UK Cyber Security and Resilience Bill will force critical suppliers to "beef up" their defences
New rules set to impose strict new security requirements on a growing range and number of businesses.
The UK has proposed "tough new laws" to bolster the nation's cybersecurity defences and protect national infrastructure from the growing risk posed by criminals and nation-state threat actors.
Under the Cyber Security and Resilience Bill, regulators will have the ability to designate a wider range of organisations as "critical suppliers", as well as increased freedom to issue orders demanding they "beef up" security measures.
The scope of the rules will be wide and ever-growing, covering everything from IT management and help desk providers to businesses that supply healthcare diagnostics to the NHS or chemicals to a water firm.
Suppliers will also be required to meet strict security standards and have "robust plans" in place to deal with the consequences of an attack. Then, when the worst happens, they will need to report "harmful cyber incidents" to their regulator and the National Cyber Security Centre (NCSC) within 24 hours, followed by a full briefing within 72 hours.
It is hoped that the sharpened regulatory regime will help shield hospitals, energy grids, water supplies, and transport networks from threat actors bent on fighting a cyberwar against Britain, as well as financially or politically motivated hackers.
In a tough-talking statement, Liz Kendall, Science, Innovation, and Technology Secretary, said: "Cybersecurity is national security. This legislation will enable us to confront those who would disrupt our way of life. I’m sending them a clear message: the UK is no easy target.
"We all know the disruption daily cyber-attacks cause. Our new laws will make the UK more secure against those threats. It will mean fewer cancelled NHS appointments, less disruption to local services and businesses, and a faster national response when threats emerge."
A grim threat landscape
The UK is now facing roughly four "nationally significant" cyber attacks every week with "the potential to have a serious impact on essential services", according to the NCSC.
For example, in 2024, hackers accessed the Ministry of Defence’s payroll system via a managed service provider, resulting in over 11,000 disrupted medical appointments and procedures with an estimated cost of £32.7 million.
A particularly nasty attack on critical infrastructure could cost Britain more than £30 billion in increased borrowing, according to the Office for Budget Responsibility. That's the equivalent of 1.1% of GDP.
Independent research also published today shows the average cost of a significant cyber-attack in the UK is now more than £190,000. This amounts to around £14.7 billion per year across the economy, equivalent to 0.5% of the UK’s GDP.
Carla Baker, Sr Policy Director, UK&I at Palo Alto Networks, said the Bill comes at an important time for the nation's security.
"There has never been a more crucial moment for cybersecurity in the UK," Baker told Machine.
"Threats are increasingly widespread and must be addressed head-on. This Cyber Security & Resilience Bill is an important step towards making the UK’s digital and critical infrastructure more resilient."
The bill will help tackle the worsening security threat by bringing managed service providers (MSPs) under its scope.
"A supply chain is only as strong as its weakest link," Baker warned. "That's why the Bill will empower regulators to categorise those businesses whose disruption would have a significant impact on the provision of essential services as 'critical dependencies' to help address systemic supply chain risk."
For Dray Agha, senior manager of security operations at Huntress, the rules show the UK is "finally catching up" to the scale of modern cyber threats.
"This Bill signals that resilience is now a matter of national security, not a box-ticking exercise," Agha said. "By pulling managed service providers into scope, the government is targeting one of the most exploited weak links in the digital supply chain, a move long overdue after years of attackers abusing trusted IT partners.
"The 24-hour reporting window raises the bar for transparency, forcing organisations to treat cyber incidents like any other public safety emergency, which requires rapid response and clear communication.
"Stronger penalties and proactive oversight mean complacency is no longer affordable: companies that invest early in security visibility, threat detection, and tested response plans will be the ones still standing when the dust settles."
Securing the supply chain
Marc Jones, Regional Director of UK & Ireland at Armis, welcomed the Bill but questioned whether it would deter the bad guys on its own.
"Essential services rely on sprawling supplier networks, and attackers know it," he said.
"Designating these providers as critical and enforcing security standards is a strong start, but compliance and penalties alone won’t stop advanced threats."
"True resilience demands a proactive cybersecurity strategy that provides the contextual awareness to see, protect and manage the entire attack surface in real time, from every single connected asset in an environment to every dependency within the supply chain."
Ric Derbyshire, Principal Security Researcher at Orange Cyberdefense, described the Bill as a "welcome step" towards addressing the metastasising danger of supply chain attacks.
"It’s easy for organisations to fall into the trap of thinking of their ‘supply chains’ in the narrow terms of those immediately connected to them," he warned. "By bringing new classes of service providers into scope, from managed service providers and data centre operators to suppliers whose goods and services support critical systems, the CSRB broadens the reach of national cyber regulation.
"This shift encourages organisations involved in CNI to recognise that security and resilience rely on an interdependent ecosystem, rather than a simple chain."
Too little, too late?
Unfortunately, the public sector is wide open to cyberattack right now, and it's far from clear that one big bill will protect it.
Trevor Dearing, Director of Critical Infrastructure at Illumio, said: "Security across the public sector is too fragmented, and a move towards a more centralised plan will be beneficial for establishing a unified security posture that is better suited to defending against cyber threats.
"Third-party providers form the lifeblood of government departments. Cybercriminals will always target the weakest link in the chain to gain access to more valuable systems. A risk-based approach to security is key to achieving this, ensuring that the most threatened services receive the most resources.
"The shift from reporting only successful breaches to reporting all cyber incidents is long overdue and will drive rapid improvements in how organisations protect their most critical assets and respond to attacks.
"Granting the Technology Secretary new powers to ensure that regulators and organisations monitor or isolate high-risk systems is a smart move. The goal must be to reach a point where organisations can contain and limit the impact of attacks before they cripple essential services; isolating critical systems helps to achieve this."
Part of the problem with security in Britain's crusty old public sector is that many cyber-physical systems in critical infrastructure rely on outdated technology that cannot be modernised quickly.
Nick Haan, Field CTO at Claroty, warned: "For years, operators of essential services have sought clearer direction on how to strengthen their defences, and this Bill provides much-needed guidance and accountability.
"Securing cyber-physical systems is inherently complex with many critical entities relying on decades-old operational technology that cannot be modernised overnight. Meeting new requirements will take time and sustained investment, but it’s encouraging to see the government acknowledging these realities while driving progress."
Implications for enterprises
The rules come as industries move towards a new model in which security is not solely the responsibility of the CISO but a shared board-level priority, according to Charlotte Wilson, head of enterprise at Check Point Software.
"These reforms not only strengthen our collective resilience but also enable organisations to focus on maintaining business continuity, rather than treating security as an isolated function," she said.
"However, for the proposals to be truly effective, we need to see stronger powers for the ICO and NCSC to compel boards to take action when risks are identified, alongside stricter governance around the procurement and oversight of outsourced third parties handling data.
"While nation-state threats remain a key concern in critical national infrastructure, many high-profile breaches have originated from weaknesses within outsourced supply chains, an area that must be governed with the same rigour as internal operations."
Tim Pfaelzer, GM & SVP EMEA at Veeam, told us the new rules reflect "the urgency of the threats" facing Britain and should not be seen as yet another round of onerous regulations.
"Attacks aren’t just becoming more frequent and sophisticated, they are also becoming more targeted, going straight to critical national infrastructure and their supporting supply chains to maximise damage," he said.
"I’d encourage organisations to see this for what it is: not just a new compliance hoop to jump through in an already saturated regulatory landscape, but a call to work more collaboratively within their supply chains, and to embrace greater accountability.
"Ultimately, introducing regulation is only half the battle. Ensuring that organisations buy into the new mandate, hold themselves accountable, and embrace new requirements on third-party risk management and incident reporting, is the next major hurdle."