The UK's Cyber Security and Resilience Bill is working its way through Parliament, and if you haven't started paying serious attention yet, now is the time. Introduced to the House of Commons in November 2025, the Bill represents the most significant overhaul of UK cyber regulation since the NIS Regulations in 2018, and its implications for security practitioners are immediate and practical.

One of the most significant shifts for practitioners working in or alongside managed services is the creation of a new regulated entity category: the Relevant Managed Service Provider (RMSP). For the first time, MSPs providing services to in-scope sectors face direct regulatory obligations. If your organisation is an MSP, or relies heavily on one, your compliance exposure has materially changed.

Maximum Penalty Structure

• Standard maximum penalty - £10m or 2% of global turnover
• Higher maximum (serious breaches) - £17m or 4% of worldwide turnover
• Continuing contraventions (daily) - Up to £100,000 per day
• Extended ceiling (exceptional cases) - Up to 10% of worldwide turnover

These are not hypothetical. Regulators will also gain cost recovery powers, able to levy periodic fees to fund their oversight activities. Expect more active enforcement, not passive monitoring.

Practitioners managing cross-border environments will need jurisdiction-specific runbooks. A single process attempting to satisfy both simultaneously risks failing both under pressure.
Supply Chain Risk Is Now Statutory

The Bill introduces the concept of designated "critical suppliers" organisations whose compromise could cause major disruption to the economy or wider society, even if they are not themselves regulated entities. These suppliers will receive formal written notice and will have the right to make representations or appeal.

Secondary legislation will likely impose specific supply chain security obligations on regulated entities potentially including contractual requirements, security assessments, and continuity planning mandates. The era of passing a questionnaire and considering supply chain risk managed is ending.

• Determine whether your organisation or key MSPs fall into newly in-scope categories, including data centres with Rated IT Load above 1 MW
• Review incident detection and escalation workflows against the 24-hour initial notification requirement
• Map divergence between your current NIS/NIS2 compliance posture and what the UK Bill will require
• Audit your supplier assurance programme, move beyond annual questionnaires towards continuous oversight
• Engage legal, compliance, and operational teams together; this cannot be owned by security alone
• Monitor the Bill's progress and watch for secondary legislation, which will contain the operational detail

The regulatory environment for UK cyber security is shifting substantially. The organisations best placed when the Bill receives Royal Assent will be those treating this as a live operational project, not a future compliance task.

Track the Bill's progress via the UK Parliament Bills tracker and the House of Commons Library briefing.