Discover how the upcoming UK Cyber Security and Resilience Bill will introduce robust new duties on critical suppliers, expand regulatory oversight, and future-proof the UK's critical national infrastructure.
Cyber threats, particularly those targeting supply chains, are an ever-increasing problem for critical services in the United Kingdom and beyond. Between 2021 and 2023, supply chain attacks surged by 431%, with projections indicating continued growth through 2025, underscoring the urgency of robust third-party risk management and stepped up efforts by organisations to harden their supply chain security, especially with regard to our Critical National Infrastructure (CNI).
Given this concerning increase in attacks, governments are striving to enhance their national cyber security regulatory frameworks, with the UK set to introduce a new Cyber Security and Resilience Bill this year.
Here, we examine the Bill’s objectives, its evolution from existing legislation, and some of the targeted measures that are being discussed to specifically address the challenge of securing the often vast supply chains of our CNI, offering a comprehensive analysis of its likely implications for operators of UK critical infrastructure.
On 1 April 2025, the Department for Science, Innovation and Technology (DSIT) published a policy statement setting out some of the details and proposed measures of the upcoming Bill.
The Bill’s overall aim is simple: to improve the UK’s readiness to protect key sectors and the critical digital services they rely on against escalating cyber threats. The Bill is said to update the Network and Information Systems (NIS) Regulations 2018, which are no longer considered adequate to effectively address the scale of the threat. The 2025 Bill is being introduced to expand the remit of current regulations to cover a broader range of digital services and supply chains, particularly those supporting critical national infrastructure (CNI) such as energy, water, transport, healthcare, and digital infrastructure. It is widely regarded as the UK’s response to the EU’s introduction of NIS2, which also focused on:
The UK Cyber Security and Resilience Bill, however, also takes into consideration UK-specific cyber security challenges (such as state-sponsored attacks and legacy infrastructure in sectors such as water and energy) and will be designed to allow for delegated powers, enabling the regulatory framework to be updated swiftly in response to new technologies and threats without the need for lengthy primary legislation processes.
The Bill also proposes that the Information Commissioner’s Office (ICO) serves as a key competent authority. This means they will oversee compliance for relevant digital service providers (RDSPs) and managed service providers, most likely including data centres.
The ICO is currently responsible for upholding information rights and ensuring cyber security compliance; this extended role goes towards ensuring that entities involved in providing essential systems and services also meet the new standards that will be set out by the Bill.
The Cyber Security and Resilience Bill significantly expands the scope and rigour of the NIS Regulations 2018.
While the NIS Regulations focused on operators of essential services (OES) in sectors like energy, transport, and health, and RDSPs such as cloud providers, the new Bill expands its coverage to include data centres, MSPs, and other critical suppliers.
A further development of the Bill is its emphasis on far stricter incident reporting requirements, mandating a two-stage process:
Incident focus is another key difference. Unlike the NIS Regulations, which focused on incidents disrupting service continuity, the Bill will also cover incidents affecting system and data confidentiality, integrity, or availability.
Furthermore, regulators will gain enhanced powers, including cost recovery mechanisms through fees on regulated entities and the ability to proactively investigate vulnerabilities and designate certain suppliers as ‘designated critical suppliers’, with obligations similar to those of operators of essential services. These measures contrast with the NIS Regulations’ approach, enabling a more dynamic response to emerging threats.
The Bill also empowers the Secretary of State to update regulations via secondary legislation, ensuring adaptability without requiring new Acts of Parliament - an essential step towards the flexibility required for the government to keep up with the evolving threat landscape.
In the past 2 years alone, there have been several key examples in the UK of how vulnerable critical entities’ supply chains are to modern cyber threats:
In an effort to prevent future attacks of this nature, the Bill plans the following:
The Bill is set to establish the National Cyber Security Centre’s Cyber Assessment Framework (CAF) as the benchmark for expected security standards. Its Basic and Enhanced Profiles will serve as guidance for OES, RDSPs, and designated critical suppliers (DCS), covering governance, risk management, and incident recovery. With CAF as a cyber security blueprint, tools like the Cyber Resilience Audit scheme and Cyber Essentials will provide additional verification.
The Bill introduces strict supply chain responsibilities for operators of essential services (OES) and relevant digital service providers (RDSPs). These obligations will be codified in secondary legislation, informed by stakeholder consultations. The goal is to prevent incidents at suppliers disrupting vital services (such as the NHS outages caused by the Synnovis ransomware attack).
A key feature of the Bill is the power to designate high-impact vendors as Designated Critical Suppliers (DCS), placing them under the same stringent obligations as OES and RDSPs. Regulators will target suppliers whose disruption could cripple essential services or digital infrastructure—for instance, the payroll breach that impacted the Ministry of Defence. To be designated as a DCS, a supplier must:
Once designated, DCS entities must meet strict security requirements and report incidents, ensuring even smaller vendors uphold high standards. The designation will remain selective to maintain a focused, high-impact approach.
To improve threat response, the Bill enforces a two-stage incident reporting process. Critical suppliers must alert regulators and the NCSC within 24 hours of a major issue, followed by a comprehensive report within 72 hours. This system, prompted by delays during the Synnovis attack, increases visibility and accelerates containment. Digital service providers and data centres must also notify affected customers, building transparency and trust across the board.
The Bill is expected to be introduced to Parliament in 2025, but the implementation of the Bill will also depend on secondary legislation to define the specifics—such as supply chain duties and criteria for designating critical suppliers.
According to the DSIT policy statement, the legislation will go through consultation, allowing input from regulators, cyber security experts, and industry stakeholders. While no exact dates have been confirmed, consultations are expected to begin after the Bill is introduced in 2025, with drafts likely developed and refined throughout 2026.
The government has committed to further engagement, building on prior consultations from 2022 and 2023. DSIT has already received inquiries from organisations eager to contribute, showing strong industry interest. As part of the rollout, the Secretary of State will publish a Statement of Strategic Priorities—updated every three to five years—to steer regulators and sectors. The first version is expected to be released during the Bill’s progression through Parliament.
Public sector bodies and businesses, especially OES, should begin assessing their supply chain security posture, aligning their systems with NCSC’s Cyber Assessment Framework (CAF), and updating incident response plans to meet upcoming reporting obligations. Regulators will publish additional guidance as the secondary legislation takes shape, clarifying what compliance will look like in practice.
The Cyber Security and Resilience Bill represents a significant legislative update aimed at strengthening the nation’s cyber defences and increasing resilience across the UK’s critical infrastructure.
The increased oversight of the Bill - to include data centres, managed service providers, and other high-risk suppliers - complements stronger incident reporting rules and tighter control over supply chains.
The new regime will create strong incentives for both regulators and regulated entities to maintain effective oversight of supply chain risk, aiming to reduce the likelihood and impact of supply chain attacks on CNI.
In summary, the Bill can be expected to fundamentally strengthen supply chain cyber security for UK CNI by imposing clear, enforceable duties on both operators and their most critical suppliers, expanding regulatory oversight, and enabling rapid adaptation to new threats. This marks a shift from reactive to proactive risk management, with a focus on the interconnected digital landscape and the importance of supply chain resilience.