
The UK Cyber Security and Resilience Bill explained

Business
Sophia Barnett

Technical Marketing Writer


UK cyber law is about to change significantly. The Cyber Security and Resilience Bill—introduced to Parliament in November 2025—is the most significant overhaul of the UK's cyber security regulatory framework in nearly a decade. For a wide range of organisations, it will change what is legally required of them, who oversees them, and what happens if they fall short. 

Whether you've heard about the Bill and want to find out more or are actively assessing how it applies to your business, this blog dives into what the CSR Bill is, why it’s being introduced, and who it affects. 

What is the Cyber Security and Resilience Bill? 

The Cyber Security and Resilience Bill—commonly referred to as the CSR Bill—is UK primary legislation that modernises and expands the Network and Information Systems (NIS) Regulations 2018. Where the original NIS framework set a baseline for cyber security across essential services, the CSR Bill raises that bar considerably and extends it to a broader set of organisations. 

In short, the CSR Bill is the UK government's answer to a threat landscape that has changed dramatically since 2018. High-profile ransomware attacks, major data centre outages, and supply chain compromises targeting managed service providers have all exposed gaps in existing frameworks. The Bill is designed to close them. 

The UK's approach differs from the EU's NIS2 Directive, which embeds detailed technical requirements directly in legislation. The CSR Bill instead creates a flexible framework, with much of the granular detail—sector thresholds, reporting criteria, codes of practice—to follow through secondary legislation and regulatory guidance. This allows the government to adapt requirements as threats evolve, without needing to pass new primary legislation each time. 

Why has the UK introduced this legislation now? 

The NIS Regulations 2018 were a meaningful step forward at the time, but they were written for a different era. Since then, the threat environment has intensified significantly, and several structural weaknesses in the existing framework have become apparent. 

Critical services now depend heavily on managed service providers and third-party digital infrastructure that were never brought under direct regulation. The definition of what counts as a reportable incident has been too narrow, meaning serious attacks were often not reported to regulators at all. And the existing penalty structure has proven difficult for regulators to apply effectively—too complicated to enforce consistently, and with maximum fines that did not meaningfully deter larger organisations. 

The CSR Bill addresses each of these issues directly. It also acknowledges the lesson learned from GDPR and NIS2: that systemic cyber resilience cannot be achieved by regulating only the most visible organisations. Supply chains, service providers, and digital infrastructure must all be part of the framework. 

Who does the CSR Bill affect? 

The Bill retains all sectors covered under NIS 2018—energy, transport, health, drinking water, and relevant digital service providers—but significantly expands the scope of who is regulated. The most notable new categories include managed service providers (MSPs), data centres above certain capacity thresholds, and organisations that control substantial loads within the electricity grid. 

Beyond these defined categories, regulators will gain the power to designate individual suppliers as 'critical' and bring them into scope directly—even if they don't fit neatly into existing sector definitions. The Bill also grants the Secretary of State authority to expand the regulated population further through secondary legislation, meaning the scope of who is covered can change relatively quickly. 

The practical implication: organisations that are not currently in scope should not assume they will remain outside the framework indefinitely. 

You could be affected by the UK's new cyber resilience requirements if any of the following apply: 

  • You operate in a sector covered by the original NIS Regulations—energy, transport, health, water, or digital services 
  • You provide managed IT services to other organisations, operate a data centre, or manage significant electrical loads 
  • You are a key supplier to any of the above, even if you don't fall neatly into a regulated sector yourself 

What does the CSR Bill change? 

At a high level, the Bill introduces three major shifts for in-scope organisations. 

  • Faster and broader incident reporting. The timelines for reporting significant cyber incidents tighten considerably, and the definition of what must be reported expands—explicitly capturing ransomware and certain pre-attack activity that the current rules largely miss. 
  • Stronger regulatory powers. Regulators gain wider inspection and information-gathering rights, along with the ability to recover costs associated with enforcement action. 
  • Higher and clearer penalties. The existing three-band penalty structure is replaced with a simpler two-band system, with maximum fines scaled to worldwide turnover—making non-compliance a material financial risk for organisations of all sizes. 

You can find out what each of these changes means for your organisation, and how to meet the requirements, in our full guide.

Organisations should start preparing now 

The Bill has not yet received Royal Assent, but that is not a reason to defer. Regulatory reform of this kind typically leaves little time between commencement and active enforcement. Organisations that begin aligning their governance, incident response, and resilience capabilities now are in a significantly stronger position than those that wait for a final date. 

For organisations already working towards NIS2 compliance, the good news is that much of the groundwork carries over. The strategic priorities—risk management, supply chain oversight, incident response, business continuity—are consistent across both frameworks. What remains is adapting those efforts to the UK-specific regulatory landscape. 

For organisations encountering these requirements for the first time, the Bill's phased approach—with detailed requirements emerging through secondary legislation and codes of practice—means the window to prepare is open. The direction of travel, however, is clear. 

Ready to go deeper? Our full guide covers the CSR Bill in detail—including who’s in scope, what the new requirements mean in practice, and how to build the cyber resilience your organisation will need.