On 25 June 2026, the UK Cyber Security and Resilience (Network and Information Systems) Bill completed all of its stages in the House of Commons and formally entered the House of Lords. It is the most significant reform of British cyber security law since the NIS Regulations of 2018 — and for the first time it pulls managed service providers, data centres and designated critical suppliers directly into a statutory regime, with fines of up to £17 million or 4 per cent of global turnover and an incident-reporting clock that starts ticking within 24 hours. For the great majority of UK SMEs, whose IT is delivered or co-managed by an outside provider, this is not distant Westminster procedure. It is a change that will arrive through your next contract renewal.
The Bill’s progress has been swift by parliamentary standards. It was introduced on 12 November 2025, received its second reading in the Commons on 6 January 2026, cleared committee stage without material dilution, and reached the Lords on 25 June 2026 — the week before today, 2 July 2026. Royal Assent is expected in late 2026, with phased implementation running through to 2028. This article decodes exactly what the Bill changes, who falls into scope, what the fines and reporting duties mean in practice, and sets out the 10-step compliance programme every UK MSP and SME should begin now — anchored, as ever, on the Cyber Essentials pathway that maps the government’s own baseline onto five achievable controls.
What the Cyber Security and Resilience Bill Actually Changes
The Bill is a deliberate modernisation and expansion of the Network and Information Systems Regulations 2018, which the government has repeatedly described as no longer fit for the threat environment. Where the old NIS regime covered a relatively narrow set of essential-service operators and a handful of large digital service providers, the new Bill widens the net substantially, hands regulators sharper enforcement powers, and puts the National Cyber Security Centre’s Cyber Assessment Framework (CAF) on a statutory footing as the baseline standard against which in-scope organisations will be measured.
Three structural changes matter most for UK businesses. First, the scope expands to capture managed service providers directly — a category the government now labels Relevant Managed Service Providers (RMSPs) — alongside new categories for designated critical suppliers, large data centres and large load controllers. Second, the enforcement ceiling rises sharply: the previous NIS maximum fine was a flat £17 million cap, whereas the new regime allows the greater of £17 million or 4 per cent of global annual turnover for the most serious contraventions, mirroring the structure of UK GDPR penalties. Third, incident reporting becomes faster and more onerous, with a two-stage duty: a 24-hour early-warning notification followed by a full incident report within 72 hours.
Crucially for smaller organisations, the Bill formalises a supply-chain cascade. A regulated entity remains accountable for incidents that originate with its suppliers, and must report them — while the supplier itself may be separately designated and brought under direct oversight. This is the mechanism by which the Bill will reach far beyond the organisations named on the face of the legislation and into the SME base that supplies, supports and connects to them.
Two routes bring ordinary UK SMEs into contact with this regime. First, if your IT is delivered or co-managed by a managed service provider, that MSP is now directly regulated as an RMSP — and will push security obligations, contractual warranties and audit rights down to you to protect its own compliance position. Second, if you supply goods or services to any organisation in energy, transport, health, water or digital infrastructure, you could be designated a “critical supplier” and face direct regulatory oversight in your own right. The Information Commissioner’s Office (ICO) is the designated regulator for RMSPs, and regulators will be able to levy periodic cost-recovery fees on in-scope organisations. In practical terms, the safe assumption for any UK SME today is that these obligations will arrive — the only open question is by which route and how soon.
The Timeline: How the Bill Reached the Lords
Who Falls Into Scope: The New Categories Explained
The Bill retains the two familiar NIS categories and adds four new ones. Operators of Essential Services (OES) — organisations in energy, transport, health, water and digital infrastructure — remain in scope, as do Relevant Digital Service Providers (RDSPs) such as online marketplaces, search engines and cloud computing services. The four additions are where the reach of the regime materially widens.
Relevant Managed Service Providers (RMSPs) are the headline addition. The Bill defines an RMSP by reference to the ongoing management of IT systems for customers, delivered by connecting to a customer’s network or information systems. That definition captures the classic outsourced-IT and managed-security model that a large share of UK SMEs rely on. Designated Critical Suppliers (DCS) are organisations whose goods or services are so important to an essential-service operator or digital provider that a compromise of the supplier would have a significant disruptive effect — and can be individually designated by regulators. The Bill also brings large data centres into scope (broadly, those with capacity at or above 1MW for non-enterprise facilities and 10MW for enterprise facilities) and large load controllers managing 300MW or more.
The bar chart above exposes the fault line the Bill is designed to close. Board-level ownership of cyber risk sits at 68 per cent in large businesses but just 31 per cent across the business population as a whole, and only 6 per cent of businesses review the wider supply chain that the Bill’s cascade provisions are built around. Cyber Essentials holdings have risen — to 35 per cent of large businesses and 12 per cent of small businesses — but remain a minority everywhere. The regime arriving through this Bill assumes a level of governance, supplier assurance and demonstrable control that most UK organisations have not yet reached.
The Governance Gap the Bill Targets
Placing the NCSC Cyber Assessment Framework on a statutory footing is more than a technical detail. The CAF is an outcomes-based framework: it does not simply ask whether a firewall exists, it asks whether the organisation understands its risk, governs it at the appropriate level, protects against it, detects incidents and can recover. That is a governance standard as much as a technical one — and the CSBS 2025/2026 data shows that only 31 per cent of UK businesses have explicit board-level responsibility for cyber risk. For in-scope organisations, the Bill effectively raises that from good practice to a compliance expectation.
For the SME base, the practical bridge between “we have some IT security” and “we can demonstrate outcomes-based assurance to a regulator or a regulated customer” is Cyber Essentials. The scheme certifies the five technical controls — boundary firewalls, secure configuration, user access control, malware protection and patch management — that underpin the CAF’s protective outcomes. It is the UK government’s own entry-level certification, administered through IASME as the sole certification body appointed by the NCSC, and it is the fastest route for a smaller organisation to evidence that it takes the baseline seriously. It will not, on its own, satisfy every RMSP or critical-supplier obligation — but it is the concrete first step, and the one most SMEs can complete this year.
Where UK SMEs and MSPs Stand Against the New Regime
The scorecard reflects a consistent theme in the CSBS 2025/2026 data: the technical fundamentals are patchily deployed and the governance and assurance layers are largely absent below the level of large enterprise. The areas marked as high risk — meeting a 24-hour reporting window, holding a tested incident response runbook, and having security warranties with IT suppliers — are precisely the areas the Bill will make non-negotiable for in-scope organisations, and precisely the areas an SME cannot fix in the days after a regulator comes knocking. They have to be built in advance.
The Enforcement Regime: Fines and Reporting Duties
| Contravention | Maximum penalty | Structure | Comparison with old NIS regime |
|---|---|---|---|
| Standard breach of duties | Greater of £10m or 2% of global turnover | Turnover-linked, GDPR-style | No equivalent tiering under NIS |
| Serious or repeated breach | Greater of £17m or 4% of global turnover | Turnover-linked, GDPR-style | NIS capped at a flat £17m maximum |
| Ongoing contravention | Up to £100,000 per day | Daily accruing penalty | No comparable daily mechanism |
| Early-warning notification | Enforcement exposure if missed | Within 24 hours to regulator and NCSC | Tighter and dual-addressed vs NIS 72h |
| Full incident report | Enforcement exposure if missed | Within 72 hours of the incident | Formalised two-stage duty |
The single most important change in this table is the shift from a flat cap to a turnover-linked ceiling. Under the NIS Regulations, the £17 million maximum was an absolute figure regardless of an organisation’s size, which meant that for the largest operators the penalty was, in relative terms, modest. The new regime allows the greater of a fixed sum or a percentage of global turnover — 2 per cent for standard breaches and 4 per cent for serious or repeated ones — which brings cyber enforcement into line with UK GDPR and materially raises the stakes for large in-scope organisations. For SMEs that become suppliers or RMSPs, the fixed floors (£10 million and £17 million) are the figures that will focus the mind, because a small business is unlikely to have a turnover percentage that exceeds them.
The reporting duties are equally consequential. A 24-hour early-warning notification, addressed to both the sector regulator and the NCSC, followed by a full incident report within 72 hours, demands a level of detection and coordination that most SMEs do not currently possess. It is not enough to know that something has gone wrong; an organisation must be able to recognise a reportable incident, gather the initial facts, and notify two bodies within a single working day. For RMSPs, data centres and RDSPs, the Bill additionally requires customer notification after significant incidents — so the duty is not only upward to regulators but outward to affected clients.
Reactive vs Proactive: Two Ways to Meet the Bill
Reactive posture
Waiting for the contract or the regulator to force the issue
- No estate or scope audit; unclear which duties apply
- Supplier and customer contracts silent on cyber obligations
- No incident response runbook; 24-hour window unmeetable
- MFA and patching partial; outside the CE baseline
- No board-level owner for cyber risk or CAF alignment
- Supply-chain risk unreviewed — cascade exposure unknown
- No Cyber Essentials certificate to evidence baseline
- Compliance handled as a panic project after designation
Proactive posture
Where a managed Cyber Essentials programme takes you
- Documented scope map: OES, RDSP, RMSP, DCS exposure known
- Security warranties and audit rights in supplier contracts
- Tested incident runbook with 24-hour notification path
- MFA enforced and 14-day patch cycle for internet-facing systems
- Named board owner; posture aligned to the NCSC CAF outcomes
- Annual supply-chain assurance review with documented findings
- Cyber Essentials Plus certificate demonstrating the baseline
- Compliance treated as continuous assurance, not a one-off scramble
The 10-Step MSP & SME Compliance Plan — July to December 2026
For a well-managed SME with an existing IT support relationship, the Cyber Essentials gap assessment and remediation phase typically takes 2–4 weeks, with basic certification following within days. Cyber Essentials Plus — adding a hands-on technical audit, external vulnerability scanning, internal configuration testing and a phishing simulation — adds a further 2–4 weeks. The full 10-step programme, including scope determination, supply-chain assurance, contract updates and incident-response testing, fits comfortably inside a 16-week window. With Royal Assent expected in late 2026 and implementation phased to 2028, a business starting in July 2026 can complete its baseline and evidence it well before the duties bite — and before the next contract-renewal cycle forces the conversation on someone else’s timetable.
At-a-Glance: Key Facts for UK Business Leaders
| Topic | Key figure or fact | Source / context |
|---|---|---|
| Bill introduced to Parliament | 12 November 2025 | Cyber Security and Resilience Bill |
| Second reading, House of Commons | 6 January 2026 | Cross-party support secured |
| Bill entered the House of Lords | 25 June 2026 | All Commons stages complete |
| Royal Assent expected | Late 2026 | Implementation phased to 2028 |
| Maximum fine, standard breach | Greater of £10m or 2% global turnover | New turnover-linked structure |
| Maximum fine, serious/repeated breach | Greater of £17m or 4% global turnover | NIS was a flat £17m cap |
| Daily fine for ongoing contravention | Up to £100,000 per day | New accruing mechanism |
| Early-warning reporting window | 24 hours to regulator and NCSC | Full report within 72 hours |
| New scope categories | RMSP, Designated Critical Supplier, large data centres, large load controllers | Added to existing OES and RDSP |
| Regulator for RMSPs | Information Commissioner’s Office (ICO) | Cost-recovery fees permitted |
| Statutory baseline standard | NCSC Cyber Assessment Framework (CAF) | Now on a statutory footing |
| UK businesses breached in 12 months | 43% (approx. 612,000) | CSBS 2025/2026, 30 April 2026 |
| Estimated cyber crimes against UK businesses | 5.19 million per year | CSBS 2025/2026 |
| NHS Synnovis ransomware impact | £32.7m cost; 11,000 appointments disrupted | June 2024 |
| UK annual cost of cyberattacks | £14.7 billion | HM Government estimate |
| Nationally significant incidents in 2024 | 204 — more than double the prior year | NCSC |
What This Means for Your MSP Relationship
The most immediate consequence for the average UK SME is that its managed service provider is now a directly regulated entity. An RMSP that connects to your network to deliver ongoing IT management carries statutory duties of its own, and it will protect its compliance position by revising the contracts it holds with you. Expect to see new clauses covering security warranties, cooperation during incidents, notification obligations, and audit or evidence rights — and expect your MSP to ask you to demonstrate a baseline of your own, most naturally through Cyber Essentials. This is not a burden being invented by suppliers; it is the cascade the Bill deliberately creates, flowing from regulator to RMSP to customer.
The mirror image applies if your business supplies IT goods or services to organisations in essential-service sectors. A regulator can designate you a critical supplier if your compromise would significantly disrupt an operator of essential services, which brings you under direct oversight regardless of your size. In that scenario, being able to point to a current Cyber Essentials Plus certificate, a tested incident-response runbook and a documented supply-chain assurance process is the difference between a straightforward designation conversation and a scramble under enforcement pressure. The organisations that fare best will be those that treated the baseline as continuous assurance rather than a project triggered by a letter from a regulator.
This story sits within a run of 2026 developments that together define the UK SME cyber-and-resilience agenda. The Russian-linked Jaguar Land Rover attack and its estimated £2 billion impact is one of the incidents that motivated this legislation, while the Scattered Spider convictions over the Transport for London attack illustrate how social engineering breaches the baseline the Bill now mandates. The June 2026 Patch Tuesday release of 206 CVEs and the Oracle E-Business Suite payments exploit both underline why the 14-day patching discipline matters, and the Cisco Unified CM VoIP vulnerability shows how a single unpatched supplier component becomes a reportable incident under the new regime. Read together, they describe exactly the posture the Cyber Security and Resilience Bill is asking UK organisations to reach.
Get ahead of the Cyber Security and Resilience Bill
Cloudswitched’s end-to-end Cyber Essentials and Cyber Essentials Plus certification service handles the gap assessment, technical remediation, vulnerability testing, IASME registration and examination — the concrete first step towards the CAF-aligned baseline the Bill will require. One price, no hidden extras, first-time-pass focus.
Talk to us about Cyber Essentials CertificationFrequently Asked Questions
The Bill is in the Lords — the time to build your baseline is now
Whether you are a managed service provider preparing for direct regulation or an SME whose contracts are about to change, Cloudswitched handles the full Cyber Essentials journey: gap assessment, technical remediation, IASME registration, vulnerability testing and certification. Single price, no hidden extras, first-time-pass focus — the concrete first move towards the resilience the Cyber Security and Resilience Bill will require.
Talk to us about Cyber Essentials Certification


