How immersive learning can bolster training for Cyber Security & Resilience Bill compliance and trust

Following a series of high-profile cyberattacks this year, including those on M&S, Jaguar Land Rover and systems affecting European airports, the UK Government is elevating security standards in line with rising threat levels to protect UK citizens. As the recent National Cyber Security Centre review found, the UK experienced 204 “nationally significant” cyber incidents in the 12 months up to August 2025 — of which 18 were classified as “highly significant,” representing a 50% increase on the previous 12 months.

The resulting legislation, The Cyber Security and Resilience (updated Network and Information Systems) Bill, was introduced by Parliament on 12 November and is set to scale up UK national cybersecurity across Britain’s critical sectors including public services, such as healthcare, utilities, transport and energy.

The legislation specifically aims to prioritise the security of the UK’s essential services or critical national infrastructure (CNI). An example in one market alone is that there will be safeguards to cover organisations that manage the flow of electricity to smart appliances like electric vehicle charge points and electrical heating appliances in homes. This is to reduce the risk of disruption to consumers using smart-energy appliances, and the grid, bolstering the UK’s energy security. 

While the Bill will improve cybersecurity measures essential for maintaining high safety standards, it will also present challenges for UK organisations. Boards, senior executives, and risk managers must ensure that they have conducted thorough due diligence to identify their specific risks and implement the correct cybersecurity measures. Failure to do so may leave organisations vulnerable and potentially in breach of the law. Incident reporting requirements will tighten, including mandatory initial notifications within 24 hours should a breach occur.

Therefore, business leaders in scope must sit up and listen. For those that fall directly under the regulations, this means higher standards, more accountability, and zero tolerance for weak links. Both business and cybersecurity leaders must understand the implications of the Bill and take steps to get in shape for the new regulatory requirements, with regulators given more power to issue penalties for failures.

Fundamental to this new approach is a legal requirement to demonstrate trained cybersecurity exercises. Ultimately, organisations that fall within the scope need to prove that they have undertaken the necessary training and exercising to ready themselves for when a breach occurs. Therefore, to meet new compliance targets, training managers will need to step up their learning programmes to build resilience that protects their employees, customers, their reputation, and their future.

The Bill, which supports the government’s Plan for Change, will strengthen national security and protect growth by boosting cyber protections for the services that people and businesses rely on every day. In the face of increasing cyber threats, it will prevent disruption while making sure those who supply our vital services have tougher cyber protections.

There are three key areas of reform: expanding the regulatory scope; empowering regulators and enhancing oversight; and ensuring an adaptive regulatory landscape that can respond to the evolving threat landscape. Let’s first look at the expanded scope of this legislation.

The expanded scope is to include:

  • Managed Service Providers (MSPs)

The Bill aims to bring MSPs within scope of the regime. Those that provide a service to another organisation which relies on the use of network and information systems to deliver the service must comply with new requirements. Since they manage a network connection and access to the customer’s systems, MSPs can be an attractive target for cyber criminals.

It’s also proposed to bring data centres in scope, which last year were designated as part of the UK’s critical national infrastructure. With the Bill likely to classify these centres as an essential service, as they underpin almost all economic activity and innovation in the UK, data centre operators will need to observe and adhere to the new stipulations.

  • Designated Critical Suppliers

In recognition of the importance of addressing supply chain risk, the Bill will enable regulators to bring specific, high-impact suppliers to OES’ and Relevant Digital Service Providers (RDSPs) in scope. They might be classified as “Designated Critical Suppliers”, even if that supplier is an SME who would previously have been exempt. Essentially, that supplier’s goods or services must be regarded as so critical that its disruption could cause a significant disruptive effect on essential services.

Enforcement will include tougher turnover-based penalties for serious breaches, ensuring compliance is more cost-effective than cutting corners. Adhering to the 12 key cybersecurity controls is vital for companies delivering essential services to maintain system security and reliability.

The Bill grants the technology secretary new authority to direct regulators and the organisations they oversee — such as NHS trusts and Thames Water — to implement measures preventing cyberattacks when UK national security is threatened. This includes enhanced monitoring and isolating high-risk systems to protect essential services.

The escalation of incident reporting will have implications for all organisations in scope. The new requirements include reporting significant or potentially significant cyber incidents promptly – within 24 hours instead of the previous 72 – to their regulator and the National Cyber Security Centre (NCSC), and they must have robust plans in place to deal with the consequences.

Should a data centre, or digital and managed service provider face a significant or potentially significant attack, they will have to promptly notify customers which are likely to be impacted as part of the new remit to protect their business, people and services. 

Having crisis management plans and a clear plan for when the worst occurs is essential for organisations in all industries, particularly those critical suppliers to the UK’s essential services such as those providing healthcare diagnostics to the NHS or chemicals to a water firm, where they meet the criteria.

What’s new about this Bill is the regulated element of it: the obligation to report, respond and react in the right way to meet compliance. Regular training is now essential to elevate the cybersecurity knowledge and practices of organisations. Among the enterprises obligated, there should be a Head of HR or Chief People Officer who understands the level of training and awareness that’s required for their specific organisation.

In the lead up to this important new regulation, we would strongly advise business leaders to start by having a level of understanding of where they sit in the supply chain. It’s thinking first about where the biggest impact could be and then working through what measures they need to undertake to improve resilience. This requires organisations to conduct thorough supply chain reviews to close potential security gaps.

For the first time, companies providing IT management, help desk support, and cybersecurity services to both private and public sector organisations must fulfil clear security obligations, including the prompt reporting of significant or potentially significant cyber incidents to the Government and their customers. As a result, these companies will need strong incident response plans, continuous monitoring, and close coordination with regulators and the National Cyber Security Centre (NCSC).

Leadership training programmes provide individuals with the tools and techniques needed to assess risks, make informed decisions, and implement effective strategies for risk mitigation. From scenario planning and crisis simulation exercises to workshops on communication and decision-making, leadership training equips individuals with the competencies required to lead confidently through turbulent times. Beyond just standard training which tests managers on what they know, more immersive experiential training ensures key business operatives across various business functions work as a team through scenario-based problems, testing their actions and collaborative efforts amidst a simulated crisis.

A Cyber Incident Exercise (CIE) is a simulated cyber-attack that allows organisations to practice their incident response and crisis management procedures in a safe and controlled environment. Implementing an organisational culture of training and cyber incident exercising protects your business and people in the event of cyber incident.

Conducting scenario-based cyber exercises brings numerous benefits to organisations. These exercises help identify strengths and weaknesses in cybersecurity practices, test and refine incident response plans, enhance team collaboration, improve preparedness and resilience against cyber threats, raise awareness and educate employees, meet compliance requirements, gain external perspective, and foster a culture of continual improvement.

By simulating real-world scenarios and engaging participants from various departments, organisations can proactively strengthen their cybersecurity defences, minimise the impact of cyber incidents, and protect valuable assets.

Whilst many cybersecurity companies may offer various forms of CIE, the NCSC provide a list of Assured Providers which are companies that have been independently assessed by the NCSC to deliver cyber exercises that meet recognised national standards. Using an assured provider gives organisations confidence that exercises are credible, realistic, and defensible to boards, regulators, insurers, and auditors. Unlike non-accredited providers, NCSC Assured CIE providers offer quality and assurance that helps organisations evidence real preparedness and reduce risk, not just run a simulation.

While The Cyber Resilience Bill brings opportunity to improve cybersecurity, it will have clear impacts on various sectors and throw up some compliance challenges. One of the first challenges for an organisation will be to communicate the level of awareness and the consequences around their responsibilities at board level.

Those organisations included as critical infrastructure must ensure that third-party providers comply with standards, have incident-reporting frameworks in place, and maintain business continuity plans to address cyber disruptions. Contingency planning, resilience, and vendor governance are key priorities.

With cybersecurity now mandated for all organisations in scope, business leaders must find the best approach to train teams on their new responsibilities and test readiness for compliance before they fall foul of regulations, lose customer trust or allow weak links to pose a risk to their business.