Does the Cyber Security and Resilience Bill apply to my SME?

Most UK SMEs will not be directly regulated under the Bill. The NIS framework targets operators of essential services, certain digital services, managed service providers above a size threshold, and designated critical suppliers. However, if you supply into regulated sectors or rely on an MSP that falls in scope, you will feel indirect effects through tighter contractual demands, evidence requirements, and incident reporting expectations from your customers and partners.

Is the Cyber Security and Resilience Bill law yet?

No. As of February 2026, the Bill has been introduced to Parliament (12 November 2025) and is in Committee stage in the House of Commons. It is not yet enacted. Many practical details will also depend on secondary legislation and regulator guidance published after Royal Assent.

What is a relevant managed service provider (RMSP) under the Bill?

The Bill defines a managed service as a contract for ongoing management of IT systems where the provider connects to or has access to the customer's network and information systems, including remotely. Micro and small enterprises are excluded from the RMSP definition. Medium and large MSPs meeting the criteria would be brought into scope of the NIS Regulations.

What are the penalties under the Cyber Security and Resilience Bill?

The Bill proposes maximum penalties of up to £17 million or 4 percent of worldwide turnover (whichever is higher) for more serious breaches, and up to £10 million or 2 percent for less serious breaches. The detail on how turnover is calculated will be set out in secondary legislation.

What should my business do now to prepare for the Bill?

Start with board-level clarity: identify your top 5 to 10 critical business services and map the IT systems and suppliers each depends on. Then do a supplier reality check with your MSP and key providers - confirm incident escalation routes, recovery responsibilities, and access controls in writing. You do not need to buy new frameworks or certifications. Focus on ownership, visibility, and evidence of resilience.

Does outsourcing IT to an MSP transfer my cyber risk?

No. Outsourcing IT changes how you deliver technology services, not whether the business owns its operational risk. Under NIS-style regimes, responsibility for resilience outcomes stays with the organisation delivering the regulated service, even when suppliers are involved. The Bill may also regulate certain MSPs directly, but that does not remove the customer's governance obligations.

How is the Cyber Security and Resilience Bill different from Cyber Essentials or ISO 27001?

Cyber Essentials and ISO 27001 are voluntary certifications. The Cyber Security and Resilience Bill is primary legislation that creates statutory duties for organisations in scope of the NIS framework. The legal duty is framed as 'appropriate and proportionate' risk management - it does not mandate any specific certification or framework. Certifications can support compliance but are not substitutes for demonstrable resilience.

What incident reporting changes does the Bill introduce?

For regulated entities, the Bill introduces a two-stage reporting structure: an initial notification within 24 hours of becoming aware that a significant incident has occurred, followed by a fuller report within 72 hours. Even if your organisation is not directly regulated, your customers may push faster notification requirements down contractually to meet their own duties.

Cyber Security Bill: Guide for UK Businesses | Assurix

The Cyber Resilience Bill raises supply chain and IT provider expectations for UK businesses. Here's what it means and what questions to ask your MSP.

What the Bill means for UK businesses

The Cyber Security and Resilience Bill primarily targets operators of essential services and digital service providers. For most SMEs, the direct compliance obligations are limited. However, the indirect effects matter significantly.

Supply chain obligations flow downstream

If your business provides services to a regulated sector, or your MSP does, you may be affected through supply chain obligations. Regulated organisations will increasingly demand evidence of security practices from all their suppliers and service providers.

What this means for how you choose your MSP

Your MSP will need to demonstrate security practices, not just claim them
Point-in-time certifications like Cyber Essentials may not be sufficient
Continuous verification will become the expected standard
Insurance and contractual requirements will tighten

Questions to ask your current MSP

Ask your IT provider how they are preparing for the Bill. Ask to see evidence of their security controls, not just their policies. A provider that cannot demonstrate their practices is a risk to your business.

Visit https://assurix.com/blog/cyber-security-resilience-bill-uk-businesses to view the full interactive page.