Preparing for the UK’s new cyber security rules: What your organization needs to know right now

BSI
Staff
1 Sep 2025

Cyber threats are escalating in intensity, frequency, and impact, and the UK is taking decisive action. High-profile ransomware attacks on NHS pathology services and the Royal Mail have laid bare serious risks. They show how easily sensitive data can be stolen and critical operations paralyzed. Smaller organizations are often in the firing line too, especially those working in complex supply chains.

In response, the UK government is introducing the Cyber Security and Resilience Bill. It’s a landmark piece of legislation to strengthen national cyber defences. First announced in the 2024 King’s Speech, it is expected to be introduced to parliament between September 2025 and mid-2026.

In this article, we explore what the Bill means for your organization and what actions you may need to take. We also look at how international standards like BS EN ISO/IEC 27001 can help you prepare and build long-term information security resilience.

Why the Cyber Security and Resilience Bill matters

The threat landscape is evolving rapidly, with the National Cyber Security Centre (NCSC) describing it as “diffuse and dangerous.” Emerging technologies such as AI are increasingly being weaponized by attackers, driving new forms of exploitation. In 2024, there was a 60% surge in phishing attacks. Many are powered by deep-fake audio, images and video, generated by AI.

Yet the laws designed to protect UK organizations have not kept pace. Existing regulations, such as the NIS Regulations 2018, were built on older EU frameworks. They no longer reflect the realities of modern threats or today’s technological capabilities.

The Cyber Security and Resilience Bill seeks to close this gap. By introducing new requirements for digital services suppliers and their partners, it aims to increase regulatory scrutiny and introduce tougher reporting obligations.

What’s changing and who will be affected

If you weren’t affected by earlier regulations, that may be about to change. This Bill expands the scope of who falls under regulation. If you’re a Managed Service Provider (MSP) or a ‘critical supplier’ to essential services, you will be brought within scope.

MSPs are third parties that offer core IT services to businesses. With access to their clients’ IT systems, networks, infrastructure, and data, they are tempting targets for cyber criminals. On the ‘critical suppliers’ side, it will be up to the regulator to determine who falls within scope. However, if you’re a supplier to ‘critical services’ like the NHS or energy suppliers, you are likely to be affected.

What does this mean for organizations brought into scope?

Firstly, your position in the supply chain will matter more than ever. Even if you’re not delivering frontline services, you may be expected to meet tougher security standards, particularly if your systems or products support critical infrastructure or public services. This is because the digital landscape is increasingly complex, with cloud storage and interconnected supply chains creating many potential entry points.

Cyber attackers may target smaller suppliers to access larger, more critical organizations. A single vulnerability can then trigger cascading effects across essential services.

You’ll also need to prepare for stronger reporting requirements. A two-stage process will be introduced: an initial notification within 24 hours of becoming aware of an incident, followed by a detailed report within 72 hours. This faster pace is designed to improve transparency and ensure that incidents are contained quickly.

Regulators will also be stepping up. They’ll have more authority to investigate vulnerabilities and recover costs from organizations where necessary. They can also adjust requirements as new threats emerge, like those powered by AI.

What your business can do now

You don’t need to wait for the Bill to become law before acting. Here are six steps you can take now to strengthen your cyber resilience and get ahead of the new requirements:

  • Work out if you’re likely to be affected: Are you a Managed Service Provider, a digital service provider, or part of a critical supply chain? If so, the chances are high that you’ll fall under the new rules.

  • Take a close look at your supply chain: Who are your key suppliers, and do they have the right security measures in place? Because third-party risk will be a major focus, your own compliance will depend heavily on theirs.

  • Update your incident response plans: With the Bill introducing stricter reporting timelines, you’ll need to be able to act quickly.

  • Don’t neglect the basics: Implement a robust security baseline with measures like multi-factor authentication, encryption, patching, and regular testing.

  • Strengthen governance: Cyber risk needs to be firmly on your leadership agenda, with clear records of decisions, risks, and controls. That way, you can show that security is taken seriously at every level of your organization.

  • Consider recognized standards: Standards such as BS EN ISO/IEC 27001 can help you meet requirements of the Bill and provide a way to build long-term resilience.

How BS EN ISO/IEC 27001 helps you get ahead

BS EN ISO/IEC 27001 is the global standard for information security management systems (ISMS). It offers a practical and recognized way to respond to the new cyber landscape. It provides a proven framework for managing data security, identifying risks, and embedding information security resilience into business practices.

The benefits of the standard are wide-ranging:

  • Protects sensitive information and prevents breaches;

  • Enhances customer and stakeholder trust;

  • Aligns with both existing and upcoming legal requirements (including the Bill);

  • Streamlines compliance by clarifying responsibilities and controls;

  • Helps reduce internal threats through policies and training;

  • Supports digital transformation by embedding secure practices.

Ultimately, aligning with BS EN ISO/IEC 27001:2023 helps build the trust and confidence that regulators, partners, and customers are looking for.

How other standards support your 27001 programme

Alongside BS EN ISO/IEC 27001, you can add focused guidance where it matters most:

  • BS EN ISO/IEC 27002 gives you a practical catalogue of security controls, helping you choose the right measures and show clear evidence at audit.

  • BS EN ISO/IEC 27005 provides a step-by-step way to identify, assess, and treat information-security risks so decisions are recorded and defensible.

  • BS ISO/IEC 27035-1 sets out how to prepare for, detect, and contain incidents, and how to report them within tight timelines.

  • BS ISO/IEC 27031 aligns technology recovery with business priorities so you can reduce downtime and prove readiness.

  • BS EN ISO 22301 formalises your business continuity system, clarifying roles, recovery objectives, and rehearsal.

  • BS ISO/IEC 27036-1 helps you set security requirements for suppliers, build them into contracts, and monitor performance.

  • Finally, where software development is in scope, ISO/IEC 27034-1 helps you build security into the development lifecycle from design through testing.

Build resilience now to stay ahead later

Rather than viewing the Cyber Security and Resilience Bill as a compliance burden, smart businesses will see it as an opportunity. By responding now, you will not only meet new obligations but also build stronger, more resilient foundations for growth.

Have a say in how these standards evolve and how the UK contributes internationally.

By joining a BSI committee, you can help shape the UK position on the ISO/IEC 27000 series of standards. In exchange for your practical expertise, you’ll gain early sight of the draft standards that inform strategy, risk and procurement. Organizations of all sizes across industry, SMEs, government, academia and consumer groups can express interest.

Discover more about BSI Membership

Become a BSI member and you’ll be joining over 11,000 organizations committed to making positive changes through standards. You’ll get extra support in implementing standards via a team of research professionals, and stay up to date with relevant changes to standards through a monthly spreadsheet. Your personalized Membership certificate and digital Membership badge will help your organization stand out from the competition too. Every member enjoys a 50% saving on British Standards and 50% off subscriptions to BSI Knowledge and BSI Compliance Navigator. Members also get 10% off ISO and other foreign standards.
