Anacruses Associates Ltd
← Back to ISO InsightsISO 27001

The Cyber Security and Resilience Bill: What It Means for Your Business

2026-07-06

## A law that's about to catch a lot more businesses

If you run IT services for other companies, or you supply into a critical sector, there's a piece of legislation making its way through Parliament that deserves your attention now — not when it becomes law.

The Cyber Security and Resilience Bill is the most significant update to UK cyber security legislation since the Network and Information Systems (NIS) Regulations arrived in 2018. It doesn't replace those regulations; it expands and sharpens them. And critically, it widens who they apply to.

## Who's newly in scope

The original NIS Regulations covered a fairly narrow band of "operators of essential services" — energy, transport, health, drinking water, digital infrastructure, and a handful of digital services like cloud computing and online marketplaces.

The new Bill brings in several groups that weren't covered before:

  • **Managed service providers (MSPs)** — a new category called "Relevant Managed Service Providers" is created specifically to bring MSPs into scope
  • **Data centres** above a defined capacity threshold
  • **Large-scale electricity load controllers** managing significant electrical load
  • **"Critical suppliers"** — any organisation whose disruption could seriously affect an essential or digital service, even if that organisation wouldn't otherwise qualify

If your business provides outsourced IT, cloud services, or sits in the supply chain of a regulated organisation, this Bill is very likely written with you in mind.

## What actually changes

Three things stand out for businesses that fall into scope:

Faster incident reporting. Where the current regime is relatively loose, the Bill introduces a 24-hour early warning requirement, followed by a full report within 72 hours. In some circumstances, affected customers must be notified directly.

Tougher penalties. A two-tier penalty structure is proposed: up to £10 million or 2% of global turnover for standard breaches, rising to £17 million or 4% of global turnover for the most serious. Regulators also gain powers to impose daily fines of up to £100,000 for ongoing non-compliance.

Wider enforcement powers. Regulators get stronger investigatory powers and the ability to share information with EU counterparts under the equivalent NIS2 regime, reflecting a broader push toward cross-border cooperation on cyber threats.

## Where it stands right now

The Bill was introduced to Parliament in November 2025 and has moved through committee stage. Royal Assent is expected later in 2026, but most of the detailed requirements will be set out afterwards through secondary legislation, following further government consultation. In practice, that means a phased rollout — some reports suggest full implementation may not land until 2028.

That gap matters. It's the window in which businesses can prepare properly, rather than scrambling once the requirements are confirmed.

## Why this is good news if you're already ISO 27001 certified — and a warning if you're not

Here's the part that should reassure existing clients and prompt everyone else to act: the foundations the Bill expects you to have are the same foundations ISO 27001 already requires.

A certified Information Security Management System already gives you:

  • A documented risk assessment and treatment process
  • A tested incident response and reporting procedure
  • Ongoing monitoring, internal audit, and management review
  • Evidence you can hand to a regulator, a customer, or an auditor on request

None of that disappears once the Bill passes — if anything, it becomes more valuable, because it's the fastest route to demonstrating compliance rather than building a response function from scratch under pressure.

If you're not yet certified and you fall into one of the newly expanded categories — particularly if you're an MSP — this is a natural trigger point to start the conversation now, while there's still time to do it properly rather than reactively.

## Next steps

Whether you're already certified and want a gap check against the Bill's likely requirements, or you're assessing for the first time whether you'll be in scope, it's worth getting ahead of the detail before secondary legislation locks it in.

[Get in touch](/contact/) to talk through what this means for your business.

Frequently asked questions

What is the Cyber Security and Resilience Bill?

It's UK legislation that reforms and expands the Network and Information Systems (NIS) Regulations 2018. It widens the range of organisations covered, tightens incident reporting timescales, and increases enforcement powers and penalties for regulators.

When will the Cyber Security and Resilience Bill become law?

The Bill is progressing through Parliament, with Royal Assent expected later in 2026. Most operational requirements will follow through secondary legislation, so full implementation is likely to be phased in gradually, potentially through to 2028.

Does the Cyber Security and Resilience Bill apply to managed service providers?

Yes. The Bill introduces a new category of regulated entity, the Relevant Managed Service Provider, bringing MSPs into scope for the first time alongside data centres, large-scale electricity load controllers, and organisations designated as critical suppliers.

How does ISO 27001 help with compliance?

ISO 27001 certification requires a documented risk management system, an incident response process, and evidence of ongoing monitoring and review. These are the same building blocks the Bill expects organisations to have in place, so a certified ISMS gives you a head start rather than a standing start.

Ready to talk about your business?

Book a free, no-obligation call. We will tell you exactly what certification would involve for your size, sector, and starting point.