The UK Cyber Security and Resilience Bill: A Global Organisation's Guide
The United Kingdom is fundamentally rewriting its rules on cyber security. For global organisations with any footprint in the UK—from critical infrastructure to digital services and their suppliers—the landscape of risk and compliance is about to change dramatically.
The proposed Cyber Security and Resilience Bill (CSRB), announced in 2024 and expected to be introduced to Parliament in 2025, represents the most significant update to UK cyber law since 2018. It moves cyber security from an IT "best practice" to a non-negotiable, board-level legal obligation.
This Bill builds on the foundations of the Network and Information Systems (NIS) Regulations 2018, which first applied security duties to operators of essential services (OES) and relevant digital service providers (RDSPs).
However, high-profile attacks on critical services and their supply chains have proven that the original NIS framework is no longer sufficient. The CSRB is the UK's answer to a new era of systemic cyber threats.
Expert Insight from Formiti Data International:
"The Cyber Security and Resilience Bill is a clear signal from the UK government that digital infrastructure is now as critical as physical infrastructure. The most profound change is its focus on the supply chain. Previously unregulated 'managed service providers' and even small 'critical suppliers' will be pulled into scope. For global companies, understanding your UK supply chain and service dependencies is no longer just good governance—it's a core legal and commercial imperative."
The Three Pillars of the New Framework
The government's policy is built on three key objectives. Understanding them is key to understanding the Bill's impact.
- Expanding the Scope: The single biggest change. The new rules will capture a much wider range of essential digital services and, crucially, their third-party suppliers.
- Enhancing Resilience: The Bill will replace vague requirements with clearer, more robust, and legally enforceable security standards, empowering organisations to build stronger defences.
- Empowering Regulators: Regulators, such as the Information Commissioner's Office (ICO), will be given new, flexible powers and "sharper teeth" to investigate, enforce, and adapt to new threats quickly.
What to Expect: Key Changes for Your Business
While the final text is subject to parliamentary approval, the government's policy statements provide a clear roadmap. Here are the most significant changes global organisations must prepare for.
1. A Radically Expanded Scope: Are You In?
Your organisation may soon be "in scope" even if it wasn't before. The CSRB expands regulation to two major new categories:
- Managed Service Providers (MSPs): Any business providing IT support, managed security, infrastructure management, or IT outsourcing will likely be brought into scope as a "Relevant Digital Service Provider." Because MSPs often have privileged access to many clients, they are seen as a high-value target and a systemic risk.
- Data Centres: For the first time, data centres will be formally classified as essential services, subject to new resilience and security obligations.
- "Designated Critical Suppliers" (DCS): This is a game-changer. Regulators will gain the power to "designate" any supplier, regardless of its size or sector, as critical. If your service or product is deemed essential to the operation of a critical service (like a hospital or energy grid), your firm could be designated and subject to the full weight of the regulations.
2. New Reporting Rules: The 24/72-Hour Mandate
Incident reporting is set to become much stricter, mirroring frameworks like the EU's NIS2 Directive.
- New Definition: You will be required to report incidents that are "capable of having a significant impact," not just those that have already caused disruption.
- Two-Stage Reporting: A new two-stage clock is expected:
  - 24-Hour "Early Warning": An initial notification to the relevant regulator (e.g., the ICO) and the National Cyber Security Centre (NCSC) within 24 hours of becoming aware of an incident.
  - 72-Hour Detailed Report: A more comprehensive incident report must follow within 72 hours.
- Customer Notification: The Bill is expected to introduce a new legal duty to inform your customers if they are affected by a significant incident.
3. From Best Practice to Legal Duty: Stricter Standards
The days of "best-efforts" compliance are over. The CSRB will provide a stronger legal basis for specific security standards.
- The NCSC Cyber Assessment Framework (CAF): This framework, which is already used as guidance, is expected to become the new benchmark for compliance. It provides a detailed, evidence-based model for assessing risk and resilience. Organisations will need to be able to demonstrate their adherence to its principles.
- Board-Level Governance: The Bill, supported by the new Cyber Governance Code of Practice, firmly places responsibility in the boardroom. Cyber risk must be treated with the same seriousness as financial or operational risk. Regulators will expect to see clear lines of accountability extending to senior leadership.
4. A New Supply Chain Doctrine: You Are Responsible
This is the central theme of the Bill. The UK's resilience is seen as a collective effort, and operators of essential services will be held accountable for the security of their entire ecosystem.
- New Duties: OESs and RDSPs will have new, explicit legal duties to manage their supply chain risk.
- Supplier Audits: You will need to conduct due diligence on your suppliers, review contracts and Service Level Agreements (SLAs) to ensure they meet your new legal obligations, and have the right to audit their compliance.
- The "Designated Critical Supplier" (DCS) Power: This power allows regulators to bypass the operator and directly regulate a critical supplier, holding them to the same standards.
CSRB vs. EU NIS2: A Quick Comparison
For global companies, navigating the patchwork of international regulations is a key challenge.

The Bottom Line: While not identical, the CSRB and NIS2 share the same DNA. Both prioritise supply chain security, mandate fast incident reporting, and introduce severe penalties. If you operate in both the UK and the EU, you must prepare for two similar but distinct compliance regimes.
❓ Q&A for Global Leaders
Q: We are a US-based MSP with UK clients. Does the CSRB affect us?
A: Almost certainly, yes. If you provide managed IT or security services to UK clients (especially those in essential sectors), you will likely be regulated directly as a "Relevant Digital Service Provider" (RDSP) by the ICO. You will need a UK representative and will be subject to the Bill's reporting and security duties.
Q: What are the penalties for non-compliance?
A: The penalties are expected to be severe, aligning with the UK's other major regulations like GDPR. The current NIS regime's maximum fine is £17 million. This is expected to be maintained or enhanced, with potential for fines based on a percentage of global annual turnover (e.g., 4%).
Q: How is this different from GDPR?
A: GDPR (General Data Protection Regulation) protects personal data. The CSRB protects the network and information systems that underpin essential services. While a single incident (such as a ransomware attack) might trigger both laws, their focus is different: the CSRB is about the resilience and security of services, while GDPR is about the privacy and confidentiality of personal data.
Q: When will this happen?
A: The Bill is expected to be introduced to Parliament in 2025. It will then go through the legislative process, with a likely implementation and "go-live" date in 2026 or 2027. The time to prepare is now.
How to Prepare: A 5-Step Action Plan from Formiti
Waiting for the Bill to become law is a high-risk strategy. The principles are clear, and regulators will expect organisations to have started preparing.
1. Map Your Exposure:
   - Determine if you are (or will be) an OES, RDSP, MSP, or Data Centre under the new rules.
   - Crucially, identify if you are a "critical supplier" to any in-scope UK clients. This is your biggest potential blind spot.
2. Audit Your Supply Chain (Now):
   - Begin a comprehensive review of your entire digital supply chain.
   - Identify your "crown jewel" suppliers—those whose failure would halt your operations.
   - Review all supplier contracts and SLAs. Do they include clauses for 24-hour incident notification, right-to-audit, and compliance with NCSC standards?
3. War-Game Your Incident Response:
   - Update your incident response (IR) plans immediately to meet the 24/72-hour reporting timeline.
   - Run tabletop exercises. Can your team detect, triage, escalate, and report an incident to leadership and regulators within 24 hours?
4. Elevate Governance to the Boardroom:
   - Use the NCSC's Cyber Governance Code of Practice to brief your board and senior leadership.
   - Establish clear, top-down accountability for cyber resilience. This is no longer just the CISO's or IT Director's problem.
5. Benchmark Against the Cyber Assessment Framework (CAF):
   - Start mapping your existing security controls (e.g., ISO 27001, NIST) against the NCSC's CAF.
   - This "gap analysis" will show you exactly where you need to invest to meet the new, more robust legal standard.
Your Partner in a New Regulatory Era
The Cyber Security and Resilience Bill is a complex but necessary evolution in UK law. It demands a proactive, holistic, and governance-led approach to cyber risk.
At Formiti Data International, our team of global data privacy and cyber security experts specialises in helping multinational organisations navigate complex regulatory landscapes. We can help you understand your new obligations under the CSRB, assess your supply chain risk, and build the robust, evidence-based resilience framework that the law will demand.
Managing Compliance with Privacy360
For organisations seeking to operationalise and manage these new obligations, Formiti's Privacy360 platform provides a central command centre. While born from data privacy, its capabilities are essential for the resilience and governance mandates of the CSRB:
- Supply Chain & Vendor Management: The CSRB is built on supply chain accountability. Privacy360 allows you to digitally manage your entire vendor ecosystem, from initial due diligence and risk assessments to ongoing contract and audit management, creating a single source of truth for your critical suppliers.
- Evidence & Audit Management: The Bill requires you to demonstrate compliance with standards like the CAF. Privacy360 provides the auditable, evidence-based records to prove your resilience measures are in place and effective, streamlining regulator (e.g., ICO) and internal audits.
- Incident Response Orchestration: The platform's incident and breach management workflows are critical for meeting the new 24/72-hour reporting deadlines. It ensures your response is consistent, trackable, and logged from detection to resolution.
- Asset & Risk Registers: A core principle of resilience is knowing what you need to protect. Privacy360's asset registers and risk-mapping tools help you identify your critical systems, data, and suppliers, allowing you to prioritise your security investments effectively.
Are you prepared for the UK's new cyber reality? Contact Formiti Data International today for an expert consultation on how the Cyber Security and Resilience Bill will impact your global operations.
