Cyber Security and Resilience Bill UK: An SME Guide

Picture this. A client just sent you a security questionnaire. Or you read that fines could reach £17 million. The Cyber Security and Resilience Bill UK is the reason behind both. This new law reshapes how UK organisations handle cyber risk in their supply chains.

You may not be named directly in the Bill. Your regulated clients will still expect you to comply. This guide covers who it affects, what you must do, and the deadlines that matter.

What is the Cyber Security and Resilience Bill?

The Cyber Security and Resilience Bill is UK legislation that reforms the Network and Information Systems Regulations 2018. It widens the rules to cover more organisations, including managed service providers and data centres. It also tightens incident reporting and raises penalties for serious failures.

Rising attacks on essential services drove the reform. According to the NCSC, the UK recorded 204 nationally significant incidents last year. That total is more than double the previous year’s figure of 89.

Two recent attacks show why the law is changing. The Synnovis ransomware attack in 2024 cost the NHS an estimated £32.7 million. It delayed more than 11,000 patient appointments across five trusts. The Marks & Spencer attack in 2025 caused reported losses of up to £300 million.

GR.IT

When does the Cyber Security and Resilience Bill come into force?

Parliament passed the Bill through its House of Commons stages in June 2026. It is now moving through the House of Lords. Royal Assent is expected in late 2026, with rules phased in to around 2028.

Do not wait for full commencement to act. Some duties, like incident reporting, are likely to apply earlier. Your clients will also demand readiness well before the final deadlines.

Who does the Cyber Security and Resilience Bill apply to?

Direct regulation now reaches beyond traditional infrastructure operators. The Bill covers medium and large managed service providers for the first time. It also covers data centres above set sizes and large electricity load controllers. A new group, designated critical suppliers, is included too.

Organisation type Directly in scope? Why it matters
Operators of essential services (energy, health, water, transport) Yes The core focus of the original NIS rules
Medium and large managed service providers Yes Brought into scope for the first time
Data centres above size thresholds Yes A new category under the Bill
Large electricity load controllers (around 300MW or more) Yes A new category under the Bill
Designated critical suppliers Yes, if named Regulators can designate high impact suppliers
Small IT providers and most SMEs Often not directly Supply chain pressure still applies

A designated critical supplier is a supplier whose failure could seriously disrupt an essential service. Regulators gain new powers to name these suppliers. Once named, a supplier must meet duties similar to essential service operators.

Does the Cyber Security and Resilience Bill apply to SMEs?

Not always directly, but the Bill still reaches most SMEs. If you supply a regulated client, that client must manage its supplier risk. So it will push security requirements down to you through contracts. This is where the real impact on smaller businesses begins.

Regulated firms in finance, legal, healthcare and professional services face new duties. To meet them, they will check suppliers more closely than before. Expect security questionnaires, audit rights and proof of certification in your contracts. Fail those checks and you risk losing the work.

We are seeing this shift with our own clients already. As a managed IT provider, we receive these supplier questionnaires first-hand. The businesses that prepare early keep their contracts. Those that wait end up scrambling against a client’s deadline.

Incident reporting: the 24 and 72 hour rules

Speed is the hardest part of the new rules. Reporting starts on reasonable suspicion, not confirmed proof. So you need to spot and judge incidents quickly. Here is the sequence the Bill sets out.

  1. Within 24 hours, send an initial notification to your regulator and the NCSC.
  2. Within 72 hours, submit a full incident report.
  3. After the full report, notify any UK customers who are materially affected.

Most small teams cannot hit these timings without a plan. You need monitoring that flags incidents fast. You also need a clear process for who reports, and when.

Penalties for getting it wrong

Fines under the Bill are severe and tiered. The most serious failures can reach £17 million or 4% of worldwide turnover, whichever is higher. Regulators can also set daily penalties for ongoing breaches. They can recover the cost of their enforcement from you too.

Doing nothing is now the costly option. The fine is only part of the damage. Lost contracts and reputational harm often cost far more.

Comparing the Bill with the EU’s NIS2

Both the UK Bill and the EU’s NIS2 chase the same goals. They expand scope, tighten reporting and strengthen enforcement. The UK route updates existing rules rather than replacing them.

Feature UK Cyber Security and Resilience Bill EU NIS2 Directive
Approach Updates the existing NIS 2018 rules Replaced the original NIS Directive
Scope Adds MSPs, data centres and critical suppliers Broad list of essential and important entities
Reporting 24 hour alert, then 72 hour full report Similar phased reporting duties
Top penalty Up to £17m or 4% of worldwide turnover Up to €10m or 2% of turnover (essential entities)

Why your IT provider’s compliance is now your risk

Few directors realise their IT provider is now part of their risk. If your MSP is regulated, a failure on their side becomes your problem. A weak provider can expose you to breaches, reporting delays and lost contracts.

Ask your provider these questions now:

  • Which security certifications do you hold, such as Cyber Essentials Plus?
  • Can you meet the 24 and 72 hour reporting deadlines?
  • What are your incident response times under our agreement?
  • How do you manage your own suppliers and sub-processors?

One accountable partner makes this simpler than juggling vendors. GR.IT holds Cyber Essentials Plus and combines managed IT support, cyber security and cloud hosting under one team. That gives you a single point of contact for certification, monitoring and reporting.

How to prepare for the Cyber Security and Resilience Bill UK

Start now, before your clients force the pace. Follow these steps to get ready.

  1. Map your essential services, data and critical suppliers.
  2. Get Cyber Essentials certified, ideally Cyber Essentials Plus.
  3. Build and rehearse a 24 and 72 hour incident response plan.
  4. Review supplier and IT contracts for security obligations.
  5. Give one board member clear ownership of cyber resilience.
  6. Align your controls to the NCSC Cyber Assessment Framework.
  7. Book an independent gap assessment to find weak spots.

Where this leaves your business

Readiness is now a commercial advantage, not just a legal box to tick. Your regulated clients are already asking harder questions. Acting now protects your contracts and your reputation.

Want to know where you stand? Book a free IT and security audit with the GR.IT team. We will map your exposure and show you the gaps to fix first.

Is your supply chain ready for the new rules?

Share This :

Ask us anything, we’re here to make IT Simple