It’s been a long time coming. Having been trailed as far back as the King’s Speech in 2024, the Cyber Security and Resilience Bill (CSRB) has finally been introduced to parliament. In the intervening 20 months or so, the UK’s critical national infrastructure (CNI) has been buffeted by its fair share of major incidents – from the Synnovis ransomware attack to the unprecedented cyber-espionage theft targeting the MoD.
The fact that CNI sectors need a regulatory shove to improve security and resilience is therefore not in any doubt. The question is how operators of essential services (OES) and their digital counterparts can manage the extra compliance burden heading their way.
Who Does it Cover?
The final list of in-scope organisations has yet to be released. But it’s sure to include those sectors already covered by the NIS Regulations 2018, which this proposed law updates. They include healthcare, transportation, energy, water and digital infrastructure. These are all classed as OES.
The CSRB will also apply to:
- Relevant digital service providers (RDSPs): Other digital service providers such as those offering cloud computing, search engines and online marketplaces
- Datacentre operators
- Managed service providers (MSPs)
- Companies managing “the flow of electricity to smart appliances” and EV charging points.
What’s in the Bill?
The legislation is still making its way through parliament. However, we’re likely to see at least the following headline measures adopted:
- Regulators will be granted powers to designate critical suppliers which must meet minimum security standards. This is to close down any supply chain security gaps
- OES will be required to manage supply chain risks in a more proactive manner, although these new duties will need to be defined in secondary legislation
- OES will need to meet “proportionate and up-to-date security requirements” drawn from the NCSC Cyber Assessment Framework (CAF) and closely aligned to NIS 2
- A wider scope for reportable incidents – to now include events “capable of having a significant impact on the provision of an essential or digital service” as well as “incidents that significantly affect the confidentiality, availability, and integrity of a system”.
- More prescriptive requirements for incident reporting: initial reporting to the NCSC must happen no later than 24 hours after an incident, followed by a full report within 72 hours. Digital and datacentre providers will also need to notify customers of any service interruption
- The Information Commissioner’s Office (ICO) will get new powers to help it identify the most critical digital service providers and proactively assess their cyber risk
- Regulators will be able to recover costs through a new fee regime
- Tougher penalties will be introduced for serious offences, rising to £17m or 4% or 10% of turnover
- The technology secretary will get new powers to instruct regulators and OES to take specific steps to prevent attacks where there’s a threat to national security. This could include that they patch or isolate critical systems.
Time to Get Ready
Although the legislation has still to pass through parliament, it’s unlikely to change much as “cybersecurity remains a largely apolitical policy issue”, according to NCC Group UK head of government affairs, Verona Johnstone-Hulse. That means security and compliance teams can get ahead of the game by planning their compliance journeys now.
“As an organisation, the first step is to determine whether you are, in fact, in-scope. For many, this will be relatively clear cut – either because you are already regulated under UK NIS or because your organisation clearly meets the definitions and thresholds of the sectors being brought into scope under the bill,” she tells ISMS.online.
“For those organisations that could be designated ‘critical suppliers’ – and therefore subject to NIS rules – it may be less clear whether you will meet the ‘critical’ threshold. Closely reviewing your customers and the types of services and products you provide will help to determine whether you are likely to be designated ‘critical’ in future.”
Rhiannon Webster, UK head of cybersecurity at global law firm Ashurst, agrees that firms can get a head start on compliance.
“I would say that the categories of new persons in scope are unlikely to change and therefore those companies should dust off their cyber-response plans,” she tells ISMS.online. “They should prepare for enhanced reporting obligations, review their cybersecurity frameworks against the anticipated requirements, and take a good look at their supply chain and contracts. Obligations may need to flow down through procurement processes.”
NCC Group’s Johnstone-Hulse advises teams to:
- Engage early with government and regulators
- Enhance governance and accountability by ensuring board-level buy-in for compliance programmes
- Assess current incident response processes and technologies to understand what may need to change
Charlotte Walker-Osborn, knowledge director at law firm Clifford Chance, warns UK organisations currently in-scope for NIS2 to brace for a bigger compliance burden.
“With the scope of the UK’s Cyber Security and Resilience Bill being somewhat different to EU cybersecurity legislation in various ways, multinational companies with operations across Europe will, once again, need to grapple with the practical implications of complying with two distinct regimes,” she tells ISMS.online.
“It seeks to align with parts of NIS 2 but also recognises the UK’s own challenges.”
How Standards Can Help
Julian Brown, managing consultant at NCC Group, explains that some of the key technical details have yet to be clarified. These include the “appropriate and proportionate” security measures organisations are expected to take. This is where existing standards can help.
“While further detail is expected – including through a Code of Practice and sector-specific guidance from regulators – existing cybersecurity standards and frameworks can aid compliance by providing a structured, auditable, and internationally recognised approach to meeting the bill’s core requirements,” he tells ISMS.online.
“Using these standards also creates the evidence that regulators will expect: risk assessments, policies, controls, metrics, and continuous-improvement activities. ISO 27001 offers this through its ISMS, the CAF through its outcome-based assurance model, NIST CSF through its governance lifecycle, and 62443 through its OT-specific security requirements. Adopting any of these frameworks means an organisation can confidently show it is managing cyber risk in a proportionate, accountable, and defensible way once the legislation takes effect.”
There’s still plenty up in the air then. Clifford Chance’s Walker-Osborn says it’s still unclear whether the bill will include recently publicised plans to ban ransomware payments and mandate reporting for some companies. The scale of the penalty regime may also be up for debate, given the parlous state of the economy, she adds.
However, there’s certainly enough to be going on with. Smarter organisations already running ISO 27001 or other compliance programmes should find the bill’s requirements a much easier lift.