UK Cyber Security Legislation

What is the Cyber Security and Resilience Bill?

The UK's biggest update to cyber security legislation in over a decade. Learn what it means, who it affects, and how to prepare your organisation.

The Cyber Security and Resilience (Network and Information Systems) Bill (Bill 329) was introduced to Parliament on 12th November 2025. This legislation marks the UK's most comprehensive update to cyber legislation in over a decade, significantly expanding the scope of the existing NIS Regulations 2018. The Bill is structured in 5 Parts with 61 sections and 2 Schedules, creating regulatory frameworks for managed service providers, cloud platforms, data centres, and critical suppliers.

Part 2 amends the NIS Regulations to bring new entities into scope. Part 3 grants the Secretary of State powers to set strategic priorities and make regulations. Part 4 introduces national security directions. Organisations delivering essential or digital services must proactively manage cyber risk throughout their supply chains. Failing to comply may result in financial penalties of up to £17,000,000 or 10% of global turnover (Section 21), plus daily penalties of up to £100,000 for continuing violations (Section 49).

Expanded Scope (Part 2)

Section 9: MSPs as RMSPs. Section 4: Data centres (1MW/10MW thresholds). Section 6: Load controllers (300MW+). Section 12: Critical suppliers.

Strategic Priorities (Part 3)

Section 25: Statement of Strategic Priorities. Section 36: Codes of Practice. Section 29: Regulations on security and resilience.

Incident Reporting (Section 15)

24-hour initial notification, 72-hour full report. Section 16: Customer notification required. Must copy CSIRT.

Supply Chain Security (Section 12)

Regulation 14H: Critical supplier designation. Section 30: Activity-critical supply requirements.

Enforcement (Part 2, Chapter 3)

Section 21: Penalties up to £17M or 10% turnover. Section 20: Information gathering. Schedule 1: Inspection powers.

National Security (Part 4)

Section 43: Directions to regulated persons. Section 49: Penalties up to £100K/day. Section 47: Inspection powers.

Why is CSRB Being Introduced?

Digital Dependency & Rising Threats

The UK's digital economy has grown exponentially, but so has our vulnerability to cyber attacks. Recent high-profile incidents targeting critical infrastructure have exposed gaps in our current regulatory framework.

CSRB addresses these challenges by extending regulatory oversight to previously unregulated sectors and strengthening requirements for existing ones.

  • £8.1bn: annual cost of cybercrime to UK businesses
  • 39% of UK businesses experienced cyber attacks in 2023

Key Drivers for CSRB

  • Increasing sophistication of cyber threats
  • Growth in critical digital services and dependencies
  • Regulatory gaps in current NIS legislation
  • Need for stronger supply chain security

Who Does CSRB Apply To?

Part 2, Chapter 1 of Bill 329 significantly expands the scope of cybersecurity regulation beyond traditional critical infrastructure. Section 9 brings MSPs into scope, Section 4 designates data centres, Section 6 covers load controllers, and Section 12 enables critical supplier designation.

Managed Service Providers

Section 9: RMSPs - ongoing IT management services. Must register within 3 months (Section 14).

Cloud Service Providers

Section 7: RDSPs providing cloud computing services. Excludes managed services.

Data Centres

Section 4: Essential services. Thresholds: 1MW (general) or 10MW (enterprise-only).

Public Services

Government departments and local authorities.

NHS Organizations

Healthcare trusts and affiliated entities.

Critical Suppliers

Section 12: Can be designated if failure impacts national infrastructure. Includes SMEs.

Bill Structure

Bill 329 is organized into 5 Parts with 61 sections and 2 Schedules, creating a comprehensive regulatory framework.

Part 1

Introduction

Sections 1-2: Definitions and overview of the Act

  • Section 1: Meaning of "NIS Regulations"
  • Section 2: Overview of Act structure

Part 2

The NIS Regulations

Sections 3-23: Amendments to NIS Regulations 2018

  • Chapter 1: Regulated persons (Sections 3-12)
  • Chapter 2: Information & reporting (Sections 13-16)
  • Chapter 3: Other amendments (Sections 17-23)

Part 3

Security & Resilience Functions

Sections 24-42: Secretary of State powers

  • Chapter 2: Strategic priorities (Sections 25-28)
  • Chapter 3: Regulations (Sections 29-35)
  • Chapter 4: Code of practice (Sections 36-39)

Part 4

National Security Directions

Sections 43-58: Emergency powers

  • Section 43: Directions to regulated persons
  • Section 49: Penalties up to £100K/day
  • Section 47: Inspection powers

Part 5

General

Sections 59-61: Extent, commencement, short title

  • Section 60: Phased commencement
  • Section 61: Short title - Act 2026

Schedules

Enforcement & Amendments

2 Schedules with detailed provisions

  • Schedule 1: Enforcement and appeals
  • Schedule 2: Minor and consequential amendments

Key Changes

CSRB introduces several major reforms to the UK's cybersecurity landscape. Here's what you need to know:

Bringing More Organisations Into the Frame

Part 2, Chapter 1 of the Bill significantly expands who must comply with cyber regulations. Section 9 brings Managed Service Providers (MSPs) into scope as 'Relevant Managed Service Providers' (RMSPs), subject to security duties under Section 10. Section 4 designates data centres as essential services with thresholds of 1MW (general) or 10MW (enterprise-only). Section 6 brings large load controllers (300MW+) into scope. Section 12 allows designation of critical suppliers. These changes close major gaps in the UK's cyber defence chain, bringing hundreds of previously unregulated entities under oversight.
