Recognising the escalating risk of digital threats, the UK government has introduced the Cyber Security and Resilience Bill (April 2025). This isn't just another minor update; it's a fundamental shift in how the UK approaches cyber resilience, expanding upon the 2018 NIS Regulations.
Key Updates in the Bill
1. Managed Service Providers (MSPs) Are Now In Scope
Previously, many MSPs operated outside direct cyber regulation. Now, providers offering ongoing IT management or support fall under the regulatory umbrella: they must implement robust security measures and meet incident reporting duties.
2. Sharper Focus on Supply Chain Security
The Bill empowers regulators to designate specific high-impact suppliers as 'Designated Critical Suppliers' (DCS). Businesses already regulated will face stricter requirements to manage cyber risks within their own supply chains.
3. Faster, Broader Incident Reporting
A strict two-stage timeline applies: an initial notification to the regulator within 24 hours of awareness, followed by a detailed report within 72 hours.
The Impact on Business
| Violation | Potential Fine |
|---|---|
| Failure to implement security | Up to £17 million or 4% of global turnover. |
| Late incident reporting | Up to £8.5 million or 2% of global turnover. |
How to Prepare
- Know Your Status: Determine if you fall into scope as an MSP or potential DCS.
- Assess Third-Party Risk: Talk to your current MSP about their readiness.
- Review Incident Response: Update your plan to meet the 24/72 hour reporting deadlines.