The Cyber Security and Resilience Bill moved through its final Commons stages this month and is on track to become law later in 2026. It is the most significant update to the UK’s cyber security rules since the Network and Information Systems Regulations came into force back in 2018, and plenty of businesses that think it has nothing to do with them are about to find out otherwise.
What is actually changing
The Bill updates and widens the existing framework rather than replacing it. The headline shift is scope. It pulls more organisations into regulation, including managed service providers and data centres, and it puts supply chains firmly in the spotlight. Incident reporting tightens too, with faster mandatory reporting timeframes for affected organisations.
The detail most businesses miss is this: a company can be drawn into scope not because of what it does, but because of who it supplies. If a business provides services to organisations in regulated sectors, new obligations can apply even if its own sector is not regulated. Supply chain compromise has become the primary route attackers use to reach larger targets, and the legislation is built to close that gap.
Why this matters even for smaller businesses
It is tempting to assume cyber regulation is a problem for big infrastructure operators. The numbers say otherwise. Around 43% of UK businesses reported a breach or attack in the past year, and the majority of victims are small and medium-sized firms, often because attackers see them as the easier way in to someone larger.
Full enforcement is expected to be phased, with some elements not landing until later. That sounds like breathing room, but it is really a window. The businesses that come out of this well are the ones treating the next few months as preparation time rather than waiting for a deadline.
What to do now
A few practical steps put any business in a stronger position, regardless of whether it ends up formally in scope:
- Run a scoping exercise to understand whether the new rules could reach the business, directly or through the clients it supplies
- Review supplier security, since only a small fraction of UK firms currently check their suppliers and it is now a known weak point
- Work towards Cyber Essentials, which covers a large share of common attacks
- Put a tested incident response plan in place, so a breach does not turn into a reporting failure on top of a security failure
How Shoothill helps
This is the kind of moment where having the right technology partner makes the difference between scrambling and being ready. Shoothill provides managed IT and Cyber security support built for exactly this, from scoping whether a business is affected, to strengthening defences, to Cyber Essentials and incident response planning. The goal is simple: businesses that are protected, prepared, and not caught out when the rules change.
If the new legislation has raised more questions than answers, that conversation is worth having sooner rather than later.