Critical Supply Chain Security Rules

Supply chain security assessment services for the UK Cyber Resilience Bill are priced by supplier volume and programme scope: Supply chain inventory and risk classification (10-25 critical suppliers): £6,000-£10,000. Comprehensive TPRM programme with questionnaires and contractual review (25-50 suppliers): £12,000-£20,000. Full enterprise supply chain security programme with continuous monitoring (50+ suppliers): £25,000-£35,000+. Ongoing per-supplier monitoring: from £500/supplier/year. DCS readiness assessment (for suppliers who have received designation from a client): from £4,500. All engagements are fixed-price. We provide a confirmed scope and price within 24 hours of receiving your supplier count and sector.

Annual questionnaires satisfy the spirit of supplier oversight but rarely survive regulatory scrutiny. The specific gaps we find consistently in existing programmes: (1) no written classification methodology distinguishing critical from important suppliers using the Bill's criteria, (2) questionnaire responses accepted at face value with no verification, (3) contracts that mention security obligations but do not specify notification timelines, audit rights, or subcontractor requirements, and (4) no documented process for what happens when a supplier's posture deteriorates between reviews. We build those missing components into your existing programme rather than replacing it.

The UK Cyber Security and Resilience Bill requires operators of essential services (OES) and relevant digital service providers (RDSP) to: identify which suppliers qualify as designated critical suppliers (DCS) under the Bill's classification criteria; conduct documented security assessments of those suppliers aligned to the NCSC 12 Supply Chain Security Principles and ISO 27001:2022 Annex A.5.19-A.5.23; impose contractual incident notification obligations (24-hour initial notification, 72-hour full incident report); establish right-to-audit clauses and cascading obligations to subcontractors; and monitor supplier security posture on an ongoing basis. Penalties for non-compliance reach up to £10 million or 2% of global annual turnover for most violations, with higher tiers for the most serious failures.

The Bill uses the term designated critical supplier (DCS) for third parties whose compromise or failure would have a significant impact on your ability to deliver essential services. Classification depends on four criteria: (1) service criticality to your operations, (2) sensitivity of data the supplier processes, (3) potential impact of supplier failure or breach, and (4) the degree of operational dependency. Managed service providers (MSPs) with administrative access, cloud infrastructure providers, critical SaaS platforms, payment processors, and suppliers with access to sensitive customer or operational data are typically in scope. Crucially, the Bill includes a provision that the small and micro enterprise exemption does not apply where the supplier's service is genuinely critical, regardless of the supplier's headcount or turnover.

A Bill-compliant vendor security questionnaire should cover eleven control domains: (1) information security governance and accountability, (2) access control and privileged access management, (3) network security and segmentation, (4) data handling and encryption, (5) incident detection and response capabilities, (6) incident notification procedures and 24/72-hour reporting capability, (7) vulnerability management and patch timelines, (8) business continuity and disaster recovery, (9) physical and environmental security, (10) subcontractor and supply chain management (cascading obligations), and (11) security certifications held (ISO 27001, Cyber Essentials Plus, SOC 2 Type II). Questionnaires should also ask suppliers to provide their Statement of Applicability if ISO 27001 certified, and to identify subcontractors who have access to your data or systems.

The Bill does not prescribe a single assessment methodology, but the NCSC's 12 Supply Chain Security Principles provide the closest thing to an official framework. A defensible third-party risk assessment under the Bill requires four components: (1) a written classification methodology identifying which suppliers qualify as designated critical suppliers under the Bill's definitions; (2) a security assessment conducted through questionnaires aligned to ISO 27001:2022 controls (Annex A.5.19-A.5.23) and verified where possible through documentation review or on-site audit; (3) contractual review to confirm mandatory incident notification timelines (24-hour initial, 72-hour full report) and right-to-audit clauses are in place; and (4) a documented process for ongoing monitoring and reassessment. The assessment must produce evidence-grade documentation capable of withstanding scrutiny from your competent authority.

Directly, the Bill's primary obligations apply to operators of essential services (OES) and relevant digital service providers (RDSP), not to their suppliers. However, the Bill creates cascading obligations: OES and RDSP organisations must impose contractual security requirements on their designated critical suppliers, including incident notification timelines, audit rights, and minimum security standards. If a client has notified you that you are classified as one of their designated critical suppliers, those obligations are contractual rather than directly regulatory. You are complying with your client's contractual requirements (which the Bill mandates they impose), not with the Bill itself. The distinction matters when you receive a questionnaire that appears to go beyond the Bill's actual requirements, which is common. Our DCS readiness assessment helps you understand exactly what you are required to do, and what your client may be adding on top of the statutory baseline.

Both frameworks extend security obligations through the supply chain, but they differ in scope and mechanism. EU NIS2 directly brings certain categories of suppliers in scope as important or essential entities in their own right, making them directly regulated. The UK Bill primarily creates cascading contractual obligations: the OES or RDSP organisation is responsible for ensuring its critical suppliers meet required standards, rather than regulators directly supervising those suppliers. The UK Bill also uses the designated critical supplier designation mechanism, which NIS2 does not. Organisations operating in both UK and EU jurisdictions should map requirements separately. Compliance with NIS2 does not automatically satisfy the UK Bill, and vice versa, because the classification criteria and documentation requirements differ.

ISO 27001:2022 Annex A.5.19-A.5.23 covers supplier relationships and is a good foundation. The Bill adds requirements that sit outside the standard: mandatory 24-hour incident notification clauses (ISO 27001 does not specify timeframes), cascading obligations to your suppliers' subcontractors (not standard ISO scope), and regulator-facing evidence documentation in specific formats. In practice, most ISO 27001 certified organisations need to close around four to six specific gaps to meet the Bill's supply chain provisions. We identify those gaps in a half-day workshop and give you a prioritised remediation roadmap, without re-doing your entire ISO programme.

The Bill requires ongoing monitoring, not annual point-in-time assessments. For designated critical suppliers, we recommend: quarterly scorecard reviews tracking control maturity and certification status; immediate reassessment triggered by any supplier security incident (data breach, ransomware, regulatory action, key personnel change); and annual full reassessment with updated risk register and classification review. For important but non-critical suppliers, annual questionnaire refresh with certification verification. The monitoring programme must produce a quarterly evidence log suitable for presentation to your competent authority.