations

The CSRB addresses each of these gaps, creating a framework that is significantly more comprehensive than the EU's updated NIS 2 Directive in several respects, particularly around supply chain obligations and reporting timelines.

What Is the Cyber Security and Resilience Bill?

The CSRB was introduced by the UK government to address gaps in the existing NIS Regulations that became apparent following several high-profile cyber incidents affecting critical national infrastructure and digital service providers. The Bill represents the government's response to a rapidly evolving threat landscape in which ransomware groups, state-sponsored actors, and cyber criminals increasingly target the UK's digital supply chains and essential services.

The Bill amends and strengthens the NIS Regulations 2018, which implemented the EU NIS Directive in the UK. Post-Brexit, the UK has the freedom to move beyond the original NIS Directive framework, and the CSRB is the first major exercise of this independence.

Who Is Affected by the CSRB?

The CSRB significantly expands the scope of organisations subject to cybersecurity regulation. In addition to the existing NIS sectors (energy, transport, health, water, digital infrastructure), the new regime brings in:

  • Managed Service Providers (MSPs) — IT support companies, managed security providers, and cloud service brokers are now explicitly in scope. This is a major expansion given the number of UK businesses that rely on MSPs for their daily IT operations.
  • Data centre operators — facilities that host critical digital infrastructure are now regulated entities in their own right, reflecting the systemic risk that data centre failures pose to multiple sectors simultaneously.
  • Digital supply chain providers — organisations that supply software, hardware, or digital services to regulated entities must meet specified security standards. This creates a cascading compliance obligation: regulated entities must ensure their suppliers are compliant, and suppliers in turn must demonstrate their security posture.
  • Tier 2 critical national infrastructure — the Bill expands the definition of digital service providers to capture a broader range of organisations whose disruption would have significant economic or societal impact.

If you provide outsourced IT services, manage cloud infrastructure for clients, operate data centre facilities, supply software to healthcare or energy organisations, or operate in any sector that the government considers part of the UK's critical national infrastructure, the Bill almost certainly affects you.

Key Changes from the Current NIS Regime

1. Mandatory Incident Reporting

The CSRB introduces one of the most demanding incident reporting regimes in the world. Organisations must notify both the relevant competent authority (such as the ICO, Ofcom, or sector-specific regulators) and the NCSC within 24 hours of becoming aware of a significant cyber incident. This initial notification must be followed by a detailed report within 72 hours and a final report within one month.

This represents a dramatic tightening from the current NIS regime, which has no fixed initial notification deadline for most sectors. The 72-hour detailed report deadline also mirrors — but is separate from — the UK GDPR's personal data breach notification requirement under Article 33. Organisations will need to manage two parallel reporting obligations for incidents that involve both operational disruption and personal data compromise.

The NCSC has indicated that "significant" incidents are those that have caused, are causing, or have the potential to cause: disruption of service, financial loss, unauthorised access to sensitive data, or reputational damage. Organisations are expected to make a good-faith assessment based on available information — the system is not designed to penalise organisations that report in good faith but later refine their understanding of the incident's scope.
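The two parallel clocks described above (24/72 hours and one month under the CSRB, 72 hours under UK GDPR Article 33) are easy to lose track of in the first hours of an incident, when the significance assessment is still being refined. The following Python sketch is an added example, not code from the original article or from the NCSC or ICO: it derives the reporting obligations and their deadlines from the awareness time and the impact types the text lists, and separates the CSRB "sensitive data" question from the UK GDPR "personal data" question, since the two do not always coincide. The `Incident` class and its field names are assumptions, the "one month" final-report window is modelled as 30 days, and the sample incident is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List


def utc(*args) -> datetime:
    """Build a timezone-aware UTC datetime; deadlines must never be computed on naive times."""
    return datetime(*args, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Incident:
    """Minimal incident record (hypothetical structure, not from the article)."""
    awareness_time: datetime              # when the organisation became aware (tz-aware)
    # Impact types the article quotes the NCSC as using for "significant" incidents:
    service_disruption: bool = False
    financial_loss: bool = False
    sensitive_data_access: bool = False   # unauthorised access to sensitive data (CSRB view)
    reputational_damage: bool = False
    # Separate UK GDPR question: sensitive data under the CSRB is not necessarily
    # personal data, so the Article 33 trigger is tracked as its own flag.
    personal_data_compromised: bool = False


# Reporting clocks as stated in the article. "One month" for the final report
# is modelled as 30 days here; that figure is an assumption, not a legal reading.
CSRB_INITIAL = timedelta(hours=24)
CSRB_DETAILED = timedelta(hours=72)
CSRB_FINAL = timedelta(days=30)
GDPR_ART33 = timedelta(hours=72)


def is_significant(incident: Incident) -> bool:
    """Good-faith significance test: any one of the four listed impact types."""
    return any((incident.service_disruption, incident.financial_loss,
                incident.sensitive_data_access, incident.reputational_damage))


def reporting_obligations(incident: Incident) -> List[dict]:
    """Return every reporting obligation the incident triggers, earliest deadline first."""
    if incident.awareness_time.tzinfo is None:
        raise ValueError("awareness_time must be timezone-aware to avoid deadline drift")
    t0 = incident.awareness_time
    obligations: List[dict] = []
    if is_significant(incident):
        recipient = "NCSC and competent authority"
        obligations += [
            {"regime": "CSRB", "stage": "initial notification",
             "recipient": recipient, "deadline": t0 + CSRB_INITIAL},
            {"regime": "CSRB", "stage": "detailed report",
             "recipient": recipient, "deadline": t0 + CSRB_DETAILED},
            {"regime": "CSRB", "stage": "final report",
             "recipient": recipient, "deadline": t0 + CSRB_FINAL},
        ]
    if incident.personal_data_compromised:
        obligations.append({"regime": "UK GDPR Art. 33", "stage": "breach notification",
                            "recipient": "ICO", "deadline": t0 + GDPR_ART33})
    # Deterministic order: by deadline, then regime name for ties (CSRB 72h vs GDPR 72h).
    return sorted(obligations, key=lambda o: (o["deadline"], o["regime"]))


def overdue(obligations: List[dict], now: datetime) -> List[str]:
    """Stages whose deadline has already passed at `now`."""
    return [o["stage"] for o in obligations if now > o["deadline"]]


def hours_remaining(obligations: List[dict], now: datetime) -> Dict[str, float]:
    """Hours left per stage (negative once missed), suitable for a triage dashboard."""
    return {o["stage"]: (o["deadline"] - now).total_seconds() / 3600 for o in obligations}


if __name__ == "__main__":
    # Constructed sample: a ransomware event that disrupted service and exposed personal data.
    sample = Incident(awareness_time=utc(2026, 3, 1, 9, 0),
                      service_disruption=True, personal_data_compromised=True)
    for o in reporting_obligations(sample):
        print(f"{o['deadline'].isoformat()}  {o['regime']:<16} {o['stage']:<20} -> {o['recipient']}")
    print("overdue at +25h:", overdue(reporting_obligations(sample), utc(2026, 3, 2, 10, 0)))
```

An incident that exposes personal data without meeting any of the four CSRB impact types yields only the ICO obligation, and a disruption with no personal data yields only the CSRB set; an incident-response runbook that hard-codes a single 72-hour clock would miss the earlier 24-hour CSRB notification in the first case and report needlessly in the second.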

2. Supply Chain Security

Regulated entities under the CSRB must assess and manage cybersecurity risks in their digital supply chains. This is not optional risk management guidance — it is a statutory obligation. Regulated entities must:

  • Conduct supply chain risk assessments for all critical suppliers
  • Require suppliers to demonstrate their cybersecurity posture (through certifications, audit reports, or security questionnaires)
  • Include security requirements in supplier contracts, including incident notification obligations
  • Monitor supplier security on an ongoing basis, not just at onboarding

For suppliers to regulated entities, this means that having ISO 27001 certification, Cyber Essentials Plus, or an equivalent independently verified security programme is increasingly becoming a contractual requirement rather than a differentiator.

3. Turnover-Based Penalties

Non-compliance with the CSRB is expected to carry an enforcement regime tied to turnover, broadly mirroring the UK GDPR model. Under that model the statutory ceiling is a turnover-based penalty at the top of the scale, but such figures apply only to the most serious failures by the largest organisations. For most businesses the practical exposure is corrective enforcement action and the operational and reputational cost of an incident, rather than a maximum fine, which is why proportionate, evidenced security measures matter more than the headline penalty.

This represents a significant escalation from the current NIS penalty regime and aligns cybersecurity regulatory risk with data protection regulatory risk. Organisations that fail to invest adequately in cybersecurity now face penalties that can be existential for smaller businesses.

4. Enhanced Enforcement Powers

The CSRB gives regulators enhanced enforcement tools, including:

  • The power to issue compliance notices requiring specific actions within defined timeframes
  • Increased information-gathering powers to assess compliance
  • The ability to require organisations to submit to independent security audits
  • Stronger powers to require organisations to notify affected customers and partners

Implementation Timeline

The CSRB is being implemented in stages. While the exact phased timeline depends on the final regulations and parliamentary process, the expected milestones are:

  • 2026 — the Bill receives Royal Assent. New sector designations (MSPs, data centres) come into force.
  • Late 2026 to early 2027 — mandatory incident reporting requirements take effect for in-scope organisations.
  • Mid 2027 — full enforcement regime active, including supply chain security obligations and penalty provisions.

The window for preparation is now — it is already 2026. Organisations that treat this year as a preparation year rather than a waiting year will be significantly ahead when full enforcement begins. Those that delay risk being caught unprepared when the first major incident triggers regulatory scrutiny under the new regime.

Interaction with Existing UK Regulations

The CSRB does not exist in isolation. In-scope organisations will need to manage compliance across multiple overlapping regulatory frameworks:

  • UK GDPR / Data Protection Act 2018 — personal data breaches require notification to the ICO within 72 hours (Article 33). An incident that involves both operational disruption and personal data may trigger both CSRB reporting (24 hours to the NCSC/competent authority) and UK GDPR reporting (72 hours to the ICO).
  • FCA Operational Resilience (PS21/3) — financial services firms already have operational resilience obligations that overlap with CSRB requirements. Firms should integrate CSRB compliance into their existing operational resilience programmes.
  • Cyber Essentials / Cyber Essentials Plus — while not a direct regulatory requirement, achieving Cyber Essentials Plus provides evidence of the security controls that CSRB-compliant organisations are expected to maintain.

Our consultants recommend that organisations map their compliance obligations across all applicable frameworks to identify overlaps, reduce duplication of effort, and ensure that a single incident response process satisfies multiple reporting requirements.

How to Prepare

  1. Determine if you are in scope — review the expanded scope carefully. If you provide managed IT services, cloud services, data centre capacity, or digital services to regulated sectors, assume you are affected and plan accordingly.
  2. Conduct a gap assessment — evaluate your current cybersecurity posture against the CSRB's expected requirements. Key areas: incident response capability (can you detect, classify, and report within 24 hours?), supply chain risk management, and security governance.
  3. Strengthen your incident response plan — the 24-hour reporting requirement is the most demanding single change. Your incident response process must include: automated or near-real-time detection, rapid classification/triage, a defined communication channel to the NCSC/competent authority, and pre-drafted notification templates.
  4. Review your supply chain security — both your own obligations as a regulated entity and (if you supply regulated entities) the obligations that will flow down to you. ISO 27001 certification provides strong evidence of a robust security programme.
  5. Engage security leadership — a fractional vCISO can provide the strategic direction and regulatory knowledge needed to navigate CSRB compliance without the cost of a full-time executive.

Why Early Preparation Matters

Our consultants advise organisations not to wait for the final regulations. The direction of travel is clear: wider scope, tighter reporting, stronger enforcement. Organisations that invest in compliance now will not only be better prepared when the CSRB takes full effect, but will also demonstrate to clients, regulators, and insurers that they take cybersecurity seriously. In a regulatory environment that is moving decisively toward accountability-based enforcement, good-faith preparation is the strongest defence.
