
Getting ready for the CSRB

The Cyber Security and Resilience Bill (CSRB) is set to become the most significant piece of UK cyber-security legislation since the introduction of the Network and Information Systems (NIS) Regulations in 2018. Often described as the UK’s answer to NIS 2, the comparison is helpful but incomplete. While there are clear similarities in scope expansion and regulatory intent, the Bill also signals a more flexible, and potentially more interventionist, approach to cyber-security regulation in the UK.

For organisations likely to fall within scope, the key message is clear: preparation cannot wait until the Bill receives Royal Assent, expected in early 2027. The changes it introduces will require adjustments not only to technical controls, but also to governance, incident response, supplier management and regulatory engagement.

A fundamental shift in regulatory scope

At its core, the Bill is divided into two parts. The first amends the existing NIS Regulations, significantly expanding the range of organisations subject to UK cyber-security regulation. Most notably, managed service providers (MSPs) and data centre operators of a certain size will be brought into scope for the first time. Regulators will also gain the power to designate additional “critical suppliers” whose services are essential to the operation of UK critical infrastructure, even where those suppliers are based outside the UK.

This marks an important shift in how cyber-risk is viewed at a national level. The original NIS regime largely focused on traditional critical national infrastructure such as energy, transport and water. The CSRB recognises that these operators rely on complex and often opaque supply chains, and that systemic cyber-risk increasingly resides within those dependencies rather than the core operators themselves.

Government estimates suggest that around 1,100 additional organisations could be brought into scope, potentially doubling the number of regulated entities. While this expansion is less dramatic than that seen under NIS 2 in the EU, it represents a material change for service providers that may not previously have viewed themselves as part of the UK’s critical national infrastructure. Inclusion in the regime has important practical consequences, including potential fines of up to 4% of global turnover for non-compliance.

However, given the economic significance of recent attacks on retailers and manufacturers, including Marks & Spencer and Jaguar Land Rover, it remains to be seen whether Parliament will try to make further changes to bring these sectors into scope too.

Incident reporting: faster, broader, more visible

For all in-scope organisations, one of the most immediate and challenging changes will be the incident reporting regime. Under the Bill, regulated organisations will be required to report not only incidents that have disrupted operations, but also those capable of causing disruption. Crucially, an initial notification will need to be made within 24 hours, with reports submitted to both the relevant regulator and the National Cyber Security Centre (NCSC).

Regulators will also gain new powers to compel organisations to make information about incidents public, and to share that information with other bodies.

This has significant implications for legal teams, communications functions and executive leadership, particularly in organisations where incident response planning has historically been driven by technical considerations alone.

Rapidly determining whether an incident is capable of causing disruption to the delivery of an essential service will sometimes be challenging, particularly for organisations with small in-house cyber-security teams. Preparation here involves a combination of effective tooling and wider process maturity. Organisations should be stress-testing their incident management workflows now, ensuring that decision-making, evidence collection, escalation and external communications can operate at the pace the new regime will demand.

The overlooked but transformative second half of the Bill

While much of the early commentary has focused on scope expansion, the second part of the Bill may ultimately prove more consequential. It grants government a broad set of powers to introduce additional security regulations for in-scope organisations, covering the identification, management and mitigation of cyber-risks, as well as the handling of incidents. Organisations will need to adapt to a legal framework that evolves much more rapidly and comprehensively than the NIS Regulations.

Notably, the Bill does not itself introduce new technical security requirements. Instead, it creates a mechanism for government to define these requirements in the future, without needing to return to primary legislation. One likely early use of these powers will be to place the NCSC’s Cyber Assessment Framework on a firmer statutory footing.

The Bill also enables government to issue directions to individual regulators or regulated organisations. While these powers are described as being for exceptional circumstances, such as responding to heightened geopolitical threats, the criteria for their use are broad. This raises important questions, particularly for multinational organisations, about how such directions would be applied in practice and how conflicts with other regulatory regimes might be managed.

It is also an area where parliamentary scrutiny is likely to intensify, and amendments may yet be introduced as the Bill passes through the Lords and Commons.

What “good preparation” looks like now

For CISOs and security leaders, the CSRB should be treated less as a compliance exercise and more as a prompt to reassess cyber-resilience as a business risk.

Organisations already regulated under NIS should prioritise readiness for the new incident notification requirements and maintain close, proactive relationships with their regulators. Understanding regulatory expectations, and demonstrating transparency and intent, has historically been as important as technical maturity when it comes to enforcement outcomes.

For MSPs, data centre operators and other organisations likely to be brought into scope for the first time, the message is not to panic. Regulators have generally taken a pragmatic and proportionate approach to NIS enforcement. However, being regulated does introduce new obligations and potential liabilities. Organisations will need to be able to evidence that they understand their cyber- and resilience risks and are taking appropriate, risk-based steps to manage them.

Suppliers more broadly should also assess whether they could be designated as critical suppliers, particularly if they support multiple UK critical infrastructure sectors. Waiting for formal designation is unlikely to be the best strategy. Early alignment with NIS principles can significantly reduce disruption if and when regulation follows.

The role of specialist support

One consistent lesson from the original NIS regime is that organisations which navigated it most effectively were those that treated compliance, resilience and operational security as interconnected challenges. For many, this involved drawing on external expertise – not simply to “pass an audit”, but to help interpret regulatory expectations, benchmark maturity and build sustainable security practices.

As the CSRB expands the regulated population and introduces greater regulatory flexibility, that need is likely to grow. Organisations that invest early in understanding the intent of the Bill, rather than reacting to its enforcement, will be best placed to adapt as the regulatory landscape continues to evolve.

Scott Hudson is a principal consultant at Bridewell

Main image courtesy of iStockPhoto.com and posteriori