The Cyber Security and Resilience Bill (CSRB) will change how UK organisations report incidents, including ransomware.
The Bill doesn’t explicitly mandate ransomware reporting, but it does bring in broad incident reporting obligations which will, de facto, cover ransomware.
SECFORCE's Ransomware Readiness Assessment and Gold Teaming exercises help you stress test the reporting capabilities that the Cyber Security and Resilience Bill will require.
Under current legislation, organisations don’t need to report an incident such as ransomware until it has actually disrupted the service they provide.
The Cyber Security and Resilience Bill changes this. Once enacted, the CSRB will introduce mandatory reporting of significant incidents, ransomware included, extending to incidents that have not yet caused disruption but are likely to have a significant impact.
The reasoning is simple: modern economies depend on interconnected systems across sectors, so an attack on one organisation can quickly spread to many others. The Bill will move the UK from a reactive to a preventative model. By acting as an early warning system, mandatory reporting allows national authorities to coordinate a response and alert other organisations before a campaign can cause widespread harm.
This article breaks down what the new CSRB’s mandatory incident reporting rules will require, who they will apply to, and what your organisation can do to prepare before the new legislation comes into force.
Below, we also refer to the CSRB simply as "the Bill."
Current Ransomware Reporting Rules in the UK
Here’s a quick overview of the incident reporting rules that apply today (as of 2026) under the Network and Information Systems Regulations 2018 (the NIS Regulations), which the Bill amends.
Reporting only after disruption has occurred
Under current legislation, ransomware and other incidents only have to be reported once they’ve actually disrupted the provision of essential or digital services. Attackers who have already gained access and are capable of causing disruption, but who have not yet acted, are invisible to regulators.
Reporting within 72 hours
Right now, organisations must report ransomware (or another incident) to their regulator within 72 hours of becoming aware of it. The regulator then passes the report on to the National Cyber Security Centre (NCSC), so the NCSC’s ability to help with incident response is delayed by however long that hand-off takes.
Reporting without necessarily telling customers
Currently, the NIS rules do not require organisations to tell customers when they may have been affected by an incident such as ransomware (separate UK GDPR duties to notify individuals about high-risk personal data breaches still apply). This means that customers are unable to take their own actions to mitigate potential exposure, even when they are directly impacted.
New Ransomware Reporting Rules Under the Cyber Security and Resilience Bill
The new rules flip the above. They lower the threshold for what must be reported, shorten the timelines for reporting, and create an obligation to notify affected customers.
Reporting incidents that meet 3 broad criteria
The criteria are broadly similar across regulated entities, but exactly which incidents you will need to report depends on whether you are a Relevant Digital Service Provider (RDSP), a Relevant Managed Service Provider (RMSP), an Operator of Essential Services (OES), or a data centre operator.
If you are an RDSP, RMSP, or OES (excluding data centre operators)
Under the new Bill, you must report an incident if:
- It has affected or is affecting the operation or security of the network and information systems relied on to provide the relevant service.
- The impact is, or is likely to be, significant.
- The impact relates to the whole or part of the UK.
The Bill also lists specific factors that organisations need to take into account when assessing an incident’s significance, including the:
- Extent of any disruption to the provision of the essential service that has happened, is happening, or is likely to happen.
- Number of users affected, or likely to be affected.
- Duration of the incident.
- Geographical area the incident has affected, is affecting, or is likely to affect.
- Extent to which the confidentiality, authenticity, integrity or availability of data relating to users of the essential service has been, is being, or is likely to be compromised.
There is one additional important point for digital and managed service providers: They also need to consider whether the incident has affected, or could affect, users' network and information systems, as well as any broader impact on the economy or people's daily lives.
If you are a data centre operator
Under the new Bill, you must report an incident if it has, or could have, a significant impact on:
- The operation or security of the network or information systems used to deliver the data centre service in the UK.
- The continuity of the data centre service in the UK.
- All or part of the UK.
The government will use secondary legislation to define the factors that data centre operators should consider when assessing whether an incident has had, or could have, a significant impact.
Reporting incidents within 24 hours
Under the CSRB, you will need to send two notifications, an initial notification and a more detailed incident report, and each must go to your regulator and to the NCSC at the same time.
An initial notification within 24 hours of becoming aware of the incident
The initial notification, due within 24 hours of becoming aware that an incident is happening, needs to contain only minimal information: the entity’s name, the service affected by the incident, and brief details about the incident.
The idea behind the initial notification is to let the regulator and the NCSC know about the incident as soon as possible so that they can provide support at the earliest stage of the incident.
A more detailed incident report within 72 hours
The more detailed report, due within 72 hours of becoming aware of the incident, must include:
- The entity's name.
- The affected service.
- When the incident happened, and whether it’s ongoing.
- Information about the nature of the incident.
- Whether the incident was caused by a separate incident affecting another regulated entity.
- Information about the impact or potential impact from the incident.
- Any other information that might be helpful.
Organisations only have to report the information known to them at the time of each report.
Notifying affected customers
One of the most significant new obligations introduced by the Bill, and one that many organisations may not yet have taken into account in their incident response planning, is the requirement to notify customers.
Once RDSPs, RMSPs, or data centre operators have reported the incident in full, they must then take steps to work out whether any of their UK customers are likely to be adversely affected by it.
If so, they’ll need to let those customers know “as soon as reasonably practicable,” including details about the incident and why they think those customers may have been affected.
The current iteration of the Bill does not say exactly how affected customers should be notified. In practice, organisations tend to do this via email, portal notifications or in-account alerts, and formal written communication; public statements are generally reserved for widespread outages.
The important thing to note is that a good communication strategy should be defined before an incident occurs to ensure communications do not worsen the situation, increase legal or regulatory exposure, create confusion, or further damage customer trust.
In terms of what those notifications should contain, useful guidance can be borrowed from GDPR breach notification practice. Communications should be clear, actionable, and written in plain language rather than technical jargon and should cover, as a baseline, the following:
- What happened.
- What was affected (e.g., data, services, systems).
- Whether customers need to do anything.
- What the organisation is now doing to get to the bottom of and resolve the incident.
- Where customers can get additional updates or support.
This gives customers a chance to protect themselves, whether that's changing passwords, watching out for phishing attempts, or keeping an eye out for follow-on attacks on their accounts or systems.
What Happens After You Report?
Once you report an incident, you may receive support from regulators and the NCSC. Providing support as early as possible is one of the main reasons for the 24-hour reporting rule.
Regulators and the NCSC may also share the information you provide more widely, including potentially with other organisations that might be vulnerable to similar attacks and, in some cases, with the public.
The sharing is subject to strict limits, so as to protect the confidentiality and commercial interests of the affected organisations.
Information sharing works both ways. Your organisation may also gain access to early warning threat intelligence drawn from incidents reported by others, giving you a head start on defending against similar attacks.
Penalties for Non-Compliance
Under the CSRB, penalties are tiered.
- A higher fine band applies to serious breaches (such as failing to report a security incident). These carry fines of up to £17 million or 4% of global turnover, whichever is higher.
- A standard fine band applies to less serious breaches (like missing a registration deadline). These carry fines of up to £10 million or 2% of global turnover, whichever is higher.
Proactive preparation is the most effective way to avoid these kinds of fines.
Organisations that have already validated their ransomware defences and crisis response processes through services like SECFORCE's Ransomware Readiness and Gold Teaming exercises will be better placed to demonstrate the due diligence regulators will expect, and to actually meet the 24-hour and 72-hour reporting windows under real-world attack conditions.
When Will New Ransomware Reporting Rules Come Into Force?
The new rules will be brought into force through secondary legislation after Royal Assent.
What will count as a "significant" impact (which determines whether a ransomware attack or another incident type triggers the reporting obligation) will also be clarified through secondary legislation.
What Should UK Organisations Do Now?
Prepare!
By that, we mean validate your incident readiness before the Cyber Security and Resilience Bill becomes law.
Ransomware Readiness Assessment - Preparing for the worst
Only 29% of security professionals say they feel very prepared for ransomware attacks. If you're in the other 71%, a readiness assessment is a good place to start.
SECFORCE's Ransomware Readiness Service assesses whether your organisation could actually prevent, detect, and recover from a ransomware attack, confirming that security and detection controls work as expected, recovery procedures are sound, and your team knows what to do.
This is particularly relevant given the Bill's proactive stance: you will need to report incidents that are likely to cause disruption, not just those that already have, which means you need to be able to identify intrusions as early as possible.
Gold Team Exercise - Testing responses
If you are confident in your ransomware readiness, the next question is whether you would be able to meet the reporting requirements in time.
A Gold Team exercise can help you stress test your notification and crisis response processes. The Bill's 24-hour and 72-hour reporting windows will apply under real attack conditions, when systems may be down, teams may be under extreme pressure, and decisions will need to be made quickly.
SECFORCE's Gold Teaming Service is a tabletop exercise that simulates high-stakes scenarios like a major ransomware incident to test your technical, executive, legal, and PR teams together.
Getting Ahead of the Cyber Security and Resilience Bill
The goal of preparation is simple. When the new rules come into effect, you want to be confident that your organisation can defend against an incident (whether it’s ransomware or something else) and also report it, manage it, and communicate about it within the timeline that the law requires.
Want to learn more about SECFORCE’s ransomware preparedness and gold teaming services? Contact us today for a free consultation.