On 12 November 2025, the Government introduced the Cyber Security and Resilience (Network and Information Systems) Bill (CSRB), the most significant reset of UK cyber rules since the original NIS Regulations in 2018.
This legislation raises the bar for resilience across essential services and their supply chains, requiring organisations to ensure that critical digital services and infrastructure are robust, secure, and capable of withstanding and recovering from cyber incidents.
In short, this bill:
- Expands who is in scope, mandating obligations for a wider range of sectors,
- Tightens incident reporting, setting clear expectations, and
- Modernises enforcement, introducing tougher penalties and driving accountability.
This isn’t just about compliance; it’s a structural shift in how organisations manage cyber risk.
Read on to find out if you’re impacted and what changes you need to prepare for.
What it is (and what it isn't)
At its core, the CSRB modernises the UK’s Network and Information Systems (NIS) Regulations, rather than replacing them. The NCSC's Cyber Assessment Framework (CAF) sets the technical standard for CSRB compliance with principles covering governance, risk management, asset control and resilience. Organisations in scope will need to demonstrate measurable outcomes, not just policy statements, to meet regulatory expectations.
The CSRB aligns in spirit with the EU’s NIS2 directive, particularly on its wider scope and accelerated incident notification, while preserving UK-specific choices in how duties and enforcement are implemented.
Crucially, this is a national resilience bill as much as a cyber security bill. It adds ministerial powers (e.g. direction during incidents that present a national security risk) and updates regulatory levers so government can coordinate a timely, proportionate response across sectors and regulators.
In short: The CSRB modernises the UK’s NIS Regulations, setting CAF as the compliance standard, and introducing UK-specific measures to strengthen national resilience.
Who will be in scope (and why it's wider than you think)
Historically, NIS regulated operators of essential services (OES) in five sectors (energy, transport, water, health, and digital infrastructure), plus certain relevant digital service providers (RDSPs) such as cloud computing, online marketplaces, and search engines.
The CSRB significantly broadens this:
- Managed Service Providers (MSPs): Medium and large providers of managed IT services (e.g. Security Operations Centres, Security Information and Event Management, remote admin and helpdesks) will face direct duties and registration with the Information Commissioner's Office (ICO).
- Data Centres: Operators above defined capacity thresholds (≥1 MW, or enterprise DCs ≥10 MW) are now classed as Operators of Essential Services.
- Energy Flexibility Providers: Entities orchestrating electrical loads (e.g. smart EV charging) come under scope to safeguard grid resilience.
- Critical Suppliers: Regulators can designate high-impact suppliers to regulated entities, even SMEs, so weak links don’t become systemic risks.
Even if your organisation isn’t named above, you may still feel the gravitational pull.
OES and RDSPs will flow requirements into their contracts and vendor assurance programmes, effectively extending the resilience baseline across their ecosystem (very similar to how the Digital Operational Resilience Act [DORA] and other sector regimes have cascaded supplier expectations).
In short: The CSRB widens the scope of UK cyber regulations, bringing MSPs, large data centres, energy flexibility providers, and even critical suppliers under direct obligations, with ripple effects across entire supply chains.
What should your organisation do next?
With the breadth of changes introduced by the bill, from expanded scope to stricter reporting and enforcement, it’s essential that internal cyber and resilience programmes align with the CAF. Familiarity with this framework will help organisations identify gaps and prioritise improvements before the bill comes into force.
Organisations that start now will be better prepared for implementation and far less likely to be caught out in a threat environment that is evolving just as quickly as the regulatory landscape.
If you need clarity on how these changes impact your business, or practical guidance on aligning your risk management and compliance programmes, our Risk Management and Compliance consultants are here to help.
In short: Early action matters. Start by determining whether your organisation is in scope and identifying the priorities that will help you achieve CAF alignment.
Conclusion
The Cyber Security and Resilience Bill marks a decisive shift from reactive compliance to proactive, threat-informed resilience. With new expectations around incident reporting, supply-chain assurance, and auditable controls, aligning with the framework is no longer optional for those operating in regulated sectors, and increasingly, for those connected to them.
By understanding these changes and acting early, organisations can not only meet the standard but build lasting resilience against evolving threats.
Get ahead of the Cyber Security and Resilience Bill
With proven experience supporting major UK airports in embedding secure-by-design principles and achieving CAF alignment, our ASSURE-accredited consultants are here to help. From assessing scope to building corrective action plans, you can rely on CSA Cyber for end-to-end support.
Book a free discovery consultation today to understand your obligations under the Cyber Security and Resilience Bill and start building a clear roadmap to compliance.
