Strengthening the UK’s Cyber Defences: What the Cyber Security and Resilience Bill Could Mean for Industry
The proposed Cyber Security and Resilience (Network and Information Systems) Bill aims to modernise the UK’s cyber regulatory framework by expanding its scope to managed service providers and critical suppliers. While many of the implementation concepts are still under development and not yet agreed government policy, the proposals signal how the UK’s approach to cyber resilience could evolve in the coming years.
Introduction
As cyber threats continue to evolve and digital systems become increasingly interconnected, governments are reassessing how best to regulate cyber risk across critical infrastructure and supply chains. The UK’s proposed Cyber Security and Resilience (Network and Information Systems) Bill represents a significant step in this direction, aiming to expand the scope of existing cyber regulations and strengthen the resilience of services that underpin the economy and society.
While many of the implementation concepts currently being explored are not yet finalised government policy, they provide an indication of how the UK’s cyber regulatory framework could develop in the coming years.
Strengthening the UK’s Cyber Resilience Framework
The Cyber Security and Resilience Bill builds on the Network and Information Systems (NIS) Regulations 2018, which currently regulate operators of essential services and certain digital service providers.
The new legislation proposes to expand the scope of the regulatory framework to include additional organisations whose services play a critical role in supporting the UK’s digital infrastructure and economic activity.
The proposed reforms aim to:
- broaden the range of organisations subject to cyber regulation
- strengthen regulators’ ability to respond to cyber incidents
- improve information sharing between government, regulators and industry
- enhance cyber resilience across supply chains supporting essential services.
“The Cyber Security and Resilience Bill represents a significant expansion of the UK’s cyber regulatory framework, reflecting the growing importance of digital infrastructure to the economy.”
Taken together, these changes are intended to ensure the UK’s cyber regulatory framework reflects the increasing complexity and interdependence of modern digital systems.
Implementation Will Be Phased
Although the Bill has been introduced to Parliament, its provisions will not come into force immediately once it receives Royal Assent.
Instead, implementation is expected to take place in stages. The Government has indicated that further consultation, secondary legislation, and guidance will be required to operationalise the framework.
Current indicative timelines suggest that consultations on implementation could take place in late summer or early autumn 2026, with implementing regulations expected to follow once the legislative process is completed.
Organisations are also expected to be given a proportionate adjustment period in which to prepare for the new regulatory requirements.
Bringing Managed Service Providers into Scope
One of the most significant proposed changes is the inclusion of Relevant Managed Service Providers (RMSPs) within the scope of cyber regulation.
Managed service providers have become increasingly important to the operation of modern digital infrastructure, providing services such as monitoring, maintenance, and administration of IT systems for organisations across both the public and private sectors.
Under the proposed framework, medium and large managed service providers operating in the UK could fall within scope of the regulatory regime, with oversight expected to sit with the Information Commission.
Managed services are expected to be defined as services delivered under contract for the ongoing management of a customer’s information technology systems, typically involving activities such as system monitoring, support, and active administration.
To qualify as a managed service, the service must involve connection to or access to the customer’s network and information systems. This distinction is intended to exclude services that simply use IT but do not involve ongoing management of systems.
Certain services such as data centre provision and public electronic communications networks are not expected to fall within this definition.
Proposed Obligations for Managed Service Providers
Organisations that fall within the RMSP category may face a number of regulatory obligations under the proposed framework.
These could include requirements to:
- register with the Information Commission
- provide organisational and service information during registration
- report significant cyber incidents to both the Information Commission and the National Cyber Security Centre
- notify customers when incidents affect service delivery
- implement appropriate and proportionate security measures to manage cyber risks associated with their services.
Further technical requirements, including the thresholds for incident reporting and the detailed security expectations, are expected to be defined through secondary legislation.
Risk-Based Registration and Oversight
To support effective oversight, regulators may require additional information from organisations during the registration process.
Examples of potential information requirements include:
- company size, including headcount and revenue
- high-level descriptions of services provided
- the approximate number of UK customers served
- whether services are supplied to critical national infrastructure sectors
- general information on existing cybersecurity measures.
These measures are intended to help regulators understand the risk profile of organisations within the sector, enabling them to apply a proportionate and risk-based regulatory approach.
Addressing Supply Chain Risks
Alongside the inclusion of managed service providers, the Bill proposes a new mechanism for designating Critical Suppliers.
This reflects growing recognition that cyber vulnerabilities increasingly arise from complex digital supply chains. Essential services often depend on a network of technology providers, and disruption to a key supplier can create cascading impacts across multiple sectors.
The proposed Designated Critical Supplier (DCS) mechanism would allow regulators to designate a small number of suppliers whose disruption could have a significant impact on the economy or the day-to-day functioning of society.
Suppliers designated under this framework could be required to meet enhanced security and resilience requirements proportionate to their systemic importance.
A Targeted and Proportionate Approach
The proposed supplier designation framework is intended to be highly targeted.
Rather than applying regulation broadly across all suppliers, the mechanism would focus only on suppliers whose disruption could create systemic risks across sectors or services.
The framework emphasises that designation decisions must be evidence-based and follow defined statutory processes, including consultation and opportunities for suppliers to challenge decisions.
This approach is intended to strengthen cyber resilience while avoiding unnecessary regulatory burdens on the wider technology sector.
Looking Ahead
The Cyber Security and Resilience Bill signals a significant evolution of the UK’s cyber regulatory landscape.
By expanding regulation to include managed service providers and introducing mechanisms to address systemic supply-chain risks, the proposals reflect the growing importance of digital infrastructure to the UK’s economy and society.
However, much of the framework remains under development. Many of the concepts currently being explored are not yet finalised government policy, and further consultation will shape how the regime is ultimately implemented.
For organisations operating within the UK’s digital ecosystem, engaging with this process will be essential to ensure that the emerging framework delivers both strong cyber resilience and practical, proportionate regulation.
