Why the Bill has been introduced
The UK’s cyber threat landscape has evolved dramatically since the 2018 NIS regime was introduced. Incidents such as the Synnovis attack against hospitals and the British Library ransomware attack show how quickly operational risk can become public harm. In this context, the UK Department for Science, Innovation and Technology estimates that cyber-attacks cost UK businesses around £14.7 billion each year.
At the same time, the widespread adoption of AI has expanded organisations’ attack surfaces and empowered threat actors to launch more effective and sophisticated activities, including crafting convincing phishing campaigns, exploiting vulnerabilities and initiating ransomware attacks at unprecedented speed and scale.
The CSRB responds to these challenges by widening who is regulated, accelerating incident reporting and tightening supply chain accountability, while enabling rapid updates that keep pace with technology and emerging risks.
Key provisions of the Cyber Security and Resilience Bill
A wider set of organisations in scope
The Bill significantly broadens the range of organisations regulated under the NIS framework.
- Managed service providers (MSPs) - medium and large MSPs, including MSSPs, managed SOCs, SIEM providers and similar services, will now fall under NIS obligations due to their systemic importance and privileged access to client systems. The Information Commissioner’s Office (ICO) will act as the regulator. Government analysis anticipates that a further 900 to 1,100 MSPs will be in scope.
- Data infrastructure is now recognised as essential to the functioning of the economy and public services. Medium and large data centres, as well as enterprise facilities meeting specified thresholds, will be required to implement appropriate and proportionate measures to manage cyber risk. Oversight will be shared between DSIT and Ofcom, with Ofcom serving as the operational regulator.
- Organisations that manage electrical loads for smart appliances, such as those supporting EV charging during peak times, are now within scope.
These additions sit alongside existing NIS-regulated sectors such as transport, energy, water, health, digital infrastructure, and certain digital services (including online marketplaces, search engines, and cloud computing).
Stronger supply chain requirements
Under the CSRB, regulators can now designate third-party suppliers as ‘designated critical suppliers’ (DCS) when certain threshold criteria are met and where disruption could have significant knock-on effects. Designated suppliers will be subject to the same security and incident-reporting obligations as Operators of Essential Services (OES) and Relevant Digital Service Providers (RDSPs).
Government will scope the supply chain duties for OES and RDSPs via secondary legislation, following consultation. infrastructure incidents where a single supplier’s compromise caused widespread disruption.
Faster incident reporting
Sector-specific regulators, 12 in total, will be responsible for implementing the CSRB, allowing for more effective and consistent reporting. In addition, the CSRB introduces a two-stage reporting process and expands incident reporting criteria. Regulated entities must submit an initial notification within 24 hours of becoming aware of a significant incident, followed by an incident report within 72 hours. Incident reporting criteria are also broadened to capture incidents beyond those which actually resulted in an interruption, ensuring earlier visibility for regulators and the National Cyber Security Centre (NCSC). The CSRB also facilitates information sharing across agencies, law enforcement and regulators.
The reforms also require data centres and managed service providers to notify affected customers where they are likely to have been impacted by a cyber incident.
An agile regulatory framework
To keep pace with technological change, the CSRB will enable the Secretary of State to update elements of the framework via secondary legislation. Supporting materials such as the NCSC Cyber Assessment Framework (CAF) are to be “put on a stronger footing”, allowing requirements to be more easily followed, managed and updated. Regulators will also now be able to recover the full costs associated with NIS duties, meaning they are better resourced to carry out their associated responsibilities.
Relevant Managed Service Providers must identify and take appropriate and proportionate measures to manage risks to the systems they rely on for providing services within the UK. Importantly, these measures must, having regard to the state of the art, ensure a level of security appropriate to the risk posed, and prevent or minimise the impact of incidents.
The Secretary of State will also be empowered to issue a Statement of Strategic Priorities, setting cross-regime outcomes to drive consistency across the 12 competent authorities responsible for implementation.
Penalties
The enforcement framework will be strengthened, with maximum fines aligned with comparable regimes such as the GDPR, which incorporate maximums tied to turnover. Under the CSRB, maximum penalties for more serious breaches could be up to £17 million or 4% of global turnover, whichever is higher.
Next steps
The Bill is expected to progress through Parliament over the course of 2025 and early 2026, with Royal Assent anticipated in 2026. Once enacted, most operational measures will not take immediate effect. Instead, Government will bring key components into force through secondary legislation following further consultation, providing regulators and industry with time to adjust practices and prepare for compliance.
Anticipated timeline
- 2025-2026: Parliamentary scrutiny and passage;
- 2026: Royal Assent;
- 2026 consultation: DSIT intends to consult on detailed implementation;
- From 2026 onwards: Phased implementation via secondary legislation, following further consultation led by DSIT.
How Darktrace can help
The CSRB represents a step change in how the UK approaches digital risk, shifting the focus from compliance to resilience.
Darktrace can help organisations operationalise this shift by using AI to detect, investigate and respond to emerging threats at machine speed, before they escalate into incidents requiring regulatory notification. Proactive tools which can be included in the Darktrace platform allow security teams to stress-test defences, map supply chain exposure and rehearse recovery scenarios, directly supporting the CSRB’s focus on resilience, transparency and rapid response. If an incident does occur, Darktrace’s autonomous agent, Cyber AI Analyst, can accelerate investigations and provide a view of every stage of the attack chain, supporting timely reporting.
Darktrace’s AI can provide organisations with a vital lens into both internal and external cyber risk. By continuously learning patterns of behaviour across interconnected systems, Darktrace can flag potential compromise or disruption to detect supply chain risk before it impacts your organisation.
In a landscape where compliance and resilience go hand in hand, Darktrace can equip organisations to stay ahead of both evolving threats and evolving regulatory requirements.