204 nationally significant cyber attacks hit the UK in the year to August 2025. That is a 130% increase on the previous year. Tough new laws are now on their way that will change expectations for suppliers and board governance.
What the Bill Actually Does
The Cyber Security and Resilience Bill was introduced to Parliament in November 2025. It's the biggest overhaul of UK cyber law in a decade, and it does four things that matter:
1. Expands regulated entities: Medium and large Managed Service Providers — the outsourced IT companies that run your servers, manage your helpdesk, handle your backups — are now in scope. Data centres, cloud providers, and critical suppliers also fall under new obligations.
2. Tightens incident reporting: Organisations must notify regulators within 24 hours of significant incidents and provide fuller reports within 72 hours. This includes "near misses" that could cause serious disruption.
3. Creates supply-chain accountability: Regulators may designate critical suppliers and impose security duties on them, which means more scrutiny of your outsourced IT and cloud contracts.
4. Strengthens enforcement: Regulators will gain modernised powers to inspect, investigate and enforce cyber resilience standards, backed by tougher, turnover-based penalties.
Why This Matters to Non-Regulated Entities
For mid-market businesses, three things change:
- Your MSP now faces legal duties around security and incident reporting
- Existing contracts likely lack 24-hour notification clauses and supply-chain visibility requirements
- There's a growing expectation that directors formally address cyber risk at board level
Personal Accountability Considerations
The Bill doesn't create personal liability for directors directly. But two related developments suggest that's where things are heading:
- The UK Corporate Governance Code 2024 (Provision 29) requires premium-listed company boards to monitor, and report on, the effectiveness of material controls from 2026
- The direction of travel across regulation is clearly toward holding individual directors accountable for cyber oversight
What this means in practice: document your cyber risk decisions. Regulators, auditors, insurers, and anyone looking to acquire you will ask the same question — 'What did the board actually do about this?'
Five Recommended Actions
1. Ask Your MSP Three Questions
- Is it aware of the Bill, and what are its plans for compliance?
- What incident notification timeframes does it commit to?
- Can it evidence its security certifications (Cyber Essentials as a minimum)?
2. Review MSP Contracts
- Incident notification clauses with defined timeframes
- Data portability provisions
- Right to audit security controls
- Liability caps appropriate to risk exposure
- Sub-contractor transparency
3. Establish a Quarterly Board Cyber Agenda
- Identification of critical digital assets
- Incidents and near-misses since last meeting
- Status of key controls (patching, backups, access management, training)
- Decisions required
4. Review Cyber Insurance
- Regulatory investigation coverage
- Supplier/MSP incident coverage
- Security condition requirements
- Insurer notification windows
5. Conduct a Simple Risk Assessment
Create a one-page table listing critical assets, compromise scenarios, likelihood, existing controls, and gaps.
Investment and Timeline
None of this requires significant investment, and all five steps can be done within 90 days. The Bill is expected to receive Royal Assent in 2026, with the detail following in secondary regulations. Getting ahead of this now means better terms, clearer visibility, and fewer surprises when the rules take effect.