After nearly two years of waiting, the UK government has finally introduced its Cyber Security and Resilience Bill to Parliament. For CISOs, this isn't just another regulatory update to file away — it's a fundamental shift in how the UK approaches critical infrastructure protection. Here's what you need to know, and more importantly, what you need to do about it.

The Bill still needs to pass through Parliament, and secondary legislation will define the specifics, but waiting is not a strategy.

The wake-up call: why now? #

Let's start with the elephant in the room: the UK has been operating under outdated regulations while the threat landscape has evolved dramatically. The current Network and Information Systems (NIS) Regulations 2018 were based on the EU's original NIS Directive, a framework that's since been superseded by NIS2 in the EU.

Meanwhile, the UK has suffered a series of high-profile breaches that exposed critical gaps in defenses. Cyber attacks cost the UK economy £14.7bn per year, roughly 0.5% of GDP, according to a recent government-commissioned study.

The ransomware attack on NHS supplier Synnovis and the state-sponsored cyber-espionage that compromised Ministry of Defence staff data are stark reminders that critical infrastructure remains vulnerable.

"As a nation, we must act at pace to improve our digital defenses and resilience, and the Cyber Security and Resilience Bill represents a crucial step in better protecting our most critical services."
– Richard Horne, NCSC Chief

UK CSRB: 8 key provisions (and what’s actually changing) #

The Bill introduces eight major changes that impact how organizations approach cybersecurity. Let's take a look:

1. MSPs are now in scope (finally) #

For the first time, managed service providers will be regulated. This brings an additional 900–1100 firms into scope, a long-overdue recognition that MSPs are critical nodes in the digital supply chain. If you're an MSP serving essential services, you are now directly regulated in your own right, not merely a contractual concern for your customers.

CISO Action: If you rely on MSPs, verify they're preparing for compliance. If you are an MSP, start your compliance program immediately — the transitional period will be shorter than you think.

2. Critical suppliers face mandatory standards #

Regulators now have the power to designate critical suppliers who must meet minimum security standards. This isn't a suggestion, it's enforceable, with real consequences for non-compliance.

CISO Action: Map your critical suppliers now. Understand which of your vendors could be designated as critical and what that means for your supply chain risk management.

3. Supply chain risk management becomes mandatory #

New duties (to be confirmed in secondary legislation) will require operators of essential services to actively manage supply chain risks. This moves beyond traditional vendor management into comprehensive third-party risk assessment.

What this means in practice: you need a current, evidenced picture of

  • Every supplier touching your critical infrastructure
  • Their security posture and compliance status
  • The software they're running (including EOL systems)
  • Their incident response capabilities
  • Their own supply chain dependencies

4. NCSC CAF becomes the baseline #

Operators of essential services must meet "proportionate and up-to-date security requirements" drawn from the NCSC Cyber Assessment Framework. CAF isn't a checkbox exercise, it’s a comprehensive framework covering 14 principles across four objectives.

CISO Action: If you haven't already, familiarize yourself with the CAF. Gap analysis against CAF principles should be your first priority.

5. Faster incident reporting: 24/72 hours #

Initial incident reporting must happen within 24 hours, followed by a full report within 72 hours. For digital and data center providers, customer notification is also mandatory.

The 24-hour challenge

The 24-hour report is an initial notification, not a post-mortem, but even establishing what was hit, how critical it is and what depends on it inside 24 hours is beyond most organizations today. Meeting it demands:

  • Real-time asset visibility
  • Automated detection and alerting
  • Pre-defined incident response procedures
  • Complete asset context (what’s affected, criticality, dependencies)
  • Rapid data collection and reporting capabilities

6. Expanded scope: data centers and smart infrastructure #

Data center providers and systems managing “the flow of electricity to smart appliances” are now in scope. Critical infrastructure extends far beyond traditional IT systems.

7. Enhanced ICO powers for digital services #

The Information Commissioner’s Office gains enhanced powers to identify critical digital service providers and proactively assess cyber risk. Expect more scrutiny.

8. Turnover-based penalties with real teeth #

Penalties shift to turnover-based fines for serious offenses. With a new fee regime allowing regulators to recover costs, the financial stakes just got higher.

The asset visibility gap: your biggest compliance challenge #

You can't comply with what you can't see. Every requirement in this Bill — supply chain risk management, incident reporting, CAF alignment — hinges on knowing what assets you have, where they are, and what state they’re in.

Yet asset visibility remains one of the most significant gaps across critical infrastructure.

  • Shadow IT and IoT: Unknown devices on your network
  • OT blindspots: Systems traditional scanning can’t touch
  • Cloud sprawl: Assets spread across multiple cloud providers
  • Vendor access: Third-party connections outside monitoring
  • EOL systems: End-of-life software still in production

Organizations discover 30–40% more devices when implementing comprehensive asset discovery.

Why manual approaches won't scale #

Spreadsheet-based asset management and quarterly scans won’t cut it. The scale and pace of modern infrastructure require automated, continuous discovery.

You need platforms that can:

  • Continuously discover assets across IT, OT, IoT, cloud, all without agents or credentials
  • Safely scan OT environments without disrupting operations
  • Integrate data from endpoints, cloud providers, scanners
  • Identify EOL systems and misconfigurations
  • Track third-party dependencies with ownership clarity
  • Generate CAF-aligned compliance reports
  • Support rapid incident response with complete asset context

The OT Challenge

Operational technology systems are often fragile and speak proprietary protocols, and aggressive active scanning can stall or crash them. Passive discovery and traffic sampling, with any active probing kept to what the equipment vendor sanctions and rate-limited accordingly, are how you get visibility without causing the outage you are trying to prevent.
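As an added example (not runZero's code or part of the original post), the script below shows the passive approach described above and several items from the platform checklist in one pass: it builds an inventory from sampled flow records without ever sending a packet, attributes vendors from MAC prefixes, classifies which hosts answer on OT protocols, flags a banner that matches an end-of-life product, and surfaces third-party connections reaching internal systems. The port-to-protocol map, OUI table, EOL dates, internal address ranges and the flow sample are all constructed for the example; a real deployment would take flows from a SPAN port, flow export or pcap and use the IEEE OUI registry.

```python
"""Passive asset inventory from sampled traffic (added example, not runZero code).

Reads flow records the way a passive collector would and never sends a packet,
which is the property that keeps fragile OT equipment safe. All lookup tables,
address ranges and the flow sample are constructed for the example.
"""
import csv
import io
import ipaddress
from dataclasses import dataclass, field

# Assumed port -> protocol map; illustrative, not exhaustive.
PORT_PROTOCOLS = {102: "s7comm", 502: "modbus", 20000: "dnp3", 44818: "ethernet-ip",
                  445: "smb", 3389: "rdp"}
OT_PROTOCOLS = {"s7comm", "modbus", "dnp3", "ethernet-ip"}
# Constructed OUI table (first three MAC octets -> vendor); use the IEEE registry in practice.
OUI_VENDORS = {"00:0e:8c": "Siemens", "b8:27:eb": "Raspberry Pi Foundation"}
# Illustrative end-of-life dates, matched as substrings of a passively observed banner.
EOL_PRODUCTS = {"Windows Server 2008 R2": "2020-01-14", "Windows Server 2012 R2": "2023-10-10"}
# Assumed address plan: anything outside these ranges is treated as a third-party endpoint.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

# Constructed flow sample. `banner` is text the destination returned on the response leg.
SAMPLE_FLOWS = """\
ts,src_mac,src_ip,dst_mac,dst_ip,dst_port,banner
2025-03-01T08:00:01Z,b8:27:eb:10:20:30,10.20.1.15,00:0e:8c:aa:bb:01,10.20.5.10,102,
2025-03-01T08:00:02Z,b8:27:eb:10:20:30,10.20.1.15,02:ab:cd:00:00:01,10.20.5.20,44818,
2025-03-01T08:00:05Z,00:50:56:01:02:03,10.20.1.40,00:0e:8c:aa:bb:01,10.20.5.10,102,
2025-03-01T08:01:10Z,00:50:56:01:02:03,10.20.1.40,00:11:22:33:44:55,10.20.1.50,445,Windows Server 2008 R2
2025-03-01T08:02:00Z,00:50:56:0a:0b:0c,203.0.113.7,00:11:22:33:44:55,10.20.1.50,3389,
"""


@dataclass
class Asset:
    ip: str
    first_seen: str
    last_seen: str = ""
    mac: str = ""
    vendor: str = "unknown"
    serves: set = field(default_factory=set)    # protocols this host answers on
    talks_to: set = field(default_factory=set)  # protocols this host initiates
    peers: set = field(default_factory=set)     # IPs it exchanged traffic with
    banner: str = ""


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_records(text: str) -> list:
    return list(csv.DictReader(io.StringIO(text)))


def _touch(inv: dict, ip: str, mac: str, ts: str) -> Asset:
    asset = inv.get(ip)
    if asset is None:
        asset = inv[ip] = Asset(ip=ip, first_seen=ts)
    asset.last_seen = max(asset.last_seen, ts)  # ISO-8601 timestamps sort lexically
    # A routed (off-link) source shows the gateway's MAC, so only attribute MACs to on-link hosts.
    if not asset.mac and is_internal(ip):
        asset.mac = mac.lower()
        asset.vendor = OUI_VENDORS.get(asset.mac[:8], "unknown")
    return asset


def build_inventory(records: list) -> dict:
    inv = {}
    for r in records:
        proto = PORT_PROTOCOLS.get(int(r["dst_port"]), "tcp/" + r["dst_port"])
        src = _touch(inv, r["src_ip"], r["src_mac"], r["ts"])
        dst = _touch(inv, r["dst_ip"], r["dst_mac"], r["ts"])
        src.talks_to.add(proto)
        dst.serves.add(proto)
        src.peers.add(dst.ip)
        dst.peers.add(src.ip)
        if r["banner"] and not dst.banner:
            dst.banner = r["banner"]
    return inv


def findings(inv: dict) -> list:
    """Turn the inventory into the facts a 24-hour initial report has to state."""
    out = []
    for a in sorted(inv.values(), key=lambda x: x.ip):
        for product, eol in EOL_PRODUCTS.items():
            if product in a.banner:
                out.append(f"EOL: {a.ip} runs {product} (support ended {eol}); serves {sorted(a.serves)}")
        if not is_internal(a.ip):
            out.append(f"THIRD-PARTY: {a.ip} reaches {sorted(a.peers)} over {sorted(a.talks_to)}")
        if a.serves & OT_PROTOCOLS and a.vendor == "unknown":
            out.append(f"UNKNOWN-VENDOR: {a.ip} answers {sorted(a.serves & OT_PROTOCOLS)} with no OUI match")
    return out


if __name__ == "__main__":
    inventory = build_inventory(parse_records(SAMPLE_FLOWS))
    for asset in inventory.values():
        print(f"{asset.ip:14} {asset.vendor:24} serves={sorted(asset.serves)} talks_to={sorted(asset.talks_to)}")
    print("\n".join(findings(inventory)))
```

On the constructed sample this yields six assets and three findings: the SMB host at 10.20.1.50 is end-of-life and also reachable over RDP from 203.0.113.7, a third-party address, and the EtherNet/IP device at 10.20.5.20 has no vendor attribution. Note the MAC rule in `_touch`: off-link sources arrive with the gateway's MAC, so attributing vendors from them would silently mislabel every external connection.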

What about NIS2 alignment? #

Should CISOs align with NIS2 or wait for UK-specific guidance? The answer: both.

The UK Bill diverges in some areas (notably CAF emphasis), but core requirements are similar. Organizations already preparing for NIS2 will find their work applicable.

Key similarities with NIS2

  • Supply chain risk management
  • Mandatory incident reporting
  • Asset inventory and vulnerability management
  • Business continuity and disaster recovery
  • Turnover-based penalties

The multi-tenancy question for MSPs #

MSPs must demonstrate compliance not only for their own infrastructure but across all managed client environments. That requires:

  • Multi-organization visibility with data isolation
  • Centralized management plus client-level controls
  • Per-client compliance reporting
  • Scalable architecture for millions of assets
  • Consistent security baselines

The bottom line: start now, always iterate #

Compliance isn’t a one-time project, it’s an ongoing operational discipline. Organizations that embrace it as an opportunity to strengthen security, rather than a burden, will be best prepared.

Much of what the Bill requires, asset visibility, vulnerability management and incident response among it, is simply good security practice. Compliance should be a byproduct, not the goal.

The fastest path to compliance starts with knowing exactly what you’re defending. runZero delivers continuous, automated attack surface discovery across IT, OT, IoT, cloud, and mobile. Learn how runZero can help you meet the Bill’s expectations for CAF alignment, reporting, and third-party risk.

Written by Dom Bieszczad

Dominik is an IT professional with over a decade of experience in information technology and cybersecurity. He is a cyber security technologist, security advocate and business problem solver. Previously he has worked for a variety of industry-leading companies including NTT Communications, Duo Security, Cisco, Palo Alto Networks, and Censys.
