Cyber Security and Resilience Bill (CSRB) - UK 2025 Guide
What it means. Who it affects. How to stay compliant.
Read the Released Bill
The UK Government released the Cyber Security and Resilience (Network and Information Systems) Bill on 12th November 2025 as Bill 329. The legislation is now before Parliament and sets out comprehensive new requirements across 5 Parts and 61 sections for cybersecurity across essential services, digital services, managed service providers, and critical suppliers.
What is the Cyber Security and Resilience Bill?
The Cyber Security and Resilience (Network and Information Systems) Bill (CSRB) was introduced to Parliament on 12th November 2025 as Bill 329. This legislation marks the UK's most comprehensive update to cyber legislation in over a decade, significantly expanding the scope of existing NIS Regulations 2018 to include managed service providers (MSPs), cloud platforms, data centres, and critical suppliers. The Bill is structured in 5 Parts with 61 sections, creating new regulatory frameworks and enforcement powers.
Mandatory incident reporting
Stronger regulatory oversight
Tougher compliance standards
Under Part 2 of the Bill, organisations delivering essential or digital services will be expected to proactively manage cyber risk, including throughout their supply chains. The Bill introduces mandatory incident reporting within 24 hours (Section 15), with full reports due within 72 hours. Failing to comply may result in financial penalties of up to £17,000,000 or 10% of global turnover (Section 21), plus daily penalties of up to £100,000 for continuing violations (Section 49).
Part 4 grants the Secretary of State new powers to issue national security directions to regulated entities, while Part 3 establishes strategic priorities and codes of practice. Now is the time to assess your readiness. CSRB will reshape how UK businesses approach resilience, compliance, and security - and inaction is no longer an option.
Who's Affected
CSRB significantly expands the scope of organisations required to comply with cybersecurity regulations. Is your organisation on this list?
Managed Service Providers (MSPs)
If you provide ongoing IT management, support, or monitoring services, you're now regulated. Must register within 3 months and comply with security duties. Small businesses (micro/small enterprises) are exempt.
Cloud Service Providers
Cloud computing, online marketplaces, and search engines are now 'relevant digital services' under CSRB. Must register, implement security measures, and report incidents within 24-72 hours.
Data Centres
Data centres with 1MW+ capacity (or 10MW+ for enterprise-only) are now essential services. Must register within 3 months, report incidents, and notify customers of security breaches.
Public Services
Local authorities, councils, and government departments providing essential services are directly in scope. Enhanced cybersecurity and resilience requirements apply, even if you generate commercial income.
NHS Organisations
Hospitals and NHS trusts are critical infrastructure providers. Must implement comprehensive security measures, report incidents within 24-72 hours, and notify patients of data breaches.
Critical Suppliers
Suppliers to regulated organisations can be designated as 'critical suppliers' if their failure would disrupt national infrastructure. Even small businesses can be designated and face the same regulatory duties.
Key Changes
CSRB introduces several major reforms to the UK's cybersecurity landscape. Here's what you need to know:
Bringing More Organisations Into the Frame
Part 2, Chapter 1 of the Bill significantly expands who must comply with cyber regulations. Section 9 brings Managed Service Providers (MSPs) into scope as 'Relevant Managed Service Providers' (RMSPs), subject to security duties under Section 10. Section 4 designates data centres as essential services with thresholds of 1MW (general) or 10MW (enterprise-only). Section 6 brings large load controllers (300MW+) into scope. Section 12 allows designation of critical suppliers. These changes close major gaps in the UK's cyber defence chain, bringing hundreds of previously unregulated entities under oversight.
Need help preparing?
Our compliance team can guide you through the new requirements
Compliance Challenges
What It Takes to Stay Secure - and Within the Law
The Cyber Security and Resilience (Network and Information Systems) Bill (Bill 329) introduces ambitious new standards for digital resilience across the UK. With 5 Parts and 61 sections, the legislation creates comprehensive regulatory frameworks covering incident reporting (Part 2, Chapter 2), enforcement powers (Part 2, Chapter 3), strategic priorities (Part 3, Chapter 2), and national security directions (Part 4). Compliance isn't just ticking a box - it's a fundamental shift in how organisations govern, secure, and audit their digital infrastructure. Meeting these standards will demand clear governance, technical maturity, and operational discipline.
Key Requirements
24/72 Hour Incident Reporting
Section 15 mandates initial notification within 24 hours and a full report within 72 hours of becoming aware of an incident. Organisations must notify both the competent authority and the CSIRT. Customer notification is required 'as soon as reasonably practicable' (Section 16).
Registration & Information Duties
Sections 13-14 require registration within 3 months of becoming regulated. Organisations must provide company details, directors, and contact information. Updates must be notified within 7 days. Non-UK entities must nominate a UK representative.
Supply Chain & Critical Suppliers
Section 12 allows designation of critical suppliers. Section 30(3) enables requirements on 'activity-critical supplies'. Organisations must actively manage cyber risks throughout supply chains.
Regulatory Inspections & Information Requests
Section 20 grants powers to require information/documents. Schedule 1 strengthens inspection powers (Regulation 16) allowing on-site inspections, document examination, and system testing. Must cooperate and pay reasonable costs.
Financial Penalties Up to £17M
Section 21 sets maximum penalties: £17,000,000 or 10% of global turnover for serious failures; £10,000,000 or 2% for standard failures. Section 49 allows daily penalties: £100,000/day for national security violations, £50,000/day for information/inspection failures.

Ready for CSRB?
Many organisations will need to overhaul their cyber policies, documentation, and infrastructure to comply. Can you demonstrate secure supply chains, respond to threats in real-time, and pass regulatory scrutiny?
How Precursor Security Can Help
Our tailored solutions ensure your organisation stays compliant with the Cyber Security and Resilience Bill while strengthening your overall security posture.
24/7 Threat Detection & Response
Security Operations Centre
Our UK-based CREST-accredited SOC provides always-on monitoring and rapid incident response, helping you meet CSRB's 24-hour notification requirements for cyber incidents.
Identify Weaknesses Before Attackers Do
Penetration Testing
Our certified ethical hackers simulate sophisticated attacks to uncover vulnerabilities across your digital estate, satisfying CSRB's independent validation requirements.
Audit-Ready Cyber Assurance
Compliance
Stay ahead of CSRB with our compliance assessments, including NIS audits, Cyber Essentials & Plus certifications, and NCSC CAF implementation support.
Latest Insights
Stay updated with the latest developments, compliance guidance, and expert analysis on the Cyber Security and Resilience Bill.

What is the UK Cyber Security and Resilience Bill (CSRB) and Why Should You Care?
The UK Cyber Security and Resilience Bill (CSRB) is the biggest shake-up of UK cyber legislation in years - expanding scope, tightening reporting rules, and making resilience a legal obligation for organisations.
Implementation Timeline
Key milestones in the Cyber Security and Resilience Bill's journey from announcement to enforcement.
17 July 2024
CSRB announced during the State Opening of Parliament
The Labour government commits to strengthening UK cyber security through new legislation in the King's Speech.
1 April 2025
CSRB Policy Statement published
Government outlines planned measures and legislative intent, including MSPs, data centres, and reporting mandates.
12 November 2025
Bill 329 Introduced to Parliament
The Cyber Security and Resilience (Network and Information Systems) Bill is formally introduced as Bill 329. The Bill contains 5 Parts, 61 sections, and 2 Schedules.
2025-2026
Parliamentary Process
The Bill proceeds through First Reading, Committee Stage, Report Stage, and Third Reading in both Houses of Parliament.
Late 2025 / 2026
Royal Assent & Commencement
Once Royal Assent is granted, provisions come into force as specified in Section 60. Some provisions are immediate, others require regulations. Organisations must begin complying with new requirements.
Ready to Secure Your Future?
Book a free consultation with our CSRB experts and discover how we can help your organisation achieve compliance while strengthening your cyber resilience.
What You'll Get
Personalised CSRB Assessment
Understand exactly how CSRB affects your organisation
Compliance Roadmap
Clear next steps to achieve and maintain compliance
Expert Guidance
Direct access to our cybersecurity compliance specialists