How to comply with the UK Cyber Security and Resilience Bill
The Cyber Security and Resilience Bill is upcoming UK legislation that will extend mandatory cyber security obligations to a wider set of organisations—including managed service providers and data centres—and tighten the rules for sectors already covered under the NIS Regulations 2018.
To comply with the Cyber Security and Resilience Bill, organisations should align security controls, incident reporting procedures, and recovery capabilities with the NCSC Cyber Assessment Framework (CAF). Adherence to this framework is moving from voluntary to a more mandatory footing. By adopting the framework now, organisations can ensure that when a cyber incident occurs, they can detect, report, and recover within the timeframes the law requires.
This guide offers steps on how to achieve just that. For more information on the legislation itself, see our full article on what the Cyber Security and Resilience Bill is and how it impacts businesses.
Key takeaways
- The CSR Bill applies to organisations running essential services and a new set of digital infrastructure providers—including managed service providers and data centres—many of which were outside the previous NIS framework entirely.
- The Bill lays out broad expectations around governance, risk management and operational resilience.
- Areas of focus to achieve compliance should include: security controls aligned with the NCSC CAF, incident reports filed within 24 and 72 hours, active management of supply chain risk, and the ability to show regulators evidence of risk management on demand.
- In practice, regulators will almost certainly scrutinise backup and recovery capabilities. Backups that an attacker can reach, alter, or delete do not offer a compliant recovery posture.
- Absolute Immutability means zero access to destructive actions, so no one—not even the most privileged admin or a fully compromised attacker—can modify or delete backup data. This satisfies key elements of the CAF's Objective D requirements in practice.
- Object First delivers secure, simple, and powerful backup storage that’s absolutely immutable and purpose-built for Veeam, ensuring alignment with the CSR Bill.
Who must comply with the Cyber Security and Resilience Bill?
The Bill retains every sector covered by the NIS Regulations 2018 and adds several categories that were previously outside the framework:
Operators of Essential Services (retained from NIS 2018)
- Energy: electricity generators and distributors, oil and gas operators, and energy network operators. Utilities providers fall under this category.
- Transport: air, rail, road, and maritime operators whose services are critical to national infrastructure.
- Health: NHS trusts, private healthcare providers, and other healthcare organisations. Securing healthcare backup and data recovery is a particular focus given the sector's exposure to ransomware.
- Drinking water: water supply and distribution operators.
- Digital infrastructure: internet exchange points, domain name system providers, top-level domain name registries, and digital infrastructure operators more broadly.
- Relevant Digital Service Providers (RDSPs): online marketplaces, online search engines, and cloud computing services already regulated under NIS 2018. Large SaaS and enterprise software vendors that meet the relevant thresholds also fall within this category.
Other sectors that fall under the OES and RDSP definitions in practice include financial services and fintech platforms (where they operate critical digital infrastructure), telecommunications providers and internet service providers, universities and research institutions handling sensitive data, and public services operating network and information systems.
New categories added by the CSR Bill
- Managed Service Providers (MSPs): any organisation providing ongoing IT management, support, maintenance, or monitoring under contract, where it connects to or accesses a customer's network. MSPs will be regulated by the Information Commissioner's Office (ICO). Small and micro-enterprises are currently exempt, though businesses that grow beyond those thresholds will fall into scope.
- Data centres: shared or multi-tenant facilities at or above 1 MW capacity, and single-tenant enterprise facilities at or above 10 MW. Ofcom and DSIT will act as joint regulators. The thresholds are designed to capture facilities large enough that their failure would cause significant economic or operational disruption.
- Large load controllers: organisations that remotely manage substantial electrical loads (300 MW or more) within the electricity grid and can therefore influence grid stability. Ofgem is the relevant regulator.
- Designated Critical Suppliers (DCS): regulators gain the power to bring individual suppliers into scope directly, regardless of whether they fit the sector categories above. The criteria for designation: supplying goods or services to a regulated organisation, where a failure at the supplier would cause significant disruption to an essential service, where the supplier's operation depends on network and information systems, and where no equivalent cyber regulation already applies. Small businesses are not automatically exempt—a micro-enterprise occupying a critical position in a supply chain can still be designated.
The Secretary of State also has the right to extend the regulated population through secondary legislation, without needing new primary legislation.
For even more specifics, download our full guide to the CSR Bill.
Key UK CSR Bill requirements for businesses
The CSR Bill places the following four core duties on in-scope organisations:
- Align with the NCSC Cyber Assessment Framework. The CAF is the technical standard against which regulators intend to assess compliance, moving from a voluntary to a legal footing for regulated organisations. The CAF is organised around four objectives—managing security risk, protecting against cyberattack, detecting cyber security events, and minimising the impact of incidents. In-scope organisations are expected to demonstrate progress against all four.
- Report incidents within 24 and 72 hours. A significant incident must be reported to the relevant regulator and the National Cyber Security Centre within 24 hours of becoming aware of it. A full written report, including an impact assessment, must follow within 72 hours. What triggers reporting is broader than under NIS 2018—ransomware is now explicitly covered, as is prepositioning activity, where an attacker has gained access but has not yet caused visible disruption. MSPs and RDSPs must also notify affected customers as soon as reasonably practicable after filing a regulator report.
- Manage supply chain risk. OES and RDSP organisations are required to identify and actively manage the cyber risks posed by their suppliers. This includes mapping dependencies, strengthening contractual protections, and verifying that data held or managed by third parties meets the same resilience standards as data held internally.
- Prepare evidence of continuous risk management. Regulators have expanded inspection and information-gathering powers. They can request evidence of how risk is being managed on an ongoing basis, inspect premises, examine documentation, test systems, and interview staff.
Penalties
The Bill replaces the existing three-tier penalty regime with a cleaner two-band structure scaled to turnover. Serious breaches—failure to meet security duties or report incidents—carry a maximum fine of £17 million or 4% of worldwide turnover, whichever is higher. Less serious infringements, such as registration failures, carry a maximum of £10 million or 2% of worldwide turnover. Daily penalties of up to £50,000 apply for continuing violations. Regulators can also take into account mitigating factors, including whether the organisation made genuine attempts to address a breach and its prior compliance record.
The backup, restore, and recovery controls that satisfy the Bill
Compliance across all CAF Objectives will be important, but when a real incident triggers an investigation, regulators will certainly focus on whether the organisation can actually recover. Here are some things to bear in mind:
What is CAF Objective D?
CAF Objective D, “Minimising the impact of cyber security incidents”, is the relevant standard here. This objective examines an organisation's capability to respond to incidents and restore essential functions. It is structured around two principles:
- D1: Response and Recovery Planning
- D2: Lessons Learned
Meeting Objective D requires more than a documented recovery plan. In an audit following an incident, evidence of three things will be expected: backups that an attacker could not reach or alter, proof those backups have not been corrupted, and tested restore records showing how quickly the organisation can return critical systems to operation.
Why do regulators care about backups?
The reason regulators care so specifically about backup integrity is that modern ransomware attacks increasingly target backup repositories directly, corrupting data, deleting recovery points, or quietly altering retention settings. An organisation whose backups have been compromised has, in effect, lost its ability to recover.
The Bill's emphasis on recoverability reflects this threat directly. Under Clause 10 of the current draft, Relevant Managed Service Providers must "identify and take appropriate and proportionate measures to manage the risks posed to the security of network and information systems on which it relies"—measures that must "ensure a level of security of network and information systems appropriate to the risk posed, and prevent and minimise the impact of incidents."
How Absolute Immutability Contributes to CSR Bill Compliance
Immutability is the technical control that addresses the elements raised above. When backup data is written to immutable storage, it cannot be modified or deleted during the retention period—whether by an attacker who has gained network access or by an administrator acting under duress.
However, some systems that claim to offer 'immutable' backups have hidden exceptions and loopholes. Absolute Immutability means that even the most privileged admin or attacker with access to backup storage cannot modify or delete data. This can only be achieved using a backup storage system that is 'secure-by-design' with Zero Access to perform destructive actions, and this Zero Access must be verifiable with third-party testing.
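As an added illustration (not Object First's or Veeam's code), the following Python toy contrasts a retention-locked store with no privileged bypass against one with the "hidden exception" described above, and shows the kind of check a verifier would run: attempt every destructive action, including quietly shortening retention, as every role and report whichever succeeds. The store, roles and clock are constructed for the demo.

```python
from datetime import datetime, timedelta, timezone

class RetentionLockedStore:
    """Toy retention-locked (WORM) backup repository, constructed for illustration.
    Before an object's retain_until it cannot be overwritten, deleted or have its
    retention shortened, whatever the caller's role; admin_bypass=True models the loophole."""

    def __init__(self, admin_bypass=False):
        self._objects = {}  # key -> [data, retain_until]
        self.admin_bypass = admin_bypass

    def _blocked(self, key, role, now):
        locked = key in self._objects and now < self._objects[key][1]
        return locked and not (self.admin_bypass and role == "admin")

    def put(self, key, data, retain_for, *, role, now):
        if self._blocked(key, role, now):
            raise PermissionError(f"{key} is retention-locked")
        self._objects[key] = [data, now + retain_for]

    def delete(self, key, *, role, now):
        if self._blocked(key, role, now):
            raise PermissionError(f"{key} is retention-locked")
        del self._objects[key]

    def set_retention(self, key, retain_until, *, role, now):
        # Extending retention is always allowed; shortening it is a destructive action.
        if retain_until < self._objects[key][1] and self._blocked(key, role, now):
            raise PermissionError("retention can only be extended")
        self._objects[key][1] = retain_until

def destructive_actions_possible(store, now, roles=("operator", "admin")):
    """Try each destructive action as each role on a fresh locked object; return the successes."""
    succeeded = []
    for role in roles:
        for action in ("overwrite", "delete", "shorten_retention"):
            key = f"backup-{role}-{action}"
            store.put(key, b"recovery point", timedelta(days=30), role=role, now=now)
            try:
                if action == "overwrite":
                    store.put(key, b"garbage", timedelta(days=30), role=role, now=now)
                elif action == "delete":
                    store.delete(key, role=role, now=now)
                else:
                    store.set_retention(key, now, role=role, now=now)
                succeeded.append((role, action))  # a compliant store never reaches this line
            except PermissionError:
                pass
    return succeeded  # [] means no role can perform any destructive action
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)  # constructed clock for the demo
```

Running the check against both stores shows the bypassing store failing only for the admin role, which is exactly the exception an attacker who has compromised an administrator account would exploit.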
Rapid restoration matters as much as the integrity of what is stored. The CSR Bill's focus on operational resilience recognises that prolonged outages in essential services carry economic and societal consequences; clean data is only useful if it can be restored quickly.
Cyber Security and Resilience Bill Compliance Checklist
Demonstrable compliance requires working through five key steps:
- Confirming whether your organisation is in scope
- Identifying your own critical suppliers
- Monitoring forthcoming regulatory guidance
- Reviewing incident response readiness
- Validating your risk management and recovery arrangements
For a comprehensive guide on how to achieve each of these steps, download our CSR Bill Compliance Checklist.
How Object First supports CSR Bill compliance
When—not if—ransomware strikes, your future depends on cyber resilience. Object First is your ultimate defence: backup storage with Absolute Immutability that is purpose-built for Veeam and directly addresses the Objective D controls that regulators scrutinise hardest. Based on Zero Trust and third-party tested and verified, Object First requires no security expertise and scales with your business. When backup storage is this secure, simple, and powerful, you and your organisation are Simply Resilient.
Summary
Complying with the Cyber Security and Resilience Bill means meeting four obligations: aligning with the NCSC CAF, reporting incidents within 24 and 72 hours, managing supply chain risk, and demonstrating continuous resilience to regulators on demand.
Organisations should confirm their scope status now but remain vigilant: the Bill's secondary legislation mechanism means that even those outside the current definitions may find themselves brought in as the framework develops.
Of the obligations mentioned, backup integrity and recovery speed are what regulators scrutinise hardest after a real incident. Object First’s secure, simple, powerful backup storage appliance ensures resilient backups and rapid restore performance—meeting Objective D requirements and providing a fast, robust path to recovery in case of a ransomware attack or other data loss.
FAQs
Is the CSR Bill the same as NIS?
No. The CSR Bill updates and expands the NIS Regulations 2018 rather than replacing them entirely. The main differences are scope, reporting, enforcement, and flexibility.
- On scope: MSPs, large data centres, and large load controllers are added for the first time, and regulators can designate individual critical suppliers directly.
- On reporting: the 24/72-hour timeline replaces a looser regime, and the range of incidents that must be reported is wider—ransomware and prepositioning activity are now in scope, where they would not have triggered obligations under NIS 2018.
- On enforcement: the old three-tier penalty structure gives way to a turnover-based two-band model, removing the fixed upper limits that offered limited deterrence to larger organisations.
- On flexibility: rather than embedding technical detail in primary legislation, the Bill creates a framework that secondary legislation and regulatory codes of practice will fill out over time.
What evidence will a regulator ask for after a cyber incident?
A regulator is likely to ask for:
- The initial 24-hour notification and full 72-hour report
- A documented incident response plan showing the processes that were in place before the attack
- Evidence of backup integrity—specifically, records showing that backup data was stored in a form that could not be modified or deleted
- Restore test records demonstrating that the organisation had verified recovery times and procedures in advance
- A post-incident analysis addressing root cause and lessons applied.
Where supply chain risk is a contributing factor, documentation of supplier security assessments will also be relevant.
Will the CSR Bill require changes to my existing backup setup?
It depends on what you have today. Organisations with backup solutions that store data in a form that can be overwritten, deleted by a privileged user, or accessed via an admin backdoor will likely need to address those gaps.
Adding an immutable backup storage appliance like Object First is the most direct way to close that exposure without rebuilding the entire backup stack. It operates as a hardened target for backup data, while leaving existing tooling and workflows intact.