What Is the UK Cyber Security and Resilience Bill? Key Differences from the EU’s Approach

As cyber threats evolve, governments across Europe are overhauling regulations. The UK’s new Cyber Security and Resilience Bill (CSRB), expected to be finalized in 2025/2026, aims to modernize the UK’s approach to critical infrastructure and digital service security. While the EU’s high-profile Cyber Resilience Act and NIS 2 Directive are also driving big changes, the UK bill follows a separate but broadly aligned path.

What Does the UK CSRB Actually Do?

The CSRB seeks to update the country’s main cyber law—the Network and Information Systems (NIS) Regulations 2018—expanding their scope and strengthening obligations. It will broaden the range of businesses under UK cyber regulations, including managed service providers (MSPs) and, likely, large data centers. In contrast to the EU, the CSRB updates rather than replaces the UK NIS regime.

Its features include:

  • Wider Scope: More organizations will be directly regulated, with MSPs, some critical SaaS/cloud/data center providers, and high-impact suppliers brought into scope—potentially an additional 900–1,100 UK businesses by some estimates.

  • Greater Supply Chain Focus: The CSRB will require regulated organizations to manage cyber risk in their supply chains and empower regulators to designate certain suppliers as “critical,” even if they wouldn’t otherwise qualify.

  • Incident Reporting: The bill proposes strengthened and tiered incident notification requirements, including a new obligation to notify authorities of major cyber incidents within 24 hours, paralleling the EU’s NIS 2.

Retained and New Obligations

  • Operators of essential services (OESs) and Relevant Digital Service Providers (RDSPs) remain a focus, and the current distinction between the two will likely be retained (unlike in NIS 2, which merges them).

  • Technical standards and sector-specific codes (e.g., the NCSC Cyber Assessment Framework) will continue to underpin compliance, with the government able to update these post-bill via secondary legislation.

  • Size Thresholds: It is expected that most in-scope businesses will still need to meet existing size (50+ staff/€10 million+ turnover) and capacity thresholds, though some new types (like certain data centers—1MW/10MW cutoffs) are being specified.

How Does the UK’s Bill Compare to NIS 2 and the EU Cyber Resilience Act?

  • The CSRB aligns with the EU’s NIS 2 in many areas, such as supplier security, incident reporting, and extending obligations beyond core utilities to wider digital infrastructure.

  • However, unlike the EU Cyber Resilience Act (CRA)—which introduces security requirements for connected products in the EU—the CSRB is focused on critical service providers, not on the full landscape of digital products for the mass market.

  • Unlike NIS 2, which applies blanket requirements to many more sectors, the UK bill is more selective and will continue to allow sector tailoring of compliance obligations.

What Should Businesses Do Now?

While the final text is not yet published, UK businesses—especially MSPs, SaaS/cloud/data center providers, and suppliers to critical infrastructure sectors—should:

  • Map out current compliance with NIS regulations and review exposure under the CSRB’s expanded supply chain and incident reporting requirements.

  • Conduct a gap analysis comparing best practices under NIS 2 and drafts of the CSRB, especially in supply chain risk, rapid reporting, and supplier management.

  • Engage with sector guidance: Monitor for sector-specific codes of practice and stay alert for updates from NCSC and government authorities.

Why This Matters

The CSRB marks a significant step in UK cyber regulation, increasing expectations across more entities and seeking to future-proof the UK’s critical sectors against evolving cyber risk. While differences from the EU’s approach remain, the broad direction is harmonized—emphasizing resilience, supply chain security, and proactive incident management.