Legislative Changes

What's Changing Under CSRB?

The UK's new Cyber Security and Resilience Bill (introduced November 2025) is the biggest update to cyber legislation in over a decade. It expands who needs to comply, introduces stricter incident reporting rules, and gives regulators stronger enforcement powers. This guide explains 11 major changes and what they mean for your organisation - in plain English.

Get Compliance SupportGet Support

Need Help Navigating These Changes?

Our cybersecurity compliance experts can help you understand how these changes impact your organisation and develop a roadmap for compliance.

Book a Compliance ConsultationBook Consultation Take the Readiness AssessmentTake Assessment

Join Our Mailing List

What's Changing Under CSRB?

More Organisations Now Regulated

Faster Incident Reporting Required

New Codes of Practice & Strategic Priorities

Supply Chain Security Requirements

Stronger Inspection & Enforcement Powers

National Security Emergency Powers

Rules Can Change Quickly

More Information Sharing Between Authorities

You Must Notify Customers of Incidents

You May Pay Regulatory Fees

When Rules Start & How to Appeal

Need Help Navigating These Changes?

Join Our Mailing List

What's Changing Under CSRB?

More Organisations Now RegulatedCSRB brings many previously unregulated organisations into scope, including MSPs, data centres, and load controllers.

More Organisations Now Regulated

Faster Incident Reporting RequiredYou must report cyber incidents within 24 hours and notify customers. The definition of what counts as an 'incident' has also been expanded.

Faster Incident Reporting Required

New Codes of Practice & Strategic PrioritiesThe government can issue Codes of Practice and set Strategic Priorities that guide how regulators enforce the rules.

New Codes of Practice & Strategic Priorities

Supply Chain Security RequirementsSuppliers to regulated organisations can be designated as 'critical suppliers' and face the same regulatory duties, even if you're a small business.

Supply Chain Security Requirements

Stronger Inspection & Enforcement PowersRegulators can now inspect your premises, test your systems, and require information on demand. Penalties have also increased significantly.

Stronger Inspection & Enforcement Powers

National Security Emergency PowersIn national security emergencies, the government can issue directions requiring immediate action. These can override other regulatory requirements.

National Security Emergency Powers

Rules Can Change QuicklyThe government can update requirements through new regulations and codes without waiting for Parliament, so you need to stay informed.

Rules Can Change Quickly

More Information Sharing Between AuthoritiesRegulators can share your information with GCHQ, law enforcement, and overseas authorities for national security and enforcement purposes.

More Information Sharing Between Authorities

You Must Notify Customers of IncidentsAfter reporting an incident to regulators, you must also notify affected customers as soon as reasonably practicable.

You Must Notify Customers of Incidents

You May Pay Regulatory FeesRegulators can charge periodic fees and recover costs of inspections and enforcement actions from regulated organisations.

You May Pay Regulatory Fees

When Rules Start & How to AppealDifferent parts of the Bill come into force at different times. You can appeal enforcement decisions, penalties, and critical supplier designations.

When Rules Start & How to Appeal

Need Help Navigating These Changes?