The UK Cyber Security and Resilience Bill is generating a lot of attention, but plenty of details remain uncertain.
Not sure if the UK Cyber Security and Resilience Bill applies to your organisation? SECFORCE's Compliance and Audit Readiness service helps you understand your obligations and build a straightforward path to compliance.
Who does the Cyber Security and Resilience Bill apply to? Will you need to comply? Or is the UK Cyber Security and Resilience Bill more of a “best practices” recommendation? These are questions we've been hearing a lot, so we sat down with SECFORCE’s Head of Consulting Services, Nikos Vassakis, to put together this straightforward guide.
Announced in the July 2024 King's Speech and introduced to Parliament in November 2025, the UK Cyber Security and Resilience Bill essentially does two things:
- Updates the existing Network and Information Systems Regulations 2018.
- Expands regulatory scope, strengthens enforcement, and improves incident reporting.
Unsurprisingly, sectors that are already in scope under NIS 2018 (energy, transport, health, drinking water, digital infrastructure, and some digital services) remain in scope under the UK Cyber Security and Resilience Bill.
However, the bill also adds some new categories and introduces important updates to existing ones.
Read on to find out whether you’re in scope of the UK Cyber Security and Resilience Bill, what the bill will do, and how to prepare for it.
These Types of Organisations ARE In Scope of the UK Cyber Security and Resilience Bill
Does your organisation provide a service that, if disrupted, would affect people’s daily lives in the UK? If so, then you’re probably in scope of the Cyber Security and Resilience Bill.
Importantly, the disruption doesn’t need to come from a direct attack on an essential service. A compromised supplier could have the same effect (see the “critical suppliers” section below).
Here’s who is in scope.
Managed Service Providers (MSPs)
An MSP is a company that manages another organisation’s IT systems remotely under a contract. Since MSPs tend to have privileged access to their clients’ networks and data, they’re a tempting target for cybercriminals, which is why they’re brought in under the new bill.
To be classified as a relevant MSP (RMSP) under the UK Cyber Security and Resilience Bill, you have to:
- Be a medium or large MSP providing a managed service in the UK (regardless of whether you’re based in the UK).
- Not be subject to public authority oversight (or, if you are, derive more than half of your income from commercial activities).

NOT in scope: Small and micro enterprise MSPs unless they are designated as critical suppliers separately. Other examples of out-of-scope entities include operational technology providers (e.g., industrial automation), companies that install systems but don’t manage them, software companies that sell products but don’t manage them, and consultancies that provide legal, tax, or accounting services.
What MSPs in scope for the Cyber Security and Resilience Bill will need to do
If you’re an MSP that is affected by the Cyber Security and Resilience Bill, you will need to:
- Register with the Information Commission within three months of the regulations coming into force.
- Appoint a UK representative (but only if you’re based overseas).
- Report significant incidents to the Information Commission.
- Put in place “appropriate and proportionate” security measures (including measures to prevent and minimise the impact of incidents).
Additional technical information will be shared through secondary legislation.
Data centres
Another prime target for cyber attacks, data centres host important records (e.g., NHS patient records) and systems.
Two capacity thresholds will determine whether you fall in scope of the bill as a data centre:
- 1MW for commercial data centres open to multiple customers.
- 10MW for enterprise data centres owned or managed by a single organisation solely for their own IT operations.

Government-run data centres are in scope.
NOT in scope: Data centres operated by the Security Service, Secret Intelligence Service or GCHQ, and data centres operated commercially on behalf of His Majesty's Government but used to store, process or transmit information classified as secret or top secret.
What data centres in scope for the Cyber Security and Resilience Bill will need to do
If you’re a data centre affected by the Cyber Security and Resilience Bill, you will need to:
- Register with Ofcom within three months of designation.
- Put security and resilience measures in place proportionate to your risk.
- Report significant incidents to Ofcom, including near-misses.
- Notify customers when incidents occur.
More details will be shared by secondary legislation after Royal Assent.
Large Load Controllers
A large load controller is any load controller with a potential electrical control capacity of 300 MW or more, managing energy smart appliances (ESAs).
Relevant energy smart appliances (ESAs) include:
- Electric vehicles and their charge points.
- Electrical heating appliances (hydronic heat pumps, hot water heat pumps, hybrid heat pumps, direct electric hot water cylinders, electric storage heaters, and heat batteries).
- Battery energy storage systems.
- Virtual power plants.
A load controller is considered to "manage" an ESA if it directly sends signals to that appliance to control when electricity flows in or out of it.

What load controllers in scope for the Cyber Security and Resilience Bill will need to do
If you’re a load controller affected by the Cyber Security and Resilience Bill, you will need to:
- Register with the regulator within three months of hitting the 300 MW threshold, though there may be a transitional period on top of that.
- Put in place security measures to protect your network and information systems.
- Report (in writing) any significant incidents to regulators.
A quick note on intermediaries
When a load controller sends signals through an intermediary to reach appliances, the regulatory treatment depends on what the intermediary does with the signals:
- Intermediary passes the signals on unchanged: only the original load controller is regulated.
- Intermediary can modify those signals (and is allowed to): both the intermediary and the original load controller are treated as load controllers and could face the same regulatory obligations.
This rule stops load controllers from avoiding regulatory obligations by routing their signals through intermediaries and ensures that intermediaries with genuine control over electricity flows are brought within scope themselves.
“Critical suppliers”
Under the Cyber Security and Resilience Bill, regulators will be able to designate specific suppliers as "critical suppliers." The goal is to close the loophole where suppliers to essential services are unregulated, even if their failure could cause widespread harm.
You may be designated as a “critical supplier” if you meet the following criteria:
- You supply goods or services to regulated entities (an OES, RDSP, or RMSP).
- You rely on network and information systems for that supply.
- An incident affecting those systems could disrupt essential, digital, or managed services with a significant impact on the UK economy or day-to-day society.

Designated competent authorities will handle designations for suppliers to operators of essential services (OES), and the Information Commission will handle designations for suppliers to digital and managed service providers.
The regulator will have to consult other relevant regulators, give proposed suppliers written notice with reasons, and give them a reasonable period to make representations before any designation takes effect.
If you’re a supplier who could fall under multiple regulators, those regulators must actively coordinate to decide whether to designate, and if so, by whom.
Designation can be revoked if the conditions for it are no longer met. Importantly, designated suppliers themselves have a proactive duty to notify the regulator if they believe they no longer meet the conditions for designation.
You can be designated whether or not you are established in the UK, and the supply relationship can involve goods or services provided outside the UK.
NOT in scope: Organisations already regulated as an OES, RDSP, or RMSP in relation to the same service.
What critical suppliers in scope for the Cyber Security and Resilience Bill will need to do
If you’re a designated supplier, you will need to meet cybersecurity requirements set out in secondary legislation, which will follow Royal Assent.
Organisations ALREADY In Scope Under NIS 2018, But With UPDATED and EXPANDED Obligations In the UK Cyber Security and Resilience Bill
Already in scope under NIS 2018? You’re not in the clear.
If you’re any of the below, you have updated and expanded obligations under the UK Cyber Security and Resilience Bill.
Operators of Essential Services (OES)
With the Cyber Security and Resilience Bill, OES no longer need to be established in the UK to be in scope. This means that if you’re a foreign entity providing essential services in the UK, you can now be designated as an OES.
NOT in scope: Operators of public electronic communications networks and services (they are regulated separately).
Relevant Digital Service Providers (RDSP)
The UK Cyber Security and Resilience Bill renames "digital service provider" to "relevant digital service provider" (RDSP) and rewrites and expands the definition of cloud computing services.
If you’re an affected RDSP, your security obligations will now extend to third-party systems you rely on, not just your own. Security measures will need to ensure not just "continuity" but also the availability, authenticity, integrity, and confidentiality of services.
Again, as with OES, relevant digital service providers don’t need to be established in the UK to be in scope, only to provide services in the UK.
As an affected RDSP, you will need to provide a proper registered address and confirm which type of service you offer (marketplace, search engine, cloud, or a combination).
NOT in scope: Small and micro digital service providers, and entities that are subject to public authority oversight (unless they derive more than half their income from commercial activities).
For Organisations That Are Out of Scope NOW, Could You Be In Scope In the FUTURE?
Short answer: yes.
The UK government could bring more sectors into scope through secondary legislation in the future.
This is stated explicitly in the “future-proofing” section of the UK Cyber Security and Resilience Bill’s summary.
“The government will be more agile and responsive to evolving cyber threats with powers to make changes to the regime in secondary legislation, such as bringing more sectors into scope.”
That said, for that to happen, strict conditions would have to be met.
Any expansion of scope would require:
- The service to be essential to the economy or to how UK society functions.
- An evidence-backed decision, such as one informed by threat intelligence.
- Relevant stakeholder consultation and an affirmative procedure in Parliament.
When Is the Bill Coming Into Effect?
It’s hard to know. At the time of writing, there isn’t a single "go-live" date.
To find out the UK Cyber Security and Resilience Bill status, see the Parliament bill tracker.
When the bill goes into effect, it will be implemented in phases rather than all at once.
This means that while some measures will come into force on Day 1 (future-proofing powers, the post-implementation review) or at Month 2 (statement of strategic priorities, information sharing), other requirements (including incident reporting) will be brought into force through secondary legislation following further consultation.

Besides the Parliament bill tracker, we also recommend periodically checking the GOV.UK Cyber Security and Resilience Bill collection page, which is the hub for all supporting documents on the bill, including press notices, the Bill policy statement, factsheets that go over each measure in detail, and the Bill impact assessment.
You can also sign up for email updates directly on that page (there is a "Get emails about this page" button), which will alert you when there are new factsheets, updated guidance, secondary legislation consultations, and commencement regulations as they are published.
What Does the Bill Change for Organisations That Are In Scope?
If your organisation has never been in scope of the UK's NIS Regulations or the EU's NIS 2, the UK Cyber Security and Resilience Bill, once it becomes an Act, will bring you completely new obligations.
If you’re already in scope for NIS, the main framework remains the same, but there will be some meaningful changes, particularly around incident reporting, i.e., what kind of cyber incidents are reported, and when.
Currently, you don’t need to report attacks like ransomware or criminals gaining access to a network unless they have already disrupted the continuity of your service.
Under the UK Cyber Security and Resilience Bill, you will also need to report incidents that could cause major disruption in the future (for example, an intrusion that has not yet had an operational impact), even if nothing bad has happened yet.
You’ll also need to report on incidents faster:
- Within 24 hours: A quick notification (who you are, what service is affected, and a brief description).
- Within 72 hours: A full, detailed report on what happened, the impact, and how it happened.
Plus, you’ll need to notify both the relevant regulator and the National Cyber Security Centre (NCSC) at the same time.
If you’re a digital or managed service provider and you experienced an incident that likely affected your customers, you must also let those customers know.
Cost Recovery
The new bill, when it becomes an Act, will allow regulators to charge the businesses they oversee to cover the costs associated with overseeing and enforcing the new rules.
However, they will need to be transparent in how that money is being spent.
Financial Consequences of Non-Compliance
According to the UK government, current regulations around non-compliance fines are confusing and inconsistent, and the maximum fine (£17 million) is too low (i.e., it may actually be cheaper for large companies to pay the fine than to comply with the law).
The UK Cyber Security and Resilience Bill proposes two fine categories:
- Higher fine band: up to £17 million or 4% of global turnover, whichever is higher, for serious breaches (like failing to report a security incident).
- Standard fine band: up to £10 million or 2% of global turnover, whichever is higher, for less serious breaches (like missing a registration deadline).
Regulators will also be able to take into account a number of factors when setting a fine, such as whether an organisation tried to fix the problem and whether they have a history of breaking the rules.
What You Can Do Now to Get Ahead of the Cyber Security And Resilience Bill
You don’t need to wait until the UK Cyber Security and Resilience Bill becomes an Act to start preparing for it. If you know or suspect that you’re in scope of the UK Cyber Security and Resilience Bill, now is the time to get ahead of it.
Our advice: Conduct a gap analysis, test your cyber resilience, and review your incident reporting and response capabilities so that you can meet new requirements quickly and without any stress.
Get Compliance-Ready with SECFORCE
SECFORCE's Compliance and Audit Readiness service helps you plot where you stand today and what you need to do to comply with the UK Cyber Security and Resilience Bill once it becomes an Act.
Our experienced cybersecurity consultants work with your team to determine your current position, identify gaps, and build a practical plan to close them, whether you’re already familiar with NIS 2018 and need to understand what changes, or you’re new to the regulation entirely.
Contact us for a free initial cybersecurity strategy consultation.

