Looking Ahead to the Cyber Security and Resilience Bill: what UK companies need to know

Consumer protections against hacking and cyber-attacks will come into force today, as all internet-connected smart devices will be required by law to meet minimum security standards.

The Cyber Security and Resilience Bill (CSRB), announced in the King’s Speech in July 2024, is expected to be introduced this month.

The Bill is designed to build upon the existing Network and Information Systems Regulations to mitigate increasingly dangerous cyber threats. Through expanded and strengthened regulations and compliance mechanisms, the Bill will mark a significant moment of change in UK policy. With that in mind, here is your go-to guide to understanding the upcoming changes and challenges for UK businesses.

Why is the Cyber Security and Resilience Bill necessary?

In recent years, UK businesses and organisations have experienced a number of severe cyber-attacks and security breaches, exposing the flaws in the NIS Regulations from 2018. The need for better preparedness in the face of evolving cyber threats has never been clearer.

In April 2025, Marks and Spencer, the major British retailer, fell victim to a sophisticated ransomware attack, which brought online and in-app ordering, click-and-collect, contactless payments, and warehouse operations to a standstill. Customer details were also stolen. The attack took Marks and Spencer months to recover from and cost them an estimated £300 million in profits.

Another serious case came in June 2024, when cybercrime gang Qilin targeted NHS pathology provider Synnovis with a ransomware attack. The breach exposed 400GB of patient data, causing the cancellation of over 3,000 appointments. Investigations later linked it to 170 cases of compromised patient care and one associated death after testing services were disrupted.

These extremely damaging breaches exposed flaws in corporate and organisational cyber-security and have prompted a revision of UK cyber-security regulation.

What changes will the Cyber Security and Resilience Bill bring?

In brief, the Cyber Security and Resilience Bill will improve upon NIS 2018 by widening the scope of regulations and granting the government and regulators greater powers.

NIS 2018 currently covers five sectors (transport, energy, drinking water, health, and digital infrastructure) and some digital services (online marketplaces, online search engines, and cloud computing services). The CSRB will extend regulation to Managed Service Providers, Data Centres and Designated Critical Suppliers. In practice, the supply chain services and data systems, like those relied on by the NHS and M&S, would be safeguarded, protecting customer and patient data as well as operations.

The CSRB also proposes aligning the National Cyber Security Centre’s Cyber Assessment Framework (CAF) with the European Union Agency for Cybersecurity’s guidance under NIS2, making it more specific and binding.

Strengthened incident reporting requirements are also planned, which will give the NCSC a better picture of the emerging and shifting threats to UK cybersecurity, enabling timely assistance where necessary and improved resilience.

Reporting will mainly be made to the national authority, enhancing transparency requirements. In some cases, such as firms that provide digital services and data centres that experience a significant incident, they will also be required to alert customers who may be affected.

Finally, the Bill grants greater powers to the government and regulators, including proactive supervision of critical digital service providers and the ability for regulators to recover investigation and enforcement costs from compromised entities.

Leaders of Change

These newly proposed measures stand to revolutionise UK cybersecurity regulations, so it is advisable to be proactive in advance of the Bill’s discussion in Parliament. Here are some companies looking ahead.

One sector that increasingly suffers cyber threats is banking. An EY study suggests that in 2025, banks will have to allocate 11% of their IT budget to cybersecurity, so efficient mitigation is key. Pioneering cybersecurity in this sector is Lloyds Banking Group, which has recently patented a cybersecurity tool called the Global Correlation Engine that leverages AI and ‘intelligent algorithms’ to identify genuine cybersecurity threats, rather than false positives. This forward-thinking technology will stand them in good stead for when the CSRB arrives.

Sharp UK and Dahua Technology are also proactively positioning themselves for when the CSRB comes into force. Sharp UK supports organisations with their technology requirements, and Dahua Technology provides world-leading video-centric AIoT solutions and services. For both Sharp UK and Dahua, reliability and resilience of their systems are paramount, and therefore, both corporations have acquired ISO 27001:2022, the latest internationally recognised standard for information security management systems. This places both companies in a strong position, one which regulators and clients will hold in high regard when the CSRB is implemented.

It is clear that cybersecurity is more important than ever before, and businesses that strengthen their systems now will be better prepared for the advent of the CSRB. Taking a proactive approach not only reduces risk but also builds long-term resilience.