The cyber security and resilience bill: Practical steps to prepare your business
The cyber security and resilience bill: Practical steps to prepare your business
Publish Date: 2026-07-06 11:05:00
Source Domain: www.openaccessgovernment.org
Image: © Alexander Sikov | iStock
Andrew Ingram, Director of High Tide Group, discusses the implications of the new Cyber Security and Resilience Bill for organisations of all sizes and outlines practical steps to take as cyber security transitions from good advice to legal obligation
As I write, the Cyber Security and Resilience Bill is completing its passage through the House of Commons, having reached its report stage and third reading this June. It is the most significant overhaul of the UK’s cyber security law since 2018, and it deserves the attention of every organisation, not just the large ones it appears to target. In my first two pieces I touched on the direction of travel; here I want to set out what the Bill actually changes, and the practical steps you can take now.
What the Cyber Security and Resilience Bill changes
The Bill updates the ageing Network and Information Systems Regulations of 2018, which were widely felt to have fallen behind the threats we now face. The headline changes are significant. For the first time, managed service providers like us are brought directly into scope, with a duty to register with the regulator and to maintain appropriate, proportionate security. Data centres and cloud platforms are recognised as essential services in their own right. There are stronger expectations around supply chains, faster reporting of serious incidents, and a firmer footing for the National Cyber Security Centre’s Cyber Assessment Framework. In short, the Government is trying to harden the whole digital ecosystem, not just the obvious targets.
Why it reaches smaller organisations
You might read all of that and conclude it has nothing to do with you. That would be a mistake. Even if your organisation is never directly regulated, the new duties on larger bodies – councils, NHS trusts, big corporates – will flow straight down to their suppliers as contract clauses and security questionnaires. We are already…