Key figures: CSRB introduced 12 Nov 2025. £14.7bn annual cost to UK economy. 900-1,100 MSPs in scope. 24hr incident report window. NCSC CAF legal benchmark. 4% turnover max penalty. £100k/day non-compliance. 50% rise in significant incidents.
Active legislation. Source: UK Parliament. Introduced: 12 Nov 2025. 10 min read.

The UK just rewrote the cyber rulebook for the first time in seven years. Here is what it means for your business.

The Cyber Security and Resilience Bill updates the laws that govern how UK businesses handle cyber risk. If you are an SME in a supply chain, using a managed IT provider, or delivering digital services, the ground beneath you has shifted. This is the plain-English version.

313SEC // Legislative intelligence briefing // May 2026
01 // Why this exists

The old rules were built for a quieter world.

The UK's current cyber security regulations, the NIS Regulations, landed in 2018. They were based on an EU directive that has since been replaced by a much tougher version called NIS2. Meanwhile, the UK has watched the NHS get hit via a managed service provider, the Ministry of Defence lose staff data through a contractor, and high street retailers get publicly dismantled by ransomware gangs. The government's position is simple: the old framework is no longer enough.

Annual cost to UK economy: £14.7bn (0.5% of national GDP, every year)
Average cost of a significant attack: [figure not captured] per business, per incident
Nationally significant incidents: 204 in the 12 months to Sep 2025, up 50%
Highly significant incidents: [figure not captured], an average of 4 major attacks per week

As a nation, we must act at pace to improve our digital defences and resilience, and the Cyber Security and Resilience Bill represents a crucial step in better protecting our most critical services.

Richard Horne, CEO, National Cyber Security Centre
02 // How we got here

Seven years of catching up, in one legislative sprint.

2018: NIS Regulations land in the UK
Based on the EU's NIS Directive. Covers operators of essential services and some digital service providers.

2020-2022: Post-implementation reviews flag gaps
Government reviews acknowledge the framework is outdated, lacks flexibility, and doesn't cover managed service providers or supply chains properly.

Jan 2023: EU activates NIS2 Directive
Stricter baselines, more sectors, tougher penalties, mandatory incident reporting. The UK, post-Brexit, is now behind.

2024: NHS Synnovis attack + MoD breach
A ransomware attack on NHS blood-testing supplier Synnovis disrupts London hospitals for months. A state-sponsored breach exposes MoD payroll data via a contractor.

Jul 2024: King's Speech announces the Bill
The new Labour government commits to a Cyber Security and Resilience Bill. The clock starts.

Oct 2025: NCSC Annual Review: 204 significant incidents
The NCSC reports a record year. The government writes to all FTSE 350 CEOs urging action.

12 Nov 2025: Bill introduced to Parliament
The Cyber Security and Resilience (Network and Information Systems) Bill formally enters Parliament.
03 // Who is in scope

The net just got wider. Significantly.

The original NIS Regulations covered a fairly narrow set of essential service operators and digital service providers. The Bill expands that in three directions: new types of organisation, critical suppliers who serve those organisations, and a flexible mechanism for the government to add more sectors later.

Managed Service Providers (new in scope)
900 to 1,100 MSPs brought under regulation for the first time. IT management, help desk, and security providers now have statutory obligations.

Data Centre Operators (new in scope)
Colocation (1MW+) and enterprise (10MW+) now regulated. Must report incidents and notify affected customers.

Smart Energy Controllers (new in scope)
Entities managing electricity to smart appliances (EV charging, heating) with 300MW+ aggregate control.

Critical Suppliers (new in scope)
Regulators can label specific suppliers as "critical" if disruption would significantly impact essential services. Even an SME can be designated.

Health, Water, Energy, Transport (expanded)
Already in scope. Now subject to stronger requirements, tighter reporting, and enhanced regulator powers.

Digital Service Providers (expanded)
Online marketplaces, search engines, cloud services. Now must align with the NCSC Cyber Assessment Framework.
04 // What actually changes

Eight shifts that matter.

The Bill introduces changes that, taken together, represent the biggest overhaul of UK cyber regulation since the framework was created. All of them will filter down to how businesses operate, contract, and plan for incidents.

Supply chain: Mandatory supply chain risk management

New duties will require operators of essential services to actively assess and manage cyber risk across their supply chains. This means reviewing suppliers, updating contract terms, and building security requirements into procurement. If you supply a regulated entity, expect questionnaires and audit requests. If you are a regulated entity, expect to need a documented process for vetting and monitoring suppliers.

Standards: NCSC CAF becomes legally binding

In-scope organisations must meet requirements drawn from the NCSC Cyber Assessment Framework (CAF). This covers governance, risk management, asset management, supply chain, security architecture, vulnerability management, identity and access, data security, logging and monitoring, and incident response. If your security currently amounts to "we have antivirus and a firewall", the CAF is a significant step up.

Reporting: 24-hour initial incident notification

A two-stage structure: initial notification to the regulator and the NCSC within 24 hours of discovery, followed by a full detailed report within 72 hours. "Near miss" incidents that could have caused significant impact also need reporting. Data centre operators and digital service providers must notify affected customers. If you don't currently have an incident response plan, building one is now directly connected to legal compliance.

Penalties: Turnover-based fines for serious breaches

For serious breaches: up to £17 million or 4% of annual global turnover, whichever is greater. For less severe violations: up to £10 million or 2% of turnover. Daily fines of up to £100,000 for continuing non-compliance. These numbers bring the UK in line with EU NIS2 penalties.

Regulators: Enhanced ICO and regulator powers

The ICO and other regulators will be given stronger powers to proactively investigate vulnerabilities, designate critical suppliers, and take enforcement action. They can also recover costs through a new fee regime. The regulator is no longer just waiting for you to report a breach; they are now empowered to come looking.

MSPs: Managed service providers regulated

MSPs will be regulated by statutory obligations, not just customer contracts. They must meet defined security standards, monitor their environments, and report incidents promptly to both customers and authorities. The IT provider you rely on is now legally accountable for their own security posture. If their security is weak and they get breached, the regulatory and operational consequences flow through to you.

Flexibility: Government can expand scope via secondary legislation

The Secretary of State can bring new sectors into scope, update requirements, and issue statutory Codes of Practice through secondary legislation without a full new Act. The framework is designed to grow. If you are "just outside" scope today, that gap may close without much warning.

National security: Emergency direction powers

During national security incidents, the Secretary of State can mandate specific security actions from in-scope organisations without going through normal regulatory process. An emergency lever for coordinated national response.
05 // The reporting clock

When something goes wrong, you now have hours, not weeks.

The Bill introduces a two-stage incident reporting requirement. The clock starts when you discover a significant incident. If your current process is "ring Dave from IT and hope for the best", this is the part that needs to change first.

T+0: Discovered
Breach alert, unusual behaviour, staff report, or third-party notification.

24 hrs: Initial notification
Notify the regulator and the NCSC with basic details.

72 hrs: Full report
Scope, root cause, impact, containment, remediation, customer notification.

Prompt: Customer notification
MSPs, data centres, and DSPs must notify affected customers.

                         NIS 2018 (old)               CSRB (new)
Initial report           72 hours (often longer)      24 hours from discovery
Full report              No fixed requirement         72 hours from discovery
Near misses              Not covered                  Reportable if significant
Customer notification    Not mandatory                Required for MSPs, data centres, DSPs
Regulatory approach      Reactive, complaint-driven   Proactive, investigation-powered
06 // What non-compliance costs

The fines are now proportional to the business.

The new model ties penalties to turnover. For SMEs that fall into scope, either directly or as designated critical suppliers, these numbers are worth understanding.

Serious breach (max): £17m, or 4% of global turnover
Less severe violation: £10m, or 2% of global turnover
Continuing non-compliance: £100k per day until resolved

What-if // Penalty projection for a turnover of £2,000,000
4% penalty (serious): £80,000, or £17m if higher
2% penalty (less severe): £40,000, or £10m if higher
30 days of continuing non-compliance: £3,000,000 at £100,000 per day
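To make the two-stage reporting clock in section 05 and the penalty arithmetic in section 06 concrete, here is an added worked example that is not part of the original briefing and not code from 313SEC. It takes a discovery timestamp, computes the 24-hour and 72-hour deadlines, reports per stage whether you are still inside the window, flags customer notification for the entity types the page names, and projects the turnover-based caps and daily fine. The entity-type labels ("msp", "data_centre", "dsp"), the stage names and the status logic are assumptions made for this example; the figures are the ones stated on the page.

```python
"""Reporting-clock and penalty-exposure helper for the CSRB two-stage
incident reporting structure (24h initial notification, 72h full
report, customer notification for MSPs, data centres and DSPs) and the
turnover-based penalty caps described above.

Added illustration, not code from the Bill or from 313SEC. Entity-type
labels, stage names and the overdue logic are assumptions for this
example; the windows and penalty figures are those quoted on the page.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Both windows run from the moment of discovery, not from containment.
INITIAL_WINDOW = timedelta(hours=24)
FULL_WINDOW = timedelta(hours=72)

# Entity types the page says must also notify affected customers (assumed labels).
CUSTOMER_NOTIFY_TYPES = frozenset({"msp", "data_centre", "dsp"})

# Penalty figures from the page: "whichever is greater" of a fixed sum and a
# share of annual global turnover, plus a daily fine for continuing non-compliance.
SERIOUS_FIXED_GBP = 17_000_000
SERIOUS_TURNOVER_RATE = 0.04
LESS_SEVERE_FIXED_GBP = 10_000_000
LESS_SEVERE_TURNOVER_RATE = 0.02
DAILY_NONCOMPLIANCE_GBP = 100_000


@dataclass(frozen=True)
class ReportingDeadlines:
    discovered_at: datetime
    initial_due: datetime
    full_due: datetime
    customer_notification_required: bool


def parse_timestamp(value: str) -> datetime:
    """Parse an ISO 8601 timestamp that carries an offset ('Z' or '+01:00').

    A timestamp without an offset is rejected: a clock that starts at 2am on a
    Saturday must be anchored to an unambiguous instant, or the deadline
    shifts by an hour at the clock change or when a report is filed abroad.
    """
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if ts.tzinfo is None or ts.utcoffset() is None:
        raise ValueError("timestamp must carry a UTC offset")
    return ts


def reporting_deadlines(discovered_at: datetime, entity_type: str) -> ReportingDeadlines:
    """Compute both statutory deadlines from the discovery timestamp."""
    if discovered_at.tzinfo is None or discovered_at.utcoffset() is None:
        raise ValueError("discovered_at must be timezone-aware")
    return ReportingDeadlines(
        discovered_at=discovered_at,
        initial_due=discovered_at + INITIAL_WINDOW,
        full_due=discovered_at + FULL_WINDOW,
        customer_notification_required=entity_type.lower() in CUSTOMER_NOTIFY_TYPES,
    )


def reporting_status(deadlines: ReportingDeadlines, now: datetime,
                     initial_sent: bool = False, full_sent: bool = False) -> dict:
    """Per stage, return ('sent' | 'due' | 'overdue', time remaining or elapsed).

    The stages are tracked independently: filing the initial notification
    does not pause the 72-hour clock on the full report.
    """
    def stage(due: datetime, sent: bool) -> tuple:
        if sent:
            return ("sent", timedelta(0))
        remaining = due - now
        return ("due", remaining) if remaining >= timedelta(0) else ("overdue", -remaining)

    return {
        "initial_notification": stage(deadlines.initial_due, initial_sent),
        "full_report": stage(deadlines.full_due, full_sent),
    }


def penalty_ceiling_gbp(annual_turnover_gbp: float, serious: bool) -> int:
    """Statutory maximum: the greater of the fixed sum and the turnover share."""
    fixed, rate = ((SERIOUS_FIXED_GBP, SERIOUS_TURNOVER_RATE) if serious
                   else (LESS_SEVERE_FIXED_GBP, LESS_SEVERE_TURNOVER_RATE))
    return int(max(fixed, annual_turnover_gbp * rate))


def continuing_noncompliance_gbp(days: int) -> int:
    """Daily fine accumulated over a run of continuing non-compliance."""
    if days < 0:
        raise ValueError("days must be non-negative")
    return days * DAILY_NONCOMPLIANCE_GBP


def penalty_projection(annual_turnover_gbp: float, noncompliance_days: int) -> dict:
    """Reproduce the page's what-if panel: turnover shares plus the statutory ceilings."""
    return {
        "turnover_share_serious": int(annual_turnover_gbp * SERIOUS_TURNOVER_RATE),
        "turnover_share_less_severe": int(annual_turnover_gbp * LESS_SEVERE_TURNOVER_RATE),
        "ceiling_serious": penalty_ceiling_gbp(annual_turnover_gbp, serious=True),
        "ceiling_less_severe": penalty_ceiling_gbp(annual_turnover_gbp, serious=False),
        "continuing": continuing_noncompliance_gbp(noncompliance_days),
    }


if __name__ == "__main__":
    # Constructed sample: an MSP discovers an incident at 02:00 UTC on a Saturday.
    dl = reporting_deadlines(parse_timestamp("2025-11-15T02:00:00Z"), "msp")
    print(reporting_status(dl, datetime(2025, 11, 16, 8, tzinfo=timezone.utc)))
    print(penalty_projection(2_000_000, 30))
```

Run it as a script to see the constructed MSP scenario; in a real runbook the discovery time would come from the ticket that opened the incident, and `reporting_status` would be polled by whoever owns the regulator contact so an overdue initial notification is visible before the 24 hours are gone.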
07 // What does this mean for you

Pick your situation. See what changes.


08 // Your IT provider just got regulated

The MSP you rely on now has legal obligations. Are they ready?

Managed service providers are now regulated for the first time. They have to meet security standards, report incidents, and be accountable to regulators, not just to you. These are the questions worth asking.

Has incident response plan: 35%
Can report within 24hrs: 22%
Reviews own supply chain: 15%
Has Cyber Essentials cert: 28%
Monitors 24/7: 40%
Tested backup restore recently: 18%

Estimated UK MSP readiness // Based on DSIT breaches survey + industry benchmarks

09 // Readiness gauge

Tick what you actually have. The ring does not judge.

Ten items drawn from the Bill's requirements and the NCSC CAF. No data leaves this page.

Incident response plan exists and has been tested

Who calls whom, what gets disconnected, how you communicate if email is down.

Can report an incident within 24 hours

Do you know who the relevant regulator is? Could you do this at 2am on a Saturday?

MFA on email, admin accounts, and finance systems

Authenticator apps minimum, hardware keys if possible.

Critical suppliers reviewed for security posture

Especially anyone with access to your systems, data, or payments.

Internet-facing systems patched within 14 days

Firewalls, VPNs, servers, remote access tools.

Backups tested and isolated from main network

A backup on the same network with the same admin credentials won't survive ransomware.

Board or senior leadership owns cyber risk

If cyber only lives in IT, it doesn't have the authority to drive change.

Security events are monitored and acted on

An unmonitored alert is the same as no alert.

Cyber Essentials certification (current)

Increasingly expected in procurement, by insurers, and by regulated supply chains.

Staff have a phishing reporting route

A dedicated button or shared mailbox. Quick, blame-free, and actually monitored.

10 // What to do this quarter

Six moves, in order of return on effort.

Write a one-page incident response plan and test it.

The 24-hour reporting window means you need to know who does what before the pressure arrives. Get the plan on paper, run a tabletop, find the gaps.

Ask your MSP three hard questions.

Do they have their own IR plan? Can they report to you within 24 hours? Do they hold Cyber Essentials? If any answer is unclear, you know where your risk lives.

Get Cyber Essentials certified.

The NCSC CAF is the legal benchmark. Cyber Essentials is the stepping stone. Low cost, high signal to regulators and supply chains.

Review one critical supplier.

Only 15% of UK businesses review immediate suppliers. Start with the most critical one. Ask for evidence. Then do the next one.

Put MFA everywhere it can go.

Email, cloud storage, admin accounts, VPN, finance platforms, backup systems. This single control blocks the majority of credential-based attacks.

Make cyber a board-level conversation.

The Bill expects governance and accountability at senior level. Put it on the quarterly agenda. Assign ownership. Track progress.

Want to know where you actually stand?

313SEC can review your incident response readiness, supply chain exposure, MSP security posture, and alignment with the NCSC Cyber Assessment Framework. No sales script. Just a real conversation about whether you are ready for what the Bill will require.


Cybersecurity is a shared responsibility and a foundation for prosperity. We urge all organisations, no matter how big or small, to act with the urgency that the risk requires.

NCSC guidance, October 2025