Cyber Security and Resilience Bill explained
by Aaron Flack on Jun 24, 2026

The Cyber Security and Resilience Bill cleared its third reading in the House of Commons on 10 June 2026 and received its first reading in the House of Lords on 17 June. It’s the most significant update to UK cyber security law since the Network and Information Systems (NIS) Regulations 2018, and its scope extends well beyond the critical national infrastructure sectors those regulations covered. Managed service providers, critical suppliers and data centre operators are now firmly in the frame.
What the Cyber Security and Resilience Bill actually changes
The NIS Regulations 2018 introduced mandatory security and incident reporting obligations for operators of essential services and certain digital service providers. The Bill extends that framework significantly. It brings a new category of organisation into scope, creates a mandatory ransomware reporting obligation that sits outside the existing NIS regime, and introduces a two-stage incident reporting requirement with tighter timelines.
The Bill also broadens the powers available to regulators and competent authorities, including the ability to designate specific suppliers as critical on the basis of their systemic importance, regardless of their size.
The UK government’s stated aim is to close the gap between the current threat environment and what the 2018 regulations were designed to address. The National Cyber Security Centre (NCSC) has described the Bill as closing the widening gap between the cyber threats the UK faces and the ability to defend against them. techUK has called it “a significant step forward in prioritising the security of our nation’s essential services,” though it has raised concerns about the extent to which key definitions and technical requirements have been left to secondary legislation.
Which organisations fall within the new scope
The Bill retains the existing categories: Operators of Essential Services (energy, transport, health, water, digital infrastructure, financial market infrastructure) and Relevant Digital Service Providers (online marketplaces, search engines, cloud computing).
It adds three new categories.
Data centre operators are brought in as a distinct regulated category. Designated Critical Suppliers is a new designation that allows the relevant Secretary of State to bring any supplier into scope if their systems, if compromised, could cause serious disruption to an Operator of Essential Services or a Relevant Digital Service Provider. Critically, a small or micro-enterprise excluded from direct obligations as a Relevant Managed Service Provider (RMSP) could still be designated as a critical supplier.
Relevant Managed Service Providers are the category most likely to affect organisations outside critical national infrastructure directly. An RMSP is defined as a provider of ongoing IT management services in the UK, where that service involves connecting to or accessing the network and information systems of customers in connection with a business activity. This covers IT outsourcing, remote IT support, managed applications, IT infrastructure management, and managed security services including Security Operations Centre (SOC) and Security Information and Event Management (SIEM) services.
The RMSP category targets medium and large MSPs. Micro and small enterprises are excluded from direct RMSP obligations, though precise size thresholds have not been fixed in the primary legislation and will be confirmed through secondary legislation following consultation. The government estimates approximately 900 to 1,100 MSPs will fall within scope.
What managed service providers must now do
RMSPs will be required to implement appropriate and proportionate technical and organisational security measures. The NCSC’s Cyber Assessment Framework (CAF) is set as the security baseline. Detailed technical requirements will follow in secondary legislation.
Beyond baseline security controls, RMSPs will be subject to the Bill’s incident reporting obligations and must identify and notify affected UK customers following a qualifying incident. The supply chain dimension is deliberate: an RMSP sits between its customers and their critical systems, which makes it a plausible entry point for a broader attack. The 2021 Kaseya incident demonstrated this risk at scale; the Bill’s extension to MSPs reflects how attack patterns have developed since the NIS Regulations were designed.
The 24-hour incident reporting rule and what it requires
The Bill introduces a two-stage reporting process.
Stage one requires an initial notification to the relevant competent authority (for RMSPs, this is the Information Commissioner’s Office), with the NCSC sighted, within 24 hours of becoming aware that an incident has occurred or is occurring. This is a notification of the incident’s existence, not a full technical account.
Stage two requires a detailed report within 72 hours.
Following the full report, data centre operators, Relevant Digital Service Providers and RMSPs must also identify and notify UK customers likely to be adversely affected.
Separately, the Bill introduces a mandatory ransomware reporting requirement. This operates as a distinct obligation from the NIS incident reporting regime.
Non-compliance carries serious financial consequences. The penalty structure has two bands. Band 1 covers the most serious breaches and carries fines of up to £17 million or 4% of worldwide annual turnover, whichever is higher. Band 2 breaches carry fines of up to £10 million or 2% of worldwide annual turnover, whichever is higher. Continuing contraventions attract daily fines of up to £100,000.
What regulated businesses should check now
Organisations that rely on third-party IT providers should treat this Bill as a prompt to review those supply chain relationships rather than wait for Royal Assent.
The questions worth asking now are straightforward. Does your MSP fall within the likely RMSP definition? Will your provider be subject to the CAF baseline? What incident notification processes will they need to have in place, and what does that mean for how quickly you’ll be informed of an incident affecting your systems? If your MSP is a small provider currently excluded from direct RMSP obligations, could it still be designated as a critical supplier given its role in your operations?
The Bill is in the House of Lords at first reading. All Lords stages remain ahead. Royal Assent is anticipated in 2026, with full implementation not expected until 2028. The government has committed to consulting on implementation proposals in 2026 and laying secondary legislation in tranches. Organisations have a window to prepare, but the framework is clear enough now to begin.
Where Cyber Essentials fits into the picture
The Bill establishes the NCSC’s Cyber Assessment Framework as the security baseline for RMSPs. The CAF is a more detailed framework, designed for operators of network and information systems at scale. Cyber Essentials addresses a different level of assurance.
That said, Cyber Essentials remains a widely recognised and Government-backed certification, and for organisations within the regulated sectors it provides a documented, externally verified baseline that can support broader compliance conversations. For organisations assessing their current posture ahead of the Bill’s full implementation, Cyber Essentials certification offers a clear and auditable starting point.
The Bill does not reference Cyber Essentials directly, but the two frameworks are not in conflict. Achieving Cyber Essentials does not satisfy CAF requirements, but it demonstrates a level of security hygiene that regulators and procurement functions across the UK public and regulated private sector treat as a minimum.
The Cyber Security and Resilience Bill’s significance lies as much in what it signals as in what it mandates. The extension to managed service providers acknowledges that the threat has evolved to exploit dependencies in the supply chain rather than targeting organisations directly. Critics have noted that companies such as Marks and Spencer and Jaguar Land Rover, both of which suffered significant cyber incidents in 2025, fall outside the Bill’s current scope. That observation does not reduce what the Bill achieves. It underlines that regulation addresses the boundaries it can define, not the full shape of the risk.
