UK Cyber Security and Resilience Bill: What Changed November 2025

The UK government introduced the Cyber Security and Resilience Bill to Parliament on 12 November 2025, bringing over 900 managed service providers and third-party data centres of 1MW or more into the UK NIS regime.

Michael
Security Engineer

On 12 November 2025, the UK government introduced the Cyber Security and Resilience (Network and Information Systems) Bill to Parliament — the most significant amendment to the UK's NIS regime since the 2018 regulations. The Bill is expected to receive Royal Assent in 2026 and represents the post-Brexit answer to NIS2: a broader scope, stronger powers for sector regulators, explicit supply chain duties, and a new statutory category for managed service providers. For UK security teams, and for any vendor (EU or otherwise) that ships into the UK regulated economy, the Bill is the most important legislative event of the cycle.

What changed in the legal framework?

The 2018 Network and Information Systems Regulations (NIS Regulations) transposed the original NIS Directive into UK law and have remained largely untouched since Brexit. The new Bill amends — rather than replaces — the NIS Regulations, but the amendments are extensive enough to constitute a substantive new regime. Five structural changes matter:

  • Introduction of a new category, the Relevant Managed Service Provider (RMSP), bringing in medium and large MSPs that were not covered by the 2018 regime.
  • Inclusion of data centres above 1MW capacity (10MW for enterprise-only data centres) as relevant digital service providers, regulated jointly by the Secretary of State for Science, Innovation and Technology and Ofcom.
  • A new supply chain security duty across both operators of essential services (OES) and RMSPs, requiring contractual flow-down of security obligations to direct suppliers of network and information systems.
  • Strengthened information powers, including the ability for the Information Commissioner's Office (ICO) and sector regulators to demand information about incidents, vulnerabilities, and the security of customer-facing systems.
  • A new statutory power for the Secretary of State to designate "critical suppliers" who do not directly provide a service to end-customers but whose failure would materially affect essential services — a UK equivalent of DORA's CTPP designation.

Who is in scope?

The Bill adds roughly 1,100 entities to the regime by government estimate: 900+ MSPs as RMSPs plus data centres and a small number of newly designated critical suppliers. Existing OES — energy, transport, water, health, digital infrastructure, and digital service providers — remain in scope and pick up the new duties.

Coverage of MSPs is defined by activity rather than sector. An RMSP is, in summary, an entity that provides a managed service in the UK (regardless of where the entity is established) above the medium-enterprise threshold, where the managed service involves ongoing administration of customer ICT systems or data. The Bill enumerates several exclusions, including micro and small enterprises, providers serving only their own group, and providers that fall under other sector-specific cyber regimes (financial services under DORA's UK equivalent, telecoms under the Telecommunications (Security) Act).

The data centre threshold deserves attention. A "data centre service" provided to third parties at 1MW or more is in scope. A data centre operated for the data-centre operator's own undertaking only is in scope from 10MW. The thresholds were chosen to capture the colocation, hyperscale, and large enterprise tiers while sparing local server rooms and edge sites.

| Entity type | New / existing | Approx. count | Primary regulator |
|---|---|---|---|
| Operators of essential services | existing | ~600 | Sector regulators (Ofgem, Ofwat, DfT, NHS, CAA, etc.) |
| Relevant digital service providers | existing, expanded | ~150 | ICO |
| Relevant managed service providers | new | ~900 | ICO |
| Data centres (third-party services, 1MW or more) | new | ~70 | DSIT + Ofcom |
| Designated critical suppliers | new | discretionary | Secretary of State / sector regulators |

What does the supply chain duty actually require?

The Bill imposes a security duty on regulated entities to take appropriate and proportionate measures to manage cybersecurity risks to network and information systems, expressly including risks arising from supply chains and direct suppliers. The duty is calibrated by reference to NCSC guidance — including the Cyber Assessment Framework — and is operationalised through three concrete obligations.

First, regulated entities must conduct due diligence on direct suppliers of network and information systems. The standard expected is "appropriate and proportionate" given the criticality of the supply, the size of the supplier, and the cyber threat. Second, regulated entities must include security clauses in contracts with direct suppliers, including obligations to notify of incidents, to maintain agreed security measures, and to allow audit or testing. Third, regulated entities must keep their assessment of supply chain risk up to date and demonstrate to the regulator that it informs procurement and operational decisions.

The Bill does not require an exhaustive sub-supplier register equivalent to the DORA Register of Information, but it gives regulators the power to demand information about sub-suppliers where that information is reasonably necessary to understand the entity's risk profile. In practice, regulated entities are likely to construct a tiered supplier inventory anyway, because answering such a request from scratch is slower and riskier than maintaining one.

What are the incident reporting obligations?

The Bill aligns more closely with NIS2 than with the 2018 NIS regime on incident reporting. Significant incidents must be notified to the relevant regulator (and, where applicable, the NCSC) without undue delay and in any event within 24 hours of becoming aware, with a follow-up incident report within 72 hours and a final report within one month. The Bill expressly captures "near misses" and significant cybersecurity threats, not just incidents that have caused actual disruption — a step beyond the EU NIS2 baseline.

Reporting flows through the appropriate regulator. For RMSPs, the ICO is the regulator and front-line recipient. For data centres, DSIT and Ofcom act jointly. For OES, the report goes to the sector regulator and, where applicable, to the NCSC.

What are the penalties?

The Bill maintains the 2018 NIS Regulations' maximum civil penalty of £17 million but augments it with several enforcement powers more aligned with NIS2:

  • Information notices and inspection powers, with criminal sanctions for non-compliance.
  • The ability for regulators to publish enforcement notices, naming and shaming non-compliant entities.
  • A regulatory levy on RMSPs and data centres to fund the ICO's enforcement function.
  • Personal accountability for senior managers in a manner consistent with the existing Senior Managers Regime in financial services, although the Bill stops short of explicit personal liability of the kind enacted in Germany's NIS2 transposition.

The Secretary of State retains powers to amend penalty levels by secondary legislation, which is one of the Bill's more contested clauses in parliamentary scrutiny.

What should defenders do now?

For the 900+ entities newly captured as RMSPs, four steps are critical before commencement:

  • Determine RMSP status with documented reasoning: map headcount and turnover against the medium-enterprise threshold, and map the service catalogue against the managed-service definition (ongoing administration of customer ICT systems or data), including any exclusions that may apply.
  • Conduct a baseline assessment against the NCSC Cyber Assessment Framework (CAF) and close the gaps — the ICO is expected to use the CAF as its de facto audit standard.
  • Build a direct-supplier inventory that records, for each contract, whether the required security clauses (incident notification, maintenance of agreed security measures, audit or testing rights) are present, ready for inspection.
  • Update incident response runbooks so they produce the 24-hour notification, 72-hour incident report and one-month final report as structured artefacts, and record the time at which the entity became aware of the incident, since that timestamp starts the clock.

For existing OES, the action is narrower: revisit supply chain risk assessments and ensure security clauses flow down to direct suppliers. The 2018 regime did not require this explicitly, and sector regulators are expected to demand evidence of it in their first post-commencement supervisory cycle.

How Safeguard Helps

Safeguard generates SBOMs for the software products and services that RMSPs deliver to UK-regulated customers, supporting the supply chain due-diligence duty with continuous evidence rather than questionnaire-based attestations. TPRM workflows track every direct supplier against the NCSC CAF and the Bill's specific supply chain criteria, producing the audit trail the ICO is expected to demand. Policy gates block deployment of components below baseline patch levels or missing required attestations, closing the gap between procurement contracts and engineering practice. Griffin AI reachability analysis informs incident triage, helping teams establish quickly whether an alert is a significant incident that starts the 24-hour notification clock rather than noise, which reduces the cost of the new reporting regime. Compliance automation produces NCSC CAF-aligned evidence packages and exports them in the structured form sector regulators are starting to request.
