The Cyber Security and Resilience Bill: What UK businesses must do to stay compliant

Robert Taylor of 360 Law Services

By Robert Taylor, CEO and General Counsel at 360 Law Group ^[1]

The UK government is tightening its stance on digital threats with the introduction of the Cyber Security and Resilience Bill, a major legislative reform aimed at enhancing the UK’s cyber resilience across the public and private sectors. This Bill introduces new and far-reaching compliance obligations for businesses, particularly those operating in essential sectors or offering digital services.

With cyber-attacks on the rise in both volume and sophistication, the Bill marks a significant shift towards mandatory reporting, tighter supply chain security, and proactive risk management.

The Bill seeks to:

• Improve the UK’s national cyber resilience and incident readiness;
• Strengthen the cyber security standards expected of essential and digital service providers;
• Align UK regulation more closely with international best practices, including elements from the EU’s NIS2 Directive and the US Cyber Incident Reporting for Critical Infrastructure Act.

It builds upon the UK’s existing Network and Information Systems (NIS) Regulations 2018 but expands the list of in-scope organisations and compliance requirements.

The Bill applies primarily to:

• Operators of Essential Services (OES), including energy, transport, water, health, and digital infrastructure providers;
• Relevant Digital Service Providers (RDSPs), such as online marketplaces, cloud services, and search engines;
• Organisations designated as Critical National Infrastructure (CNI);
• Businesses within the wider digital supply chain, particularly those offering managed services.

The scope may broaden over time, with powers granted to the Secretary of State to bring additional sectors or technologies into scope through secondary legislation.

Key compliance obligations

1. Mandatory cyber incident reporting

The Bill introduces a duty to report material cyber incidents to the relevant regulator, typically within a short statutory timeframe (anticipated to be 24 to 72 hours) of becoming aware of the incident. This includes:

• Ransomware attacks;
• Data exfiltration or destruction;
• Significant disruption to services;
• Any breach with systemic implications or posing a risk to public safety.

Organisations must maintain internal systems for detecting, triaging, escalating, and recording incidents, to ensure compliance with this duty.

2. Enhanced risk management duties

Businesses must adopt a proportionate and proactive approach to risk management. This includes:

• Implementing technical and organisational security measures;
• Conducting regular vulnerability assessments;
• Reviewing the security of supply chain partners and third-party vendors;
• Maintaining updated incident response and business continuity plans.

3. Regulatory oversight and enforcement powers

Competent authorities (such as the NCSC or relevant sectoral regulators) will have wider enforcement powers, including:

• Conducting inspections;
• Issuing binding improvement notices;
• Levying civil penalties for non-compliance (potentially into the millions, depending on turnover and sector).

It is anticipated that, in line with international practice, serious cases of non-compliance may also be made public to ensure accountability.

4. Supply chain assurance requirements

Businesses that rely on external IT or security providers will be required to conduct due diligence and ensure contractual agreements reflect security expectations. This extends to cloud infrastructure, software-as-a-service (SaaS), and managed IT services.

Preparing for compliance: what should businesses do now?

1. Conduct a cyber risk assessment
   Evaluate whether your organisation falls within scope and identify any gaps in current cyber security frameworks.
2. Review incident response plans
   Ensure they include the capability to detect, record, and report qualifying incidents within statutory timeframes.
3. Strengthen supply chain controls
   Introduce cyber risk clauses into supplier agreements and assess the cyber maturity of third-party vendors.
4. Appoint a responsible officer
   Designate a board-level or senior executive role for cyber security governance and regulatory compliance.
5. Engage with sectoral regulators
   Understand sector-specific guidance and begin dialogue with relevant authorities to ensure preparedness.

Emerging developments

Alongside the Bill, the government has recently announced tighter controls on ransomware payments. From July 2025, critical infrastructure providers and public bodies will be largely prohibited from paying ransoms, while private businesses must notify authorities before making payments and ensure they are not paying sanctioned groups.

This development signals that UK cyber regulation is moving beyond reactive compliance and into preventative, “secure by design” approaches. Businesses should therefore look beyond minimum compliance to embed resilience at the heart of their operations.

Our opinion

The Cyber Security and Resilience Bill represents a critical evolution in UK cyber regulation. It moves away from voluntary frameworks and encourages a culture of accountability, especially in organisations that underpin the economy and public services.

For many businesses, the challenge lies not in intent but in execution — translating principles into operational readiness, robust incident detection, and meaningful supplier oversight.

Rather than viewing the Bill as a burden, businesses should see it as an opportunity to embed resilience, build trust, and gain competitive advantage in an increasingly digital and interconnected world. Now is the time to act.