On 10 June 2026, the Cyber Security and Resilience Bill completed its final stages in the House of Commons. A week later it moved to the House of Lords. Royal Assent is expected later this year.
Most UK businesses will never be named in this legislation. Almost all of them will feel it anyway, because the Bill regulates the companies they hand their IT to.
This post explains what the Bill actually does, who is in scope, who is not, and what a business that outsources its IT should be doing about it now. In plain English, because the coverage so far has mostly been written for lawyers and large enterprises.
What the Bill is
The Bill updates the Network and Information Systems Regulations 2018, the framework that has governed the cyber resilience of essential services (energy, water, transport, health, digital infrastructure) since before most businesses had heard of ransomware.
The 2018 rules had a gap you could drive a lorry through. They regulated the essential services themselves, but not the third parties those services depend on. The last few years of supply chain attacks made the problem obvious: compromise one IT provider and you reach every client environment it manages. The attacker doesn’t need to breach a hundred businesses. They need to breach the one company that holds administrator access to all of them.
The Bill closes that gap. It was introduced to Parliament on 12 November 2025, had its second reading on 6 January 2026, and cleared the Commons on 10 June.
What it actually does
Three changes matter most.
1. Managed service providers come under regulation for the first time
Medium and large providers of managed IT services in the UK will have statutory duties: appropriate and proportionate security measures across the services they deliver, including the systems they use to manage client environments. The Information Commissioner’s Office will regulate them.
Read that again if you outsource your IT. The company that holds your administrator credentials, manages your Microsoft 365 tenant, and remotes into your machines will, for the first time, answer to a regulator for how securely it does so.
2. Incident reporting gets fast and broad
The Bill introduces a two-stage reporting regime for regulated entities: an initial notification to the regulator within 24 hours of becoming aware of a significant incident, and a full report within 72 hours. The National Cyber Security Centre is informed at the same time as the regulator.
The definition of a reportable incident is also wider than before. It includes successful ransomware attacks and pre-positioning, where an attacker has established access but not yet done anything with it. Under the old rules, an intrusion that hadn’t yet disrupted service often went unreported. Under the new ones, it must be declared.
Providers in scope will also have duties to notify affected customers. If your provider suffers a significant incident that touches your systems or data, you are supposed to hear about it, not find out months later from a journalist.
3. Government can designate critical suppliers
Regulators gain the power to designate individual companies as critical suppliers, based on whether their goods or services are essential and whether their compromise could cause serious economic or social consequences. Designated suppliers face similar security and reporting duties. This is the mechanism that lets the regime grow to cover whoever the threat landscape says it should cover, without new legislation each time.
Why this was never really optional
The context is not subtle. Speaking at the RUSI Annual Security Lecture on 17 June, the Chief Executive of the National Cyber Security Centre said the NCSC had managed more than 200 incidents affecting UK critical infrastructure in the year to May 2026, with around three quarters believed linked to state actors. His argument was that cyber security should be treated as an active contest, not a risk to be managed on a register.
We made a related point when we wrote about the 2025/26 breaches survey: the gap between how seriously UK boards say they take cyber security and what they actually do about it remains wide. Legislation like this exists because voluntary improvement was too slow.
Who is not in scope, and why that matters more than you think
Here is the part most of the coverage skips.
Small and micro IT providers are not directly regulated. The Bill applies to medium and large managed service providers. A significant share of UK small businesses buy their IT support from companies that fall below that threshold. Those providers hold exactly the same kind of privileged access as the big ones. They will face no statutory security duties, no mandatory reporting deadlines, and no regulator.
Ordinary businesses are not regulated either. If you run a manufacturing firm, an accountancy practice, or a charity, this Bill places no direct obligations on you.
So the two most likely positions for a typical UK SME are: your provider is in scope and you should understand what that means for you, or your provider is out of scope and you should understand what that means too.
"Our provider will be regulated, so security is handled." Regulation sets a floor for the provider's own resilience. It does not configure your Conditional Access policies, test your backups, or verify that what you're paying for is what you're getting. Accountability for your business's security stays with your business. The Bill does not change that. If anything, it sharpens it.
What to do if you outsource your IT
None of this requires waiting for Royal Assent. The Bill’s direction is settled; only the timetable is not. Phased implementation means some duties may not fully bite until 2028, which is precisely why the businesses that benefit earliest will be the ones that start asking questions now.
- Establish whether your provider will be in scope. Ask them directly: are you a medium or large managed service provider under the Bill's definitions, and what are you doing to prepare?
- Ask how they would meet a 24-hour notification deadline. A provider that cannot tell you what was accessed, when, and by whom during an incident cannot report accurately in 24 hours, and cannot tell you what happened to your data either.
- Check your contract for security obligations and incident notification terms. Most managed service contracts predate this Bill. Renewal is the moment to fix that.
- If your provider is below the size threshold, recognise that no regulator is checking their homework. The due diligence is yours to do, or to commission.
- Verify independently that the controls you are paying for actually exist. A service agreement is a promise. Configuration is a fact. The two disagree more often than anyone likes to admit.
That last point is the one we see fail most often. It is the reason our Independent Security Audit exists: a vendor-neutral check of what is actually in place, whoever manages it. When the provider is about to become regulated, having your own evidence of what they are and aren’t doing stops being a nice-to-have.
What to do if you are a small provider
If you deliver managed IT services and fall below the size threshold, direct regulation is not coming for you yet. Market expectation is. Your clients’ larger customers, insurers, and advisers will increasingly ask why the security standards Parliament thinks are necessary for your bigger competitors don’t apply to you. “We’re too small to be regulated” is not an answer that wins contracts.
The practical response is to demonstrate the same discipline voluntarily: certification, evidenced controls, a written incident response process with realistic timelines. Cyber Essentials is the obvious floor, and increasingly the minimum your clients’ supply chain questionnaires will accept.
The bottom line
The Cyber Security and Resilience Bill is the most significant expansion of UK cyber regulation since 2018, and it regulates the supply chain rather than you. That is good news, but it is not a transfer of responsibility. The businesses that come out of this well will be the ones that treat it as a prompt to look hard at their own arrangements, starting with the question that has always mattered most: do we actually know what our provider is doing?
If you want help answering that question before your provider’s regulator does, get in touch. We will tell you what we see and what to do next.
Sources: Cyber Security and Resilience (Network and Information Systems) Bill: incident reporting factsheet, Department for Science, Innovation and Technology. Parliamentary progress: report stage and third reading 10 June 2026, first reading in the House of Lords 17 June 2026. NCSC incident figures: Dr Richard Horne, RUSI Annual Security Lecture, 17 June 2026.