Back to News

UK Cyber Security & Resilience Bill Clears Commons — Enters Lords 25 June 2026: The 10-Step MSP & SME Compliance Plan Every UK Business Must Start Now

UK Cyber Security & Resilience Bill Clears Commons — Enters Lords 25 June 2026: The 10-Step MSP & SME Compliance Plan Every UK Business Must Start Now

On 25 June 2026, the UK Cyber Security and Resilience (Network and Information Systems) Bill completed all of its stages in the House of Commons and formally entered the House of Lords. It is the most significant reform of British cyber security law since the NIS Regulations of 2018 — and for the first time it pulls managed service providers, data centres and designated critical suppliers directly into a statutory regime, with fines of up to £17 million or 4 per cent of global turnover and an incident-reporting clock that starts ticking within 24 hours. For the great majority of UK SMEs, whose IT is delivered or co-managed by an outside provider, this is not distant Westminster procedure. It is a change that will arrive through your next contract renewal.

The Bill’s progress has been swift by parliamentary standards. It was introduced on 12 November 2025, received its second reading in the Commons on 6 January 2026, cleared committee stage without material dilution, and reached the Lords on 25 June 2026 — the week before today, 2 July 2026. Royal Assent is expected in late 2026, with phased implementation running through to 2028. This article decodes exactly what the Bill changes, who falls into scope, what the fines and reporting duties mean in practice, and sets out the 10-step compliance programme every UK MSP and SME should begin now — anchored, as ever, on the Cyber Essentials pathway that maps the government’s own baseline onto five achievable controls.

£17m / 4%
Maximum fine for a serious or repeated breach — whichever is greater
24 hours
Early-warning window to notify the regulator and NCSC after an incident
25 Jun 2026
Bill cleared the Commons and entered the House of Lords
2028
Target date for full implementation of the new regime

What the Cyber Security and Resilience Bill Actually Changes

The Bill is a deliberate modernisation and expansion of the Network and Information Systems Regulations 2018, which the government has repeatedly described as no longer fit for the threat environment. Where the old NIS regime covered a relatively narrow set of essential-service operators and a handful of large digital service providers, the new Bill widens the net substantially, hands regulators sharper enforcement powers, and puts the National Cyber Security Centre’s Cyber Assessment Framework (CAF) on a statutory footing as the baseline standard against which in-scope organisations will be measured.

Three structural changes matter most for UK businesses. First, the scope expands to capture managed service providers directly — a category the government now labels Relevant Managed Service Providers (RMSPs) — alongside new categories for designated critical suppliers, large data centres and large load controllers. Second, the enforcement ceiling rises sharply: the previous NIS maximum fine was a flat £17 million cap, whereas the new regime allows the greater of £17 million or 4 per cent of global annual turnover for the most serious contraventions, mirroring the structure of UK GDPR penalties. Third, incident reporting becomes faster and more onerous, with a two-stage duty: a 24-hour early-warning notification followed by a full incident report within 72 hours.

Crucially for smaller organisations, the Bill formalises a supply-chain cascade. A regulated entity remains accountable for incidents that originate with its suppliers, and must report them — while the supplier itself may be separately designated and brought under direct oversight. This is the mechanism by which the Bill will reach far beyond the organisations named on the face of the legislation and into the SME base that supplies, supports and connects to them.

Why this reaches almost every UK SME — even if you are not named in the Bill

Two routes bring ordinary UK SMEs into contact with this regime. First, if your IT is delivered or co-managed by a managed service provider, that MSP is now directly regulated as an RMSP — and will push security obligations, contractual warranties and audit rights down to you to protect its own compliance position. Second, if you supply goods or services to any organisation in energy, transport, health, water or digital infrastructure, you could be designated a “critical supplier” and face direct regulatory oversight in your own right. The Information Commissioner’s Office (ICO) is the designated regulator for RMSPs, and regulators will be able to levy periodic cost-recovery fees on in-scope organisations. In practical terms, the safe assumption for any UK SME today is that these obligations will arrive — the only open question is by which route and how soon.

The Timeline: How the Bill Reached the Lords

June 2024 — NHS Synnovis ransomware attack
A ransomware attack on pathology provider Synnovis disrupted NHS services across south-east London, forcing the cancellation or postponement of roughly 11,000 appointments and procedures at an estimated cost of £32.7 million. It became a defining case study for the argument that supply-chain cyber risk in essential services was under-regulated.
2024 — NCSC records 204 nationally significant incidents
The National Cyber Security Centre recorded 204 nationally significant cyber incidents during 2024 — more than double the number of the previous year. The figure was cited repeatedly during the Bill’s passage as evidence that the threat volume had outgrown the 2018 framework.
2025 — M&S and JLR attacks concentrate minds
The Marks & Spencer cyberattack of 2025 was reported to have cost the retailer in the region of £300 million. The Jaguar Land Rover attack, attributed to Russian-linked actors, was estimated at around £2 billion in impact and prompted a £1.5 billion UK government support package. Both underlined the systemic economic exposure the Bill seeks to address.
12 November 2025 — Bill introduced to Parliament
The Cyber Security and Resilience Bill was formally introduced, setting out the expanded scope, the statutory footing for the NCSC Cyber Assessment Framework, and the revised enforcement and reporting regime.
6 January 2026 — Second reading, House of Commons
The Bill received its second reading in the Commons, securing cross-party support for the principle of widening the regime to managed service providers and critical suppliers.
30 April 2026 — Cyber Security Breaches Survey 2025/2026 published
The government’s annual survey confirmed that 43 per cent of UK businesses — approximately 612,000 organisations — identified a breach or attack in the last 12 months, with an estimated 5.19 million cyber crimes committed against UK businesses. The data provided the empirical backdrop for the committee stage debates.
Spring 2026 — Committee stage completed
The Bill passed through committee scrutiny in the Commons with its core architecture — RMSP designation, the greater-of-£17m-or-4% penalty structure, and the 24-hour reporting duty — intact.
25 June 2026 — Commons stages complete; Bill enters the Lords
The Bill cleared all remaining Commons stages and was carried to the House of Lords for scrutiny. Royal Assent is expected in late 2026, with phased implementation of the new duties running through to 2028.
2 July 2026 — Today’s position
The Bill is under Lords scrutiny. The direction of travel is settled; the detail of secondary legislation and CAF-based codes will follow. For UK MSPs and SMEs, the window to prepare before enforcement begins is open now and finite.

Who Falls Into Scope: The New Categories Explained

The Bill retains the two familiar NIS categories and adds four new ones. Operators of Essential Services (OES) — organisations in energy, transport, health, water and digital infrastructure — remain in scope, as do Relevant Digital Service Providers (RDSPs) such as online marketplaces, search engines and cloud computing services. The four additions are where the reach of the regime materially widens.

Relevant Managed Service Providers (RMSPs) are the headline addition. The Bill defines an RMSP by reference to the ongoing management of IT systems for customers, delivered by connecting to a customer’s network or information systems. That definition captures the classic outsourced-IT and managed-security model that a large share of UK SMEs rely on. Designated Critical Suppliers (DCS) are organisations whose goods or services are so important to an essential-service operator or digital provider that a compromise of the supplier would have a significant disruptive effect — and can be individually designated by regulators. The Bill also brings large data centres into scope (broadly, those with capacity at or above 1MW for non-enterprise facilities and 10MW for enterprise facilities) and large load controllers managing 300MW or more.

UK businesses breached or attacked in last 12 months
43%
Businesses with two-factor authentication deployed
47%
Large businesses holding Cyber Essentials
35% (up from 21%)
Board-level cyber responsibility (large businesses)
68%
Board-level cyber responsibility (all businesses)
31%
Small businesses holding Cyber Essentials
12% (up from 5%)
Businesses reviewing wider supply chain cyber risk
6%

The bar chart above exposes the fault line the Bill is designed to close. Board-level ownership of cyber risk sits at 68 per cent in large businesses but just 31 per cent across the business population as a whole, and only 6 per cent of businesses review the wider supply chain that the Bill’s cascade provisions are built around. Cyber Essentials holdings have risen — to 35 per cent of large businesses and 12 per cent of small businesses — but remain a minority everywhere. The regime arriving through this Bill assumes a level of governance, supplier assurance and demonstrable control that most UK organisations have not yet reached.

The Governance Gap the Bill Targets

31%
Share of UK businesses where the board takes explicit responsibility for cyber risk — the Bill assumes accountability the majority have not formalised

Placing the NCSC Cyber Assessment Framework on a statutory footing is more than a technical detail. The CAF is an outcomes-based framework: it does not simply ask whether a firewall exists, it asks whether the organisation understands its risk, governs it at the appropriate level, protects against it, detects incidents and can recover. That is a governance standard as much as a technical one — and the CSBS 2025/2026 data shows that only 31 per cent of UK businesses have explicit board-level responsibility for cyber risk. For in-scope organisations, the Bill effectively raises that from good practice to a compliance expectation.

For the SME base, the practical bridge between “we have some IT security” and “we can demonstrate outcomes-based assurance to a regulator or a regulated customer” is Cyber Essentials. The scheme certifies the five technical controls — boundary firewalls, secure configuration, user access control, malware protection and patch management — that underpin the CAF’s protective outcomes. It is the UK government’s own entry-level certification, administered through IASME as the sole certification body appointed by the NCSC, and it is the fastest route for a smaller organisation to evidence that it takes the baseline seriously. It will not, on its own, satisfy every RMSP or critical-supplier obligation — but it is the concrete first step, and the one most SMEs can complete this year.

Where UK SMEs and MSPs Stand Against the New Regime

Readiness scorecard against the Cyber Security and Resilience Bill
Board-level cyber governance and ownershipLow — only 31% of all businesses
Supply-chain cyber risk assessment (wider chain)Critical gap — only 6% review it
Two-factor / multi-factor authentication coverageLow — only 47% of businesses
Cyber Essentials certification (small businesses)Mid — 12%, up from 5%
Cyber Essentials certification (large businesses)Mid — 35%, up from 21%
24-hour incident detection and reporting capabilityHigh risk — few SMEs can meet the window today
Documented, tested incident response runbookHigh risk — largely absent in the SME base
Contractual security warranties with IT suppliersHigh risk — rarely formalised before renewal

The scorecard reflects a consistent theme in the CSBS 2025/2026 data: the technical fundamentals are patchily deployed and the governance and assurance layers are largely absent below the level of large enterprise. The areas marked as high risk — meeting a 24-hour reporting window, holding a tested incident response runbook, and having security warranties with IT suppliers — are precisely the areas the Bill will make non-negotiable for in-scope organisations, and precisely the areas an SME cannot fix in the days after a regulator comes knocking. They have to be built in advance.

The Enforcement Regime: Fines and Reporting Duties

ContraventionMaximum penaltyStructureComparison with old NIS regime
Standard breach of dutiesGreater of £10m or 2% of global turnoverTurnover-linked, GDPR-styleNo equivalent tiering under NIS
Serious or repeated breachGreater of £17m or 4% of global turnoverTurnover-linked, GDPR-styleNIS capped at a flat £17m maximum
Ongoing contraventionUp to £100,000 per dayDaily accruing penaltyNo comparable daily mechanism
Early-warning notificationEnforcement exposure if missedWithin 24 hours to regulator and NCSCTighter and dual-addressed vs NIS 72h
Full incident reportEnforcement exposure if missedWithin 72 hours of the incidentFormalised two-stage duty

The single most important change in this table is the shift from a flat cap to a turnover-linked ceiling. Under the NIS Regulations, the £17 million maximum was an absolute figure regardless of an organisation’s size, which meant that for the largest operators the penalty was, in relative terms, modest. The new regime allows the greater of a fixed sum or a percentage of global turnover — 2 per cent for standard breaches and 4 per cent for serious or repeated ones — which brings cyber enforcement into line with UK GDPR and materially raises the stakes for large in-scope organisations. For SMEs that become suppliers or RMSPs, the fixed floors (£10 million and £17 million) are the figures that will focus the mind, because a small business is unlikely to have a turnover percentage that exceeds them.

The reporting duties are equally consequential. A 24-hour early-warning notification, addressed to both the sector regulator and the NCSC, followed by a full incident report within 72 hours, demands a level of detection and coordination that most SMEs do not currently possess. It is not enough to know that something has gone wrong; an organisation must be able to recognise a reportable incident, gather the initial facts, and notify two bodies within a single working day. For RMSPs, data centres and RDSPs, the Bill additionally requires customer notification after significant incidents — so the duty is not only upward to regulators but outward to affected clients.

Reactive vs Proactive: Two Ways to Meet the Bill

Reactive posture

Waiting for the contract or the regulator to force the issue

  • No estate or scope audit; unclear which duties apply
  • Supplier and customer contracts silent on cyber obligations
  • No incident response runbook; 24-hour window unmeetable
  • MFA and patching partial; outside the CE baseline
  • No board-level owner for cyber risk or CAF alignment
  • Supply-chain risk unreviewed — cascade exposure unknown
  • No Cyber Essentials certificate to evidence baseline
  • Compliance handled as a panic project after designation

Proactive posture

Where a managed Cyber Essentials programme takes you

  • Documented scope map: OES, RDSP, RMSP, DCS exposure known
  • Security warranties and audit rights in supplier contracts
  • Tested incident runbook with 24-hour notification path
  • MFA enforced and 14-day patch cycle for internet-facing systems
  • Named board owner; posture aligned to the NCSC CAF outcomes
  • Annual supply-chain assurance review with documented findings
  • Cyber Essentials Plus certificate demonstrating the baseline
  • Compliance treated as continuous assurance, not a one-off scramble

The 10-Step MSP & SME Compliance Plan — July to December 2026

Step 1 — Scope determination: establish whether you are an RMSP, a potential critical supplier, or a customer of a regulated MSP, and document which duties apply
Week 1–2
Step 2 — Estate audit: catalogue every device, user account, internet-facing service and third-party connection into and out of your systems
Week 2–3
Step 3 — Firewall and secure configuration: confirm boundary firewalls, close unnecessary ports, remove default accounts and disable unused services
Week 3–4
Step 4 — Access control and MFA: enforce least privilege and multi-factor authentication on all admin, cloud and remote-access accounts
Week 4–5
Step 5 — Patch and malware management: establish a documented 14-day patch cycle for internet-facing systems and managed endpoint protection on every device
Week 5–7
Step 6 — Supply-chain assurance: review your suppliers’ cyber posture and the customers who may cascade obligations down to you; capture findings
Week 6–8
Step 7 — Contract review: update supplier and customer contracts with security warranties, incident cooperation clauses and audit rights ahead of renewal
Week 8–10
Step 8 — Incident response and 24-hour reporting: build and tabletop-test a runbook with a defined notification path to the regulator and NCSC
Week 10–12
Step 9 — Governance and CAF alignment: assign a named board-level owner and map your controls to the NCSC Cyber Assessment Framework outcomes
Week 12–14
Step 10 — Cyber Essentials Plus certification: commission the gap assessment, remediate findings and complete the IASME-accredited technical audit
Week 14–16
6%
UK businesses that review wider supply-chain cyber risk today — the Bill’s cascade provisions assume far more
The 16-week programme is achievable — and the timing favours starting now

For a well-managed SME with an existing IT support relationship, the Cyber Essentials gap assessment and remediation phase typically takes 2–4 weeks, with basic certification following within days. Cyber Essentials Plus — adding a hands-on technical audit, external vulnerability scanning, internal configuration testing and a phishing simulation — adds a further 2–4 weeks. The full 10-step programme, including scope determination, supply-chain assurance, contract updates and incident-response testing, fits comfortably inside a 16-week window. With Royal Assent expected in late 2026 and implementation phased to 2028, a business starting in July 2026 can complete its baseline and evidence it well before the duties bite — and before the next contract-renewal cycle forces the conversation on someone else’s timetable.

At-a-Glance: Key Facts for UK Business Leaders

TopicKey figure or factSource / context
Bill introduced to Parliament12 November 2025Cyber Security and Resilience Bill
Second reading, House of Commons6 January 2026Cross-party support secured
Bill entered the House of Lords25 June 2026All Commons stages complete
Royal Assent expectedLate 2026Implementation phased to 2028
Maximum fine, standard breachGreater of £10m or 2% global turnoverNew turnover-linked structure
Maximum fine, serious/repeated breachGreater of £17m or 4% global turnoverNIS was a flat £17m cap
Daily fine for ongoing contraventionUp to £100,000 per dayNew accruing mechanism
Early-warning reporting window24 hours to regulator and NCSCFull report within 72 hours
New scope categoriesRMSP, Designated Critical Supplier, large data centres, large load controllersAdded to existing OES and RDSP
Regulator for RMSPsInformation Commissioner’s Office (ICO)Cost-recovery fees permitted
Statutory baseline standardNCSC Cyber Assessment Framework (CAF)Now on a statutory footing
UK businesses breached in 12 months43% (approx. 612,000)CSBS 2025/2026, 30 April 2026
Estimated cyber crimes against UK businesses5.19 million per yearCSBS 2025/2026
NHS Synnovis ransomware impact£32.7m cost; 11,000 appointments disruptedJune 2024
UK annual cost of cyberattacks£14.7 billionHM Government estimate
Nationally significant incidents in 2024204 — more than double the prior yearNCSC

What This Means for Your MSP Relationship

The most immediate consequence for the average UK SME is that its managed service provider is now a directly regulated entity. An RMSP that connects to your network to deliver ongoing IT management carries statutory duties of its own, and it will protect its compliance position by revising the contracts it holds with you. Expect to see new clauses covering security warranties, cooperation during incidents, notification obligations, and audit or evidence rights — and expect your MSP to ask you to demonstrate a baseline of your own, most naturally through Cyber Essentials. This is not a burden being invented by suppliers; it is the cascade the Bill deliberately creates, flowing from regulator to RMSP to customer.

The mirror image applies if your business supplies IT goods or services to organisations in essential-service sectors. A regulator can designate you a critical supplier if your compromise would significantly disrupt an operator of essential services, which brings you under direct oversight regardless of your size. In that scenario, being able to point to a current Cyber Essentials Plus certificate, a tested incident-response runbook and a documented supply-chain assurance process is the difference between a straightforward designation conversation and a scramble under enforcement pressure. The organisations that fare best will be those that treated the baseline as continuous assurance rather than a project triggered by a letter from a regulator.

This story sits within a run of 2026 developments that together define the UK SME cyber-and-resilience agenda. The Russian-linked Jaguar Land Rover attack and its estimated £2 billion impact is one of the incidents that motivated this legislation, while the Scattered Spider convictions over the Transport for London attack illustrate how social engineering breaches the baseline the Bill now mandates. The June 2026 Patch Tuesday release of 206 CVEs and the Oracle E-Business Suite payments exploit both underline why the 14-day patching discipline matters, and the Cisco Unified CM VoIP vulnerability shows how a single unpatched supplier component becomes a reportable incident under the new regime. Read together, they describe exactly the posture the Cyber Security and Resilience Bill is asking UK organisations to reach.

Get ahead of the Cyber Security and Resilience Bill

Cloudswitched’s end-to-end Cyber Essentials and Cyber Essentials Plus certification service handles the gap assessment, technical remediation, vulnerability testing, IASME registration and examination — the concrete first step towards the CAF-aligned baseline the Bill will require. One price, no hidden extras, first-time-pass focus.

Talk to us about Cyber Essentials Certification

Frequently Asked Questions

What is the Cyber Security and Resilience Bill, and where is it in the parliamentary process?
The Cyber Security and Resilience (Network and Information Systems) Bill is a modernisation and expansion of the UK’s NIS Regulations 2018. It was introduced to Parliament on 12 November 2025, received its second reading in the Commons on 6 January 2026, cleared committee stage, and completed all remaining Commons stages before entering the House of Lords on 25 June 2026. It is currently under Lords scrutiny. Royal Assent is expected in late 2026, with phased implementation of the new duties running through to 2028. The core architecture — expanded scope, statutory footing for the NCSC Cyber Assessment Framework, turnover-linked fines and a 24-hour reporting duty — is settled; the detail will follow in secondary legislation and CAF-based codes.
Does the Bill apply to my small business if we are not in energy, health or transport?
Possibly, through one of two indirect routes. First, if your IT is delivered or co-managed by a managed service provider, that provider is now a Relevant Managed Service Provider (RMSP) with direct duties, and will push contractual security obligations down to you. Second, if you supply goods or services to any organisation in an essential-service sector, a regulator can designate you a critical supplier and bring you under direct oversight. Even where neither applies today, the safe planning assumption for any UK SME is that these expectations will arrive through customers, suppliers or insurers. Holding Cyber Essentials is the most practical way to be ready regardless of which route reaches you.
How big are the fines, and how do they compare with the old regime?
For a standard breach of duties, the maximum penalty is the greater of £10 million or 2 per cent of global annual turnover. For a serious or repeated breach — including failures to report incidents — it rises to the greater of £17 million or 4 per cent of global turnover. Ongoing contraventions can attract a daily penalty of up to £100,000. The key change from the NIS Regulations is structural: NIS imposed a flat £17 million cap regardless of size, whereas the new regime links the ceiling to global turnover in the same way as UK GDPR. For large organisations this materially raises the stakes; for SMEs, the fixed floors of £10 million and £17 million are the figures most likely to apply.
What exactly is the 24-hour reporting requirement?
The Bill introduces a two-stage incident-reporting duty for in-scope organisations. An initial early-warning notification must be made within 24 hours of becoming aware of a significant incident, addressed to both the relevant sector regulator and the National Cyber Security Centre. A full incident report must then follow within 72 hours. For RMSPs, data centres and relevant digital service providers, there is an additional duty to notify affected customers after significant incidents. Meeting a 24-hour window requires the ability to detect and recognise a reportable incident quickly, gather initial facts, and notify multiple parties within a single working day — which is why a pre-built, tested incident-response runbook is essential rather than optional.
What is a Relevant Managed Service Provider (RMSP), and is my IT company one?
The Bill defines an RMSP by reference to the ongoing management of IT systems for customers, delivered by connecting to a customer’s network or information systems. That captures the standard outsourced-IT and managed-security model — the arrangement most UK SMEs use for their day-to-day IT. If your provider remotely manages your servers, endpoints, network or security by connecting into your systems, it is very likely an RMSP under the new definition. The Information Commissioner’s Office is the designated regulator for RMSPs. The practical effect is that your IT provider now has statutory duties, and will formalise the security relationship with you through revised contracts and requests for evidence of your own baseline.
How does the supply-chain cascade work, and why does it matter to a supplier?
The Bill makes a regulated organisation accountable for incidents that originate with its suppliers, and requires it to report them. At the same time, a supplier whose compromise would significantly disrupt an essential-service operator can be individually designated a critical supplier and brought under direct oversight. This dual mechanism is how the regime reaches beyond the organisations named on the face of the Bill and into the wider SME base. If you supply into a regulated customer, expect that customer to assess your cyber posture, require contractual assurances, and possibly ask you to hold Cyber Essentials or align to the NCSC Cyber Assessment Framework. Only 6 per cent of UK businesses currently review their wider supply-chain cyber risk, so this is a significant behavioural shift.
What is the NCSC Cyber Assessment Framework, and how does Cyber Essentials relate to it?
The Cyber Assessment Framework (CAF) is the NCSC’s outcomes-based framework for assessing cyber resilience, organised around understanding risk, defending against attack, detecting incidents and minimising impact. The Bill places it on a statutory footing as the baseline standard for in-scope organisations. It is a governance-and-outcomes standard, broader than a technical checklist. Cyber Essentials is narrower and more concrete: it certifies the five technical controls — boundary firewalls, secure configuration, user access control, malware protection and patch management — that underpin the CAF’s protective outcomes. For an SME, Cyber Essentials is the fastest, most affordable way to evidence the technical baseline the CAF assumes, and the natural first step towards fuller CAF alignment where that is required.
Why was this Bill introduced now?
The government has argued that the NIS Regulations 2018 no longer match the threat environment. A series of high-impact incidents concentrated political attention: the NHS Synnovis ransomware attack of June 2024, which disrupted around 11,000 appointments at an estimated £32.7 million cost; the Marks & Spencer attack of 2025, reported at around £300 million; and the Russian-linked Jaguar Land Rover attack, estimated at roughly £2 billion with a £1.5 billion government support package. The NCSC recorded 204 nationally significant incidents in 2024, more than double the prior year, and the UK’s annual cost of cyberattacks is estimated at £14.7 billion. The Office for Budget Responsibility has warned that a catastrophic attack on critical national infrastructure could raise temporary government borrowing by more than £30 billion. The Bill is the legislative response to that risk picture.
What should my business do this quarter to prepare?
Start with scope: determine whether you are an RMSP, a potential critical supplier, or a customer of a regulated MSP, and document which duties are likely to apply. Then run an estate audit covering every device, account, internet-facing service and third-party connection. Enforce multi-factor authentication and a 14-day patch cycle for internet-facing systems to reach the Cyber Essentials baseline. Review your supplier and customer contracts so security warranties and incident-cooperation clauses are in place before renewal. Build and tabletop-test an incident-response runbook with a clear 24-hour notification path. Finally, commission a Cyber Essentials gap assessment and work towards Cyber Essentials Plus. This 10-step programme fits inside roughly 16 weeks and puts you ahead of enforcement, which is phased through to 2028.
Will Cyber Essentials on its own make my business fully compliant with the Bill?
Not on its own — but it is the essential foundation. Cyber Essentials certifies the five technical controls that address the most common attack vectors and underpin the CAF’s protective outcomes, and it is the government’s own entry-level scheme, administered through IASME. Full compliance for an in-scope organisation will also require governance (a named board owner and CAF alignment), an incident-response capability that can meet the 24-hour reporting window, supply-chain assurance, and appropriate contractual arrangements. Cyber Essentials is the fastest way to demonstrate the technical baseline and the most credible thing an SME can point to when a regulated customer or the ICO asks what controls are in place. It is the first step in the programme, not the whole of it — but it is the step that unlocks the rest.

The Bill is in the Lords — the time to build your baseline is now

Whether you are a managed service provider preparing for direct regulation or an SME whose contracts are about to change, Cloudswitched handles the full Cyber Essentials journey: gap assessment, technical remediation, IASME registration, vulnerability testing and certification. Single price, no hidden extras, first-time-pass focus — the concrete first move towards the resilience the Cyber Security and Resilience Bill will require.

Talk to us about Cyber Essentials Certification
Tags:Cyber EssentialsCyber SecurityIT SupportNetwork Admin
CloudSwitched

London-based managed IT services provider offering support, cloud solutions and cybersecurity for SMEs.

CloudSwitched Service

Cyber Essentials Certification

End-to-end Cyber Essentials Plus certification and ongoing security services for UK businesses

Learn More

Technology Stack

Powered by industry-leading technologies including SolarWinds, Cloudflare, BitDefender, AWS, Microsoft Azure, and Cisco Meraki to deliver secure, scalable, and reliable IT solutions.

SolarWinds
Cloudflare
BitDefender
AWS
Hono
Opus
Office 365
Microsoft
Cisco Meraki
Microsoft Azure

Latest Articles

12
  • Database Reporting

Database Search & Lookup Tool Development for UK Businesses

12 Apr, 2026

Read more
15
  • SEO

SEO for Accountancy Firms: A Practical Guide

15 Apr, 2026

Read more
20
  • Database Reporting

Real-Time Dashboards for Business

20 Mar, 2026

Read more

Enquiry Received!

Thank you for getting in touch. A member of our team will review your enquiry and get back to you within 24 hours.