November 18, 2025

Understanding the Cyber Security and Resilience Bill 2025 - Key Changes, Timelines, and Action Steps

The Cyber Security and Resilience Bill sets a new national baseline for cyber governance, mandating rapid incident reporting, expanding regulated sectors, and imposing penalties of up to £17 million or 10% of turnover.


📰 TL;DR

The Cyber Security and Resilience (Network and Information Systems) Bill (CSRB) represents the most significant update to UK cyber law since 2018. It fundamentally expands regulatory scope, tightens incident response rules, and massively increases penalties.

  • Introduced to Parliament: Formally placed before the UK Parliament on 12th November 2025 (Bill 329), starting the legislative process towards becoming law (expected mid-to-late 2026).
  • Expanded Scope: Regulation now covers thousands of new organisations, notably Managed Service Providers (MSPs), Data Centres (1MW+ load), and Designated Critical Suppliers, extending duties deep into the supply chain.
  • Mandatory Incident Reporting: Introduces strict two-stage reporting: an Initial Notification within 24 hours and a Full Report within 72 hours of becoming aware of a significant or potentially significant incident, with dual reporting to the regulator and CSIRT.
  • Severe Penalties: Maximum financial penalties for serious security failures dramatically increase to £17,000,000 or 4% of global turnover (whichever is greater).
  • Enhanced Enforcement: Regulators gain extensive new powers, including on-site inspection powers, requirements to generate new information, and the ability to impose Enforcement Notices and National Security Directions.

📘 Introduction

On 12th November 2025, the Cyber Security and Resilience (Network and Information Systems) Bill (Bill 329) was formally introduced to the UK Parliament, marking a significant milestone in the UK's approach to cyber security regulation. Presented by Secretary Liz Kendall and supported by the Prime Minister and senior ministers, this comprehensive legislation represents the most substantial update to UK cyber security law since the Network and Information Systems (NIS) Regulations 2018.

The Bill’s introduction follows its announcement in the 2024 King’s Speech and the publication of a formal policy paper in April 2025. With 61 sections across 5 Parts and 2 Schedules, the legislation will fundamentally reshape how organisations manage cyber security risks, respond to incidents, and maintain operational resilience.

For thousands of UK organisations - from managed service providers and data centres to critical infrastructure operators and their supply chains - the Bill's introduction signals that compliance preparation is no longer optional. It’s time to act.

📜 The Bill Has Been Introduced: What This Means

The formal introduction of the Cyber Security and Resilience Bill to Parliament on 12th November 2025 triggers the legislative process that will ultimately make these requirements law. While the Bill must still pass through both Houses of Parliament and receive Royal Assent, its introduction represents a clear statement of intent from the UK Government.

Phased Commencement (Section 60)

Section 60 of the Bill provides for phased commencement:

  • Immediate effect on Royal Assent:
    Part 1 (Introduction), Chapters 1, 3 and 6 of Part 3, Section 40 (Reports), and Part 5 (General provisions)
  • Two months after Royal Assent:
    Section 18(3) and (4) (Information sharing), Chapter 2 of Part 3 (Statement of Strategic Priorities), and certain Schedule 2 provisions
  • Appointed day by regulations:
    All other provisions, with different days possible for different purposes

This phased approach means organisations have a window to prepare, but that window is closing. The most significant changes - expanded scope, mandatory incident reporting, and new enforcement powers - will come into effect once the Bill receives Royal Assent and the Secretary of State makes commencement regulations.

Key Changes in the Bill

The Cyber Security and Resilience Bill introduces sweeping changes that will affect organisations across multiple sectors. Below are the most significant updates.

1. Dramatically Expanded Scope of Regulation

New Sectors and Services Brought Under Regulation

  • Managed Service Providers (MSPs)
    Section 9 introduces "Relevant Managed Service Providers" (RMSPs) as a new regulated category. Any MSP providing ongoing management of IT systems in the UK - on-premises or remotely - must comply with security duties under Regulation 14B and register under Regulation 14C.
  • Data Centres
    Section 4 brings data centre services into scope as essential services. Data centres with a rated IT load of 1MW+ (or 10MW for enterprise data centres) must comply with operator of essential services (OES) duties, including mandatory information provision (Regulation 8ZA) and incident reporting (Regulation 11A).
  • Large Load Controllers
    Section 6 designates controllers managing 300MW or more of potential electrical load as OES, bringing large-scale energy demand management systems under regulatory oversight.
  • Critical Suppliers
    Section 12 introduces Regulation 14H, enabling competent authorities and the Information Commission to designate "critical suppliers" whose failure could disrupt essential services - significantly extending regulatory reach deep into supply chains.
  • Cloud Computing Services Redefined
    Section 7 updates the definition of cloud computing services as "relevant digital services" (RDSPs), emphasising elasticity, scalability, and remote access.

2. Mandatory Incident Reporting with Strict Timelines

Section 15 introduces major changes to incident reporting expectations.

Expanded Definition of an Incident

  • Section 15(2) broadens the definition to include incidents “capable of having” an impact - not only those with actual impacts - meaning more events must now be reported.

24-Hour Initial Notification

  • Required for OES (Regulation 11), RDSP (Regulation 12A), and RMSP (Regulation 14E)
  • Must include at minimum:
    • Organisation name
    • Affected service
    • Brief description

72-Hour Full Notification

Full reports must include:

  • Time and duration
  • Ongoing status
  • Nature of incident
  • Related incidents in other regulated organisations
  • Cross-border impacts
  • Any other information supporting regulator/CSIRT response

Dual Reporting

Notifications must be submitted simultaneously to:

  • The competent authority (or Information Commission)
  • The Computer Security Incident Response Team (CSIRT)

Customer Notification

Under Section 16 and Regulations 11C, 12C, and 14G, affected UK customers must be notified as soon as reasonably practicable after the full regulatory notification is submitted.
Notifications must explain why the customer is likely to be adversely affected.

3. Enhanced Enforcement and Penalty Powers

Section 21 and Schedule 1 significantly strengthen regulator enforcement capability.

Financial Penalties

Penalties are tiered:

  • Serious failures (e.g., security duties, incident reporting):
    Up to £17,000,000 or 4% of global turnover
  • Standard failures (e.g., registration errors, missed deadlines):
    Up to £10,000,000 or 2% of global turnover

Information-Gathering Powers

Section 20 introduces Regulation 15, giving regulators authority to require:

  • Information and documentation
  • Generation of new information
  • Collection of data not otherwise retained

Enhanced Inspection Powers

Schedule 1 strengthens Regulation 16, permitting:

  • On-site inspections
  • Examination, copying, removal of documents
  • System testing and interviews
  • Requirements to preserve evidence without alteration

Enforcement Notices

Under Schedule 1 (Regulation 17), regulators may issue Enforcement Notices requiring immediate corrective action.
Failure to comply can result in civil proceedings.

4. National Security Directions (Part 4)

Part 4 introduces unprecedented powers for national security scenarios:

  • Section 43 allows the Secretary of State to give directions to regulated persons when threats pose a risk to national security. These directions can:
    • Require specific security measures
    • Prohibit or restrict use of goods, services, or facilities
    • Require removal, disabling, or modification of systems
    • Require appointment of skilled persons
    • Apply to activities outside the UK
  • Section 44 provides that compliance with national security directions takes priority over conflicting regulatory requirements.
  • Section 49 sets maximum penalties for non-compliance with directions:
    • Up to £17,000,000 or 10% of global turnover for undertakings
    • Daily penalties of up to £100,000 per day for continuing violations
    • Up to £50,000 per day for information/inspection failures

5. Strategic Priorities and Codes of Practice (Part 3)

Part 3 introduces new governance frameworks:

  • Statement of Strategic Priorities
    Section 25 allows the Secretary of State to designate a Statement of Strategic Priorities setting out government priorities for cyber security and resilience.
    Section 27 requires regulatory authorities to have regard to this statement and seek to achieve relevant objectives.
  • Code of Practice
    Section 36 enables the Secretary of State to issue a Code of Practice describing recommended measures for compliance.
    Section 38 makes codes admissible in evidence and requires courts and regulators to take them into account when determining compliance questions.
  • Regulatory Powers
    Section 29 allows the Secretary of State to make regulations relating to security and resilience of network and information systems, with powers to impose requirements on regulated persons under Section 30.

6. Cost Recovery Powers

Section 17 introduces Regulations 20A–20C, allowing NIS enforcement authorities to:

  • Impose periodic charges on regulated persons through charging schemes
  • Recover costs of enforcement activities
  • Require payment of charges that need not relate to functions exercised in relation to the specific person charged

7. Information Sharing Enhancements

Section 18 significantly expands information sharing powers:

  • Regulation 6 allows NIS enforcement authorities to share information with other authorities, law enforcement, CSIRT, and UK public authorities for various purposes including national security, crime prevention, and regulatory functions.
  • Regulation 6A provides for onward disclosure with appropriate safeguards.
  • Regulation 6B allows the Information Commission to use information obtained under NIS Regulations for other functions if necessary and proportionate.
  • Regular sharing of registers and lists with GCHQ is mandated under Regulations 8ZA(6), 14(5), and 14C(6).

🏛️ What to Expect Next: The Legislative Process

With the Bill now introduced to Parliament, organisations should understand the timeline ahead.

Parliamentary Stages

  1. First Reading
    Completed on 12th November 2025. The Bill was formally introduced and ordered to be printed.
  2. Second Reading
    Expected in the coming weeks. This is the main debate on the Bill's principles, where MPs will discuss the overall approach and key provisions.
  3. Committee Stage
    Detailed examination of each clause, with potential amendments. This is where technical details may be refined.
  4. Report Stage
    Further opportunity for amendments based on committee work.
  5. Third Reading
    Final debate in the House of Commons before the Bill moves to the House of Lords.
  6. House of Lords
    The Bill will go through similar stages in the Lords, where peers may propose amendments.
  7. Royal Assent
    Once both Houses agree on the final text, the Bill receives Royal Assent and becomes an Act of Parliament.

Expected Timeline

Based on typical parliamentary processes for significant legislation:

  • Late 2025/Early 2026: Second Reading and Committee Stage
  • Early to Mid 2026: Report Stage, Third Reading, and House of Lords consideration
  • Mid to Late 2026: Royal Assent expected
  • Late 2026/Early 2027: Commencement regulations likely to bring most provisions into force

However, given the Bill's significance and the government's stated priorities, the process may be accelerated. Organisations should prepare for the possibility of earlier implementation.

What Will Happen After Royal Assent?

Section 60 provides for phased commencement, meaning different parts of the Bill will come into force at different times:

  1. Immediate (on Royal Assent):
    • Definitions and introductory provisions
    • Powers to make regulations
    • Reporting requirements framework
  2. Two Months After Royal Assent:
    • Information sharing provisions
    • Statement of Strategic Priorities framework
  3. Appointed Day (by regulations):
    • Expanded scope (MSPs, data centres, critical suppliers)
    • Mandatory incident reporting requirements
    • Enhanced enforcement powers
    • National security directions

The Secretary of State will make commencement regulations specifying exact dates. Organisations should expect guidance and consultation on implementation timelines.

✅ Critical Action Items for Organisations

With the Bill now before Parliament, preparation is no longer theoretical. Here’s what organisations should do immediately.

1. Determine Your Regulatory Status

Assess whether you fall into scope:

  • Managed Service Providers:
    Do you provide ongoing IT management services? Review Section 9 and Regulation 14B to understand RMSP duties.
  • Data Centres:
    Check your rated IT load. If 1MW+ (or 10MW+ for enterprise), you’ll be an OES under Section 4.
  • Cloud/Digital Services:
    Review Section 7 to see if your services meet the "relevant digital service" definition.
  • Critical Suppliers:
    Even if not directly regulated, you may be designated as a critical supplier under Section 12 if your failure could impact essential services.
  • Existing OES/RDSP:
    Your duties are expanding. Review all new requirements.

2. Prepare for Mandatory Incident Reporting

The 24/72-hour timelines are strict. Prepare now:

  • Review incident detection capabilities – Can you identify reportable incidents within 24 hours?
  • Establish reporting workflows – Create clear processes for:
    • Initial notification (24 hours)
    • Full notification (72 hours)
    • Customer notification (as soon as reasonably practicable)
    • Dual reporting to regulator and CSIRT
  • Update incident response plans – Ensure they align with new legal requirements.
  • Train staff – Incident response teams must understand new thresholds and timelines.
  • Test processes – Run tabletop exercises simulating the new reporting requirements.

3. Strengthen Security Posture

Enhanced enforcement means higher stakes:

  • Conduct gap assessments – Identify where current security measures fall short of expected standards.
  • Review security governance – Ensure board-level accountability and clear ownership.
  • Assess supply chain risks – Understand dependencies and prepare for potential critical supplier designation.
  • Review contracts – Ensure supplier agreements support compliance with new requirements.
  • Consider certifications – Cyber Essentials, ISO 27001, and other frameworks can demonstrate due diligence.

4. Understand Information Gathering Powers

Regulators will have extensive information powers:

  • Document your security measures – Be ready to demonstrate compliance through documentation.
  • Review data retention policies – Regulators can require collection of data you wouldn't normally retain.
  • Prepare for inspections – Understand what inspectors can access and require.
  • Legal privilege considerations – Know what information is protected from disclosure.

5. Plan for Cost Recovery

Regulators can recover costs through charges:

  • Budget for compliance costs – Periodic charges may be imposed regardless of whether functions are exercised in relation to your organisation.
  • Monitor charging scheme consultations – Regulators must consult before making or revising schemes.
  • Understand charge structures – Review how charges are calculated (may be based on turnover).

6. Monitor Parliamentary Progress

Stay informed as the Bill progresses:

  • Track amendments that may affect your obligations.
  • Participate in consultations on guidance and codes of practice.
  • Review draft regulations as they're published.
  • Engage with industry bodies and trade associations.

⚠️ The Bottom Line: Why This Matters Now

The introduction of the Cyber Security and Resilience Bill to Parliament is a clear signal that the UK is serious about raising cyber security standards across the economy.

For organisations in scope, the message is clear:

  1. Compliance is becoming mandatory, not optional – More organisations will face legal duties.
  2. The cost of non-compliance is high – Penalties up to £17 million or 10% of turnover.
  3. Preparation takes time – Incident response and governance improvements cannot be rushed.
  4. Supply chain risks are real – Critical supplier designation increases exposure.
  5. The window for preparation is closing – Royal Assent could come as early as mid-2026.

🛡️ How Precursor Security Can Help

At Precursor Security, we are helping organisations prepare for the Cyber Security and Resilience Bill through:

Our team combines deep technical expertise with regulatory knowledge to help integrate compliance into your security strategy.

🚀 Conclusion: The Time to Act is Now

The Cyber Security and Resilience Bill's introduction to Parliament on 12 November 2025 marks a major shift in UK cyber regulation. Expanded scope, stricter requirements, and enhanced enforcement powers mean organisations cannot wait.

The most successful organisations will treat CSRB compliance as an opportunity to strengthen security and build trust.

Start preparing now. Assess your exposure, strengthen your capabilities, and build the governance structures needed to meet these requirements.

For organisations needing deeper guidance, we’ve published a comprehensive CSRB Readiness Assessment on the Cyber Security and Resilience Bill website, featuring detailed explanations, sector-specific implications, and practical preparation steps tailored to different types of organisations. Visit cybersecurityandresiliencebill.com to explore more.

For tailored support, explore the resources on this site or contact Precursor Security to discuss your specific needs.


Written by

Precursor Security

