Key Takeaways
- The Cyber Security and Resilience Bill was introduced to Parliament on 12 November 2025 and updates the NIS Regulations 2018.
- The Bill is designed to ensure that essential services and digital infrastructure can continue operating during cyber incidents and reflects a shift from purely protecting systems to emphasising system resilience and continuity
- It brings new organisations into scope, including datacentres, managed service providers and suppliers that regulators designate as critical.
- Many businesses that are not directly regulated will still feel it, as requirements pass down through contracts.
- Serious incidents must be flagged within 24 hours, with a full report within 72 hours and affected customers told.
The rules that govern cyber security in the UK are about to cover far more organisations than they do today. Until now, legal duties fell only on operators of essential services, in sectors such as energy, transport, water, health and digital infrastructure, and on a small group of digital providers, namely online marketplaces, search engines and cloud computing services. The Cyber Security and Resilience Bill changes that. This post explains what it does, who falls in scope, and how to stay ahead.
What the Cyber Security and Resilience Bill Actually Does
The Cyber Security and Resilience Bill is proposed UK legislation that reforms and expands the Network and Information Systems Regulations 2018, the country’s main cross sector cyber law. The government introduced it to Parliament on 12 November 2025, and it has since completed its second reading and committee stage in the House of Commons. The aim is to close what the National Cyber Security Centre calls the widening gap between the threats we face and the defences in place to stop them.
Attacks on essential services are becoming more frequent and more damaging. The June 2024 attack on Synnovis, which disrupted NHS blood services, illustrated how dependent ‘everyday life’ is on secure digital services and technology. The Bill raises the baseline across the sectors that keep the lights on, the water running and the NHS working and now reaching out to organisations that were not regulated before.
Who Now Falls Within Scope
The Bill brings three new groups into scope: Datacentres, Managed Service Providers, and suppliers that regulators designate as ‘critical’. A managed service provider is a business that runs another organisation’s IT systems on an ongoing basis, whether that is support, monitoring or administration. If you host, manage or maintain technology for others, you may now have legal responsibilities which extend beyond internal systems to include suppliers and service providers.
Datacentres are treated as an essential service in their own right. Those above a set size are in scope, measured by the power feeding their IT equipment: 1 megawatt for a commercial data centre, or 10 megawatts for one a company runs purely for itself. Ofcom will act as their regulator. Together, these additions pull a large slice of the digital supply chain inside the regulated perimeter, so the question is no longer only whether you run an essential service, but whether you support one.
Why the Supply Chain Is the Real Story
The most significant change is that regulators can designate individual companies as critical suppliers, in any sector, where their failure could seriously disrupt an essential service. This pushes the law deep into supply chains that were previously untouched. Even if your business is never designated, you will likely feel it through your contracts, as larger customers pass requirements down.
This is familiar territory for anyone who supplies defence, where buyers have long expected proof of security before award of a contract. Our guide on what real supply chain assurance looks like for PRIMEs explains how that works. Commercial organisations are heading the same way, and the lesson is clear: sort your security before a customer asks, not once a contract depends on it.
New Duties When Incidents Happen
Reporting will happen in two stages. First, a quick initial alert to your regulator within 24 hours of becoming aware of a significant incident, with the National Cyber Security Centre told at the same time. Then a fuller report within 72 hours, once you know more. The change matters because attacks like ransomware will now be reportable even before they cause visible disruption, giving responders an earlier chance to act.
There is also a new duty to tell customers when an incident has likely affected them, so they can protect themselves. Regulators will gain stronger enforcement tools too, including financial penalties for those who fail to meet their duties. If you are unsure what counts as reportable, our guide on what security incidents organisations must report walks through it. Knowing the rules is one thing; being ready to meet them is another.
How to Get Ahead of the Change
The most practical first step is to certify against Cyber Essentials, the UK’s foundational information security standard. It covers the controls that stop the most common attacks and gives customers recognised proof that your security and resilience meets a baseline. Pera Prometheus is an approved certifying body for both Cyber Essentials and Cyber Essentials Plus, so we can tell you which level fits your business. If you are weighing up the two, our guide on Cyber Essentials versus Cyber Essentials Plus explains the difference.
Before you can truly protect your critical information you must know what it is. Can you answer this question right now:
“What information is vital to your business operations and what would be the effect upon your business if you lost access to said information?”
If you don’t immediately know the answer to the above question, or at least where to find the answer, then you need to act. Pera Prometheus has developed a Business Impact Analysis which is a short process that will answer this question for you.
How Pera Prometheus Can Help
The Bill will keep developing as it passes through Parliament, and we are following it closely so our clients do not have to. We work with commercial organisations and defence suppliers alike, helping them make sense of what these changes mean in practice and prepare at a sensible pace. If you think you may need help or guidance on it then we are here when you need us.
Frequently Asked Questions
Q: When does the Cyber Security and Resilience Bill become law?
A: It is still passing through Parliament after being introduced on 12 November 2025, so it is not yet law. Prepare now rather than wait for the final date.
Q: Does the Bill apply to small businesses?
A: Many small businesses are not directly regulated, but they can still be affected through contracts with larger customers who pass requirements down the chain.
Q: What is a critical supplier?
A: It is a company that regulators can formally designate because its failure could seriously disrupt an essential service, even in an ordinary commercial sector.
Q: What is the single best thing we can do to prepare?
A: Certify against Cyber Essentials. It addresses the most common attacks and gives customers recognised proof that your information security meets a baseline.
Stay Safe, Stay Secure.


