
The UK Cyber Security Resilience Bill

How threat intelligence and proactive threat hunting can strengthen your compliance and security posture

Feb 24, 2026

The highly disruptive and destructive cyber incidents of the past year have reinforced the need for the U.K. to raise the level of cyber resilience in all critical sectors. Attacks are increasing in both frequency and sophistication, and are often enabled through the exploitation of supply‑chain vulnerabilities. Their effects are often far‑reaching — disrupting operations, threatening public safety, undermining the country’s industrial base and ultimately constraining economic growth. Against this backdrop, the U.K. government’s forthcoming Cyber Security and Resilience (CSR) Bill marks a decisive shift in national posture: cyber resilience is no longer optional, it is a legal duty. Now is the time to prepare your organisation for the increasing frequency of severe cyber threats.

What is the Cyber Security and Resilience Bill?

Introduced to Parliament on 12 Nov. 2025, the CSR Bill is intended to modernise the U.K.’s cyber regulatory framework by updating and strengthening the existing Network and Information Systems Regulations 2018 (NISR 2018). Its aim is to strengthen the nation’s cyber resilience through:

  • Improved oversight of essential services and their digital ecosystems
  • Enhanced requirements for detection and incident reporting
  • Increased ability for organisations to withstand and recover from cyber attacks

The Bill will bring the U.K. into closer alignment with the EU’s NIS2 Directive, reframing cyber resilience beyond the prevention of cyber attacks to managing cyber risk to an acceptable level while maintaining the ability both to continue business operations during an incident and to recover under strained conditions.

What Does the Bill Propose to Do?

At its core, the CSR Bill has three main goals:

1. Expand the Scope of Compliance

The range of organisations required to comply will be widened beyond the sectors already covered, such as energy, transport, health, drinking water and digital infrastructure. The broader scope takes in critical parts of the supply chains that serve those sectors, including:

  • Data Centres

Data centres will be recognised as essential services. As such, commercial and enterprise data centres that meet the Rated IT Load (RITL) threshold will be regulated under the joint oversight of the Department for Science, Innovation and Technology (DSIT) and Ofcom. RITL is a clear measure of a data centre’s scale and potential impact.

  • Managed Service Providers

Medium and large managed service providers (MSPs) will be brought into scope. The government expects this change to add around 900–1,100 MSP organisations to the regulated population. Service providers are increasingly targeted by threat actors because they are high-leverage entry points through which multiple connected organisations can be impacted at once.

  • Designated Critical Suppliers

Regulators will gain new powers to formally designate critical suppliers that rely on network and information systems to support operators of essential services — for example, technology providers to the National Health Service (NHS).

2. Tighter Reporting Requirements

The CSR Bill aims to modernise incident reporting by introducing a two-stage process:

  1. Impacted entities must provide an initial notification to regulators and the National Cyber Security Centre (NCSC) within 24 hours.
  2. A full incident report is then expected within 72 hours, including a direct notification to customers if services are likely to be affected.

As well as these timescales, reporting thresholds are likely to change too. The Bill updates the wording to bring incidents “capable of having… adverse effect”, and near misses, within the reporting requirements. Enhanced reporting aims to remove uncertainty about what must be reported and to improve cross-sector visibility and co-ordination so that the blast radius of an attack can be contained sooner.

3. Strengthen Enforcement and Agility

Under the CSR Bill, regulators will have broader powers including:

  • The new regime will amend the existing NIS regulations to introduce a new two-tier penalty system based on worldwide turnover:
    • Higher Band: Up to £17 million, or 4% of a regulated entity’s worldwide turnover, whichever is higher, for more serious breaches
    • Standard Band: Up to £10 million, or 2% of a regulated entity’s worldwide turnover, whichever is higher, for less serious breaches
  • Cost-recovery mechanisms
  • Direction powers that would allow the government to mandate specific actions during live, national security threats

Why is the CSR Bill Relevant Now?

The CSR Bill comes at a time when geopolitics, complex supply chains, new technology and evolving threat actor tactics are transforming the cyber threat landscape. 2025 was a year dominated by high-profile cyberattacks. In ransomware alone, Intel 471 observed over 200 ransomware and extortion breach incidents impacting U.K. organisations, an increase of at least 10.6% from 2024. Sustained digital transformation of critical infrastructure and increasingly interconnected supply chains have dramatically expanded the attack surface, resulting in incidents that often resonate far beyond the victim organisation.

Disruption Becomes a Macroeconomic Risk

In August, a U.K.-based car manufacturer suffered a ransomware attack that forced production to halt in its U.K. factories for weeks. The breach was estimated to have cost the U.K. economy up to £1.9 billion because of the effect on thousands of suppliers across Britain in its complex supply chain. The shutdown also directly contributed to slower U.K. GDP growth. A single cyber incident translated into a profound macroeconomic shock. This systemic risk is what the CSR Bill aims to reduce by strengthening oversight, reporting and resilience.

Critical Services at Risk

Hacktivist activity impacting the U.K. has spiked since Russia’s invasion of Ukraine in 2022. Pro-Russia hacktivist groups routinely target critical national infrastructure (CNI) to amplify their political message through disruption. Just this week, the National Cyber Security Centre (NCSC) issued an alert highlighting the persistent targeting of U.K. organisations by Russian state-aligned hacktivist groups aiming to disrupt networks.

Typically, these groups carry out Distributed Denial of Service (DDoS) attacks, taking systems offline by overwhelming them with traffic. In 2025, many of these attacks targeted U.K. local government. However, in December 2025, the NCSC co-sealed an advisory highlighting that pro-Russia hacktivist groups, including NoName057(16), were successfully targeting supervisory control and data acquisition (SCADA) networks. The attackers reportedly used common scanning and vulnerability tools to find exposed remote access services and brute-forced those protected by default or weak credentials. This can enable interaction with operational technology (OT) and industrial control systems (ICS), including the human-machine interface (HMI) and SCADA interfaces used to control and monitor physical processes. The advisory warns that these groups’ capabilities are limited and that they often misunderstand the processes they aim to disrupt. Paradoxically, this increases risk: haphazard attacks in such sensitive environments may have unintended consequences with significant real-world impact.

These attacks show why cyber resilience and regulatory oversight can no longer be optional. The Bill will ensure that operators of these critical services — and their critical suppliers — are legally obligated to detect, report and absorb such attacks.

NCSC Offers Best Practice for ‘Good’ Cyber Resilience

Security obligations for regulated entities have not yet been determined; however, DSIT has proposed secondary legislation that would use the Cyber Assessment Framework as the baseline for cyber governance, risk management and incident response, aligned with NIS2 security requirements. The NCSC recently set out what this looks like in its guidance for critical infrastructure operators, which is intended to “help regulators – and overseers of sector resilience in government – to understand best practice.”

The NCSC’s benchmark for ‘good’ cyber resilience includes:

  • Well-defined incident response processes
  • Increased monitoring of the external attack surface
  • Proactive threat hunting in response to intelligence rather than alerts
  • Comprehensive network and endpoint logging
  • Threat intelligence focusing on tactics, techniques and procedures (TTPs)
  • Engaging with intelligence sharing communities such as trust groups
  • Establishing frameworks for threat information sharing
  • Hardening defenses across systems, networks and processes

Three Things You Can Do to Prepare Now

The CSR Bill enshrines proactive defence, incident reporting and resilience in national policy. As it moves through Parliament, what can organisations do now to prepare?

1. Make Cyber Threat Intelligence Central

Expanded reporting requirements and tighter timelines create a need for actionable intelligence flows across all sectors. By receiving timely warnings of potential threats, of shifts in adversary tactics, techniques and procedures, and of sector-specific trends, organisations can proactively map risk across the business and prioritise monitoring and response. To meaningfully strengthen resilience, intelligence must be operationalised: it must reach the right stakeholders, at the right time, and in the right form to drive action. A structured intelligence programme becomes a priority, one in which a prioritised set of stakeholder intelligence requirements drives targeted collection and clear reporting across the tactical, operational and strategic levels to inform decisions.

2. Monitor and Manage Third-Party Risk

The Bill recognises that systemic cyber risk often originates from shared service providers; as such, organisations will need to be more cognisant of third-party cyber risk. Monitoring the external attack surface of your priority vendors, and tracking near-real-time data on breaches, underground marketplaces and exposed credentials, lets your teams adapt security controls and policies as soon as such incidents occur, so that vulnerabilities outside your organisation’s direct control do not undermine compliance or resilience.

3. Assess Threat Detection Maturity

The CSR Bill would require organisations to detect threats proactively and report significant incidents within strict timelines. To meet these obligations, organisations should refine their threat hunting capabilities. Behaviour-based threat hunts, built on adversary TTPs gathered directly from bespoke cyber underground sources and malware intelligence, help detect advanced threats that evade traditional controls. Earlier detection enables faster containment, improves incident scoping and supports the Bill’s intent by reducing late-stage discovery and enabling faster, higher-quality reporting.

As the CSR Bill progresses through Parliament, organisations should treat it as a practical deadline for maturing their CTI, third-party monitoring and threat hunting capabilities, building readiness and resilience across their ecosystems.

For those looking to operationalise threat intelligence and strengthen proactive threat hunting, Intel 471 offers workshops helping teams create intelligence plans and mature their threat hunting programs. To learn more or request a place, just reach out.
