30 March 2026
The UK government is moving forward with the Cyber Security and Resilience Bill, a major update to the nation’s cyber security regulations first introduced in November 2025 and set to roll out from mid-2026.
While it mainly targets operators of critical infrastructure and large organisations providing essential services, mid-market businesses should pay attention: changes in regulatory expectations and supply chain requirements could reach them sooner than they expect.
The bill reflects a broader shift in regulatory treatment of cyber risk. Large organisations in scope will need to show stronger cyber resilience across operations and supply chains, which will in turn raise expectations for suppliers, partners, and service providers. Mid-market businesses may face stricter cyber requirements through procurement, contracts, and third-party risk assessments.
Much like GDPR reshaped data governance, this legislation signals a move toward more structured cyber resilience across the UK economy to counter rising cyber claims.
Businesses engaging with larger enterprises or operating in their supply chains should view the bill as a clear indicator of where future expectations are heading. Understanding its provisions, timeline, and preparation needs is increasingly crucial.
What is changing?
The Cyber Security and Resilience Bill updates the UK’s existing cyber security framework, established by the Network and Information Systems (NIS) Regulations 2018. Those regulations were designed to improve cyber security among organisations responsible for essential services such as energy, water, healthcare and transport. Since their introduction in 2018, the threat landscape has changed significantly, with cyber-attacks becoming more frequent, more organised and more disruptive.
One of the most important changes proposed in the bill is the expansion of the organisations that may fall within regulatory oversight.
The current NIS regulations apply mainly to operators of essential services and a limited group of digital service providers. The new framework is expected to broaden this scope to include a wider set of digital infrastructure organisations.
This could include managed service providers, data centre operators, additional digital service providers and key technology suppliers that support critical infrastructure.
Cyber risk does not sit solely with infrastructure operators. Many vulnerabilities exist within the technology and service providers that support them. Expanding the regulatory scope is intended to address these wider ecosystem risks.
The bill also introduces stronger cyber security obligations. Organisations within scope will need to demonstrate that cyber risk is being managed systematically. This includes formal cyber risk management processes, continuous monitoring and threat detection, clear incident response procedures and stronger oversight of third-party and supplier risks.
The emphasis is moving away from basic technical controls towards broader operational resilience. Organisations will be expected to show that they can detect, respond to and recover from cyber incidents effectively.
Incident reporting requirements are also likely to become stricter.
Existing reporting arrangements are often criticised for being inconsistent or slow. The new legislation is expected to introduce tighter timelines for reporting serious cyber incidents and clearer thresholds for what must be reported.
Regulators will require earlier notification of significant incidents and more detailed information on how they are being managed. This is intended to improve visibility of emerging threats and enable quicker responses to incidents that may affect critical services.
Regulators themselves will gain additional powers under the proposed legislation. These powers may include the ability to carry out proactive cyber security audits, request evidence of security controls and investigate cyber incidents in greater depth. In some cases, regulators may also examine the cyber resilience of suppliers where those suppliers play a role in delivering essential services.
The bill also proposes stronger enforcement mechanisms. Financial penalties for serious non-compliance could reach up to £17 million or a percentage of global turnover, reflecting the enforcement approach used in other regulatory frameworks such as GDPR.
These maximum penalties apply only to organisations directly regulated under the new framework. The aim is to ensure cyber security is treated as a board-level risk rather than a purely technical issue.
When does it come into force?
The final timeline will evolve as the legislation progresses, but the overall direction is becoming clearer. As outlined above, the government first set out its plans for strengthening cyber regulation during 2025, when policy proposals for the bill were published and draft legislation was introduced to Parliament.
During 2026 the bill is expected to move through the remaining parliamentary stages and receive Royal Assent. Some regulatory powers may begin to take effect shortly after this point.
More detailed requirements are likely to follow between 2026 and 2027 through secondary legislation and guidance issued by regulators. This phased approach means many practical obligations will be clarified after the law is formally passed.
Organisations should therefore expect further detail over the next 12 to 24 months as regulators publish sector guidance and implementation timelines.
Who is affected, and why should mid-market businesses pay attention?
The organisations most clearly targeted by the bill are operators of essential services, major digital infrastructure providers, large digital service companies and managed service providers that support critical sectors. Despite this focus, the impact of the legislation will extend further across the economy. One of the key themes of the bill is supply chain security: organisations regulated under the new framework will need to demonstrate that their suppliers meet appropriate cyber security standards.
In practice this means that many businesses outside the direct scope of the legislation will still face stronger expectations from their customers. Cyber resilience is increasingly becoming a procurement requirement rather than simply a regulatory one.
This could appear in several ways. Businesses may face more detailed cyber security questionnaires during procurement. Some contracts may require formal security certifications or defined cyber controls. Larger organisations may introduce ongoing supplier security monitoring or periodic cyber assessments.
For mid-market organisations that supply technology, services or operational support to larger enterprises, this shift could be significant. Even companies that do not operate within critical sectors may find that their customers expect higher cyber standards.
These expectations are already emerging. Many organisations are seeing greater scrutiny through procurement processes, third-party risk management programmes and cyber insurance requirements. Security frameworks such as Cyber Essentials and ISO/IEC 27001 are increasingly used by larger organisations to assess supplier security maturity.
The Cyber Security and Resilience Bill is likely to accelerate this trend, and businesses that rely on contracts with larger enterprises should assume that cyber resilience will become a more prominent requirement.
How can businesses prepare?
Although the final details of the legislation are still developing, organisations do not need to wait for the law to take effect before strengthening their cyber resilience.
One of the most important steps is improving cyber governance. Cyber security should be recognised as a business risk rather than solely an IT responsibility.
Senior leadership teams should understand the organisation’s cyber risk exposure and have clear oversight of how those risks are managed.
Businesses should also consider where they sit within wider supply chains. Organisations that provide services to infrastructure providers, large enterprises or regulated sectors may face greater scrutiny in the coming years. Understanding these relationships can help identify where cyber expectations may increase.
Assessing current cyber maturity is another useful step. Many organisations benefit from benchmarking their existing controls against recognised frameworks. Examples include Cyber Essentials, ISO/IEC 27001 and the NIST Cybersecurity Framework. These frameworks provide structured guidance on risk management, governance and technical security controls.
Incident response preparation is equally important.
Organisations should ensure they have clear procedures for detecting, responding to and recovering from cyber incidents. This includes defined responsibilities, communication processes and escalation procedures. Testing these plans periodically can help ensure the organisation is prepared when incidents occur.
Businesses should also expect an increase in security assurance requests from customers. Supplier questionnaires, requests for evidence of controls and periodic cyber reviews are becoming more common. Organisations that can clearly demonstrate their cyber security practices are likely to find this process easier to manage.
What comes next?
The Cyber Security and Resilience Bill is still moving through the legislative process, but its direction is clear. The UK government is placing greater emphasis on cyber resilience as part of national infrastructure protection and economic stability.
For organisations directly within scope, the legislation will introduce stronger regulatory oversight. For many mid-market businesses the impact will be indirect but still significant, particularly through supply chains and commercial relationships.
Further detail will emerge as the bill progresses and regulators publish additional guidance on how the framework will operate in practice. Implementation timelines, sector-specific expectations and compliance requirements will become clearer as the law approaches its enforcement stage. For organisational leaders, the message is clear: cyber resilience is now a strategic priority, not just an IT responsibility. Those who invest early in governance, controls, and incident readiness will be best positioned to meet evolving regulatory and customer expectations.
We will provide more updates as the legislation moves closer to implementation and further guidance becomes available. Businesses that begin strengthening their cyber posture early will be better placed to respond as expectations evolve. For now, it remains a space worth watching closely as implementation approaches.