What is the Cyber Security and Resilience Bill?
Understanding the UK's most comprehensive cyber security legislation update in over a decade and its impact on your organisation.
The Cyber Security and Resilience Bill (CSRB) marks the UK's most comprehensive update to cyber legislation in over a decade. Set to come into force in 2025, CSRB significantly expands the scope of existing NIS regulations to include managed service providers, cloud platforms, and data centres - sectors that underpin the UK's digital economy.
Organisations delivering essential or digital services will be expected to proactively manage cyber risk, including throughout their supply chains. Failing to comply may result in financial penalties, operational disruption, and reputational harm.
- Expanded Scope: Includes MSPs, cloud providers, and digital supply chains
- Cyber Assessment Framework: Mandatory CAF alignment for regulated entities
- Incident Reporting: 24-hour notification and 72-hour detailed reports
- Supply Chain Security: Extended responsibility for third-party risks
- Enforcement: New powers for regulators with meaningful penalties
- Regulatory Oversight: Enhanced supervision and compliance monitoring
Why is CSRB Being Introduced?
Digital Dependency & Rising Threats
The UK's digital economy has grown exponentially, but so has our vulnerability to cyber attacks. Recent high-profile incidents targeting critical infrastructure have exposed gaps in our current regulatory framework.
CSRB addresses these challenges by extending regulatory oversight to previously unregulated sectors and strengthening requirements for existing ones.
Key Drivers for CSRB
- Increasing sophistication of cyber threats
- Growth in critical digital services and dependencies
- Regulatory gaps in current NIS legislation
- Need for stronger supply chain security
Who Does CSRB Apply To?
CSRB significantly expands the scope of cybersecurity regulation beyond traditional critical infrastructure to include digital service providers and supply chain partners.
Key Changes
CSRB introduces several major reforms to the UK's cybersecurity landscape. Here's what you need to know:
Bringing More Organisations Into the Frame
The Bill significantly expands who must comply with cyber regulations by bringing Managed Service Providers (MSPs) and other digital support firms into scope. These companies often have deep access into client systems, making them prime targets for attackers - and vital links in protecting the UK's digital backbone. Previously outside of regulatory reach, these providers will now be treated as Relevant Digital Service Providers, subject to security standards and oversight from the Information Commissioner's Office (ICO). With an estimated 900–1,100 MSPs now covered, the legislation closes a major gap in the UK's cyber defence chain.