The Cyber Security and Resilience Bill: What UK Businesses Need to Know in 2026

> regulatory.update —— legislation: Cyber Security and Resilience Bill —— status: PROGRESSING —— scope: EXPANDED —— preparation: START_NOW

Hedgehog Security 7 April 2026 10 min read

The law that's about to change UK cyber security.

The Cyber Security and Resilience (Network and Information Systems) Bill was introduced to the House of Commons on the 12th of November 2025 and is currently progressing through Parliament. When enacted — expected later in 2026 — it will represent the most significant update to the UK's cyber security legislation since the original Network and Information Systems (NIS) Regulations came into force in 2018.

The Bill is the Government's response to the NCSC's warning of a 'widening gap between the increasingly complex cyber threats and the UK's defensive capabilities.' It expands the scope of regulated sectors, introduces enhanced incident reporting requirements, and gives regulators greater enforcement powers. If your business operates in or supports critical sectors, this Bill affects you — and preparation should begin now.

The expanded scope brings more businesses in.

The original NIS Regulations covered operators of essential services in six sectors — energy, transport, health, drinking water, digital infrastructure, and certain digital services. The new Bill expands this scope significantly.

Existing Regulated Sectors

Organisations already regulated under the NIS Regulations — energy, transport, health, drinking water, digital infrastructure, and digital services (online marketplaces, search engines, cloud computing) — will face enhanced requirements under the new Bill, including stricter incident reporting and expanded regulatory powers.

Newly In-Scope Sectors

The Bill is expected to bring additional sectors and supply chain organisations within scope. Managed service providers (MSPs) and other technology suppliers to critical infrastructure are likely to face new obligations — recognising that supply chain compromise has become the primary attack vector for critical sector breaches.

Supply Chain Organisations

If your business provides IT services, managed security, cloud hosting, or other technology services to organisations in regulated sectors, you may be brought within scope of the new regulations — even if your own business is not in a regulated sector.

What the Bill changes in practice.

Change: What it means for your business

Enhanced Incident Reporting: The Bill introduces stricter and faster incident reporting requirements. Organisations will be required to report significant cyber incidents to their sector regulator within defined timeframes. The reporting threshold is expected to be lower than the current NIS requirements, meaning more incidents will need to be reported.

Expanded Regulatory Powers: Sector regulators will gain enhanced enforcement powers, including the ability to issue directions, conduct audits, and impose penalties for non-compliance. The days of cyber security being a voluntary best-practice exercise for regulated sectors are ending.

Supply Chain Security Requirements: Regulated organisations will face obligations to assess and manage the cyber security risks in their supply chains. This means that if you supply services to a regulated organisation, you can expect to face contractual security requirements backed by regulatory obligation — not merely procurement preference.

Technical Standards: The Bill enables the Government to set minimum technical standards for cyber security in regulated sectors, potentially going beyond the current framework of voluntary guidance and certification. These standards may draw on existing frameworks such as the NCSC's Cyber Assessment Framework.

Five steps to take before the Bill becomes law.

Step: Action

1. Assess your scope: Determine whether your business is in a currently regulated sector, is likely to be brought within scope by the expanded definitions, or supplies services to organisations in regulated sectors. If any of these apply, the Bill affects you.

2. Gap analysis against NCSC CAF: Conduct a gap analysis against the NCSC's Cyber Assessment Framework (CAF), which is likely to inform the technical standards set under the Bill. Identify where your current security posture falls short and prioritise remediation.

3. Review your incident response plan: Ensure you have a documented, tested incident response plan that includes regulatory notification procedures. When the Bill's reporting requirements come into force, you will need to be able to report significant incidents quickly and accurately.

4. Audit your supply chain: Assess the cyber security posture of your critical suppliers. Identify single points of failure. Incorporate security requirements into contracts. The Bill will make supply chain security a regulatory obligation, not merely a good practice.

5. Achieve Cyber Essentials Plus: CE+ certification provides a verified baseline of security controls that aligns with the Bill's objectives. Achieving certification now positions your organisation favourably for compliance and demonstrates proactive security management to regulators, clients, and insurers.

The Cyber Security and Resilience Bill is coming. Are you ready?

Our compliance readiness assessments evaluate your current security posture against the frameworks that will underpin the new legislation. From NCSC CAF gap analysis to Cyber Essentials Plus certification to incident response planning, we help you prepare for the regulatory landscape of 2026 and beyond.