204 nationally significant cyber attacks hit the UK in the year to August 2025. That is a 130% increase on the previous year. Tough new laws are now on their way that will change expectations for suppliers and board governance.
What the Bill Actually Does
The Cyber Security and Resilience Bill, introduced to Parliament in November 2025, represents the largest overhaul of UK cyber law in a decade. It accomplishes four key objectives:
1. Expands regulated entities: Medium and large Managed Service Providers — the outsourced IT companies that run your servers, manage your helpdesk, handle your backups — are now in scope. Data centres, cloud providers, and critical suppliers also fall under new obligations.
2. Tightens incident reporting: Organisations must notify regulators within 24 hours of significant incidents and provide fuller reports within 72 hours. This includes "near misses" that could cause serious disruption.
3. Creates supply-chain accountability: Regulators may designate critical suppliers and impose security duties on them, increasing scrutiny of outsourced IT and cloud contracts.
4. Strengthens enforcement: Regulators will gain modernised powers to inspect, investigate and enforce cyber resilience standards, backed by tougher, turnover-based penalties.
Why This Matters to Non-Regulated Entities
Three impacts affect mid-market businesses:
- Your MSP now faces legal duties around security and incident reporting
- Existing contracts likely lack 24-hour notification clauses and supply-chain visibility requirements
- Board-level cyber governance scrutiny is increasing, with expectations that directors formally address this risk
Personal Accountability Considerations
While the Bill itself doesn't create explicit personal director liability, two related developments signal direction:
- UK Corporate Governance Code 2024 (Provision 29) requires premium-listed company boards to monitor and report on the effectiveness of material controls from 2026
- The trend toward individual director accountability for cyber oversight is evident in emerging regulatory frameworks
The practical implication: boards should document their cyber risk oversight decisions, as regulators, auditors, insurers, and potential acquirers will ask "What did the board do to manage this risk?"
Five Recommended Actions
1. Ask Your MSP Three Questions
- Awareness of the Bill and compliance plans
- Incident notification timeframes
- Evidence of security certifications (Cyber Essentials minimum)
2. Review MSP Contracts
- Incident notification clauses with defined timeframes
- Data portability provisions
- Right to audit security controls
- Liability caps appropriate to risk exposure
- Sub-contractor transparency
3. Establish Quarterly Board Cyber Agenda
- Critical digital assets identification
- Incidents and near-misses since last meeting
- Status of key controls (patching, backups, access management, training)
- Decisions required
4. Review Cyber Insurance
- Regulatory investigation coverage
- Supplier/MSP incident coverage
- Security condition requirements
- Insurer notification windows
5. Conduct Simple Risk Assessment
Create a one-page table listing critical assets, compromise scenarios, likelihood, existing controls, and gaps.
Investment and Timeline
These five steps require less than 90 days and minimal financial investment. The Bill is expected to receive Royal Assent in 2026, with implementation following via secondary regulations. Acting now positions organisations ahead of the compliance rush, securing better terms and clearer risk visibility before regulatory implementation accelerates.