Ransomware poses a significant operational risk to UK organisations, with recent attacks disrupting hospitals, production lines, and even entire data centres.
The UK government has introduced the Cyber Security and Resilience Bill to address this growing threat landscape, which is set to be the most significant overhaul of UK cyber law since the Network and Information Systems (NIS) Regulations came into force in 2018.
The Bill widens the net of who is covered, tightens what's expected of them, and raises the cost of getting it wrong, making it a crucial piece of legislation for business leaders to pay attention to, regardless of whether their organisation was already regulated.
The Cyber Security and Resilience Bill modernises and extends the NIS Regulations, adding several categories that previously sat outside regulation entirely, such as managed service providers, data centres above defined capacity thresholds, and organisations that remotely control large amounts of electrical load on the grid.
Under the Bill, regulators gain the power to designate individual suppliers as "critical" even if they don't fit any of the listed sectors, rather than embedding detailed technical requirements directly in legislation like the EU NIS2 Directive.
An organisation could be brought into scope if it operates in a sector already covered by the NIS Regulations, provides managed IT services to other organisations, runs a qualifying data centre, or manages significant electrical loads, or if it acts as a key supplier to any of the above.
Smaller suppliers may assume regulation is a large-enterprise problem, but under the CSR Bill's supplier designation powers, a micro-business occupying a pivotal position in a critical supply chain can be pulled into scope directly.
The Bill's requirements include tighter incident reporting timelines, with a 24-hour initial notification to regulators and the National Cyber Security Centre, followed by a full written report within 72 hours, and broader definitions of what counts as reportable, including ransomware and "prepositioning" activity.
Regulated organisations will also be expected to map dependencies, strengthen supplier contracts, and verify that third parties handling their data meet equivalent resilience standards, and face new enforcement measures, including a two-band penalty system tied to global turnover.
The Bill aligns with the NCSC's Cyber Assessment Framework (CAF), which is moving from a voluntary reference point toward something closer to a legal expectation for in-scope organisations.
The direction of travel is settled: a wider population of UK organisations will face binding cyber resilience obligations, faster reporting timelines, and materially larger financial exposure if they fall short.
Business leaders should establish whether the organisation—or its critical suppliers—falls within scope, and how that might change as the framework develops, to help prepare for the practical implications of the Bill.