UK Cyber Security & Resilience Bill 2025 Compliance
The Bill is progressing through Parliament and expected to receive Royal Assent in 2025. When enacted, penalties will reach £10 million for organisations that fail to implement mandatory incident reporting, security governance, and supply chain due diligence. We determine whether you are in scope, identify exactly what you are missing, and fix it ahead of enforcement. From £8,000.
Three types of organisation. One regulatory deadline.
The Bill applies differently depending on your sector and role. Find your situation below.
Critical Infrastructure Operators
Energy, Water, Health, Transport
You are in scope. The question is how far behind you are. If you operate essential services under Ofgem, Ofwat, NHS Digital, or the Civil Aviation Authority's remit, the Bill applies to you. Your sector regulator now has enhanced enforcement powers including on-site inspections, improvement notices, and financial penalties up to £10 million.
Start with a regulatory scoping call
Managed Service Providers and MSSPs
MSPs, MSSPs, IT Managed Services
MSPs are now regulated entities. This is not like being a customer of the regulation. The Bill places MSPs and MSSPs supporting critical infrastructure directly in regulatory scope for the first time. You are not just required to advise your clients on compliance; you are required to be compliant yourself.
Read our MSP compliance guide
Compliance and Risk Teams
GRC, IT Directors, CISOs
Already have ISO 27001? You have a head start, not a free pass. ISO 27001 does not satisfy the Bill's mandatory incident reporting timelines, supply chain due diligence requirements, or sector-specific OT controls. We map your existing certification against the Bill's requirements and produce a gap register with a prioritised remediation roadmap.
Request a gap analysis quote
Anticipated timeline to full enforcement.
Phased implementation means different obligations apply at different dates. Know where you are in the cycle.
Royal Assent (Expected)
Bill expected to receive Royal Assent. Incident reporting obligations anticipated to take effect. Organisations should have reporting procedures in place.
Governance Requirements
Board accountability and risk management framework obligations anticipated to come into force within 12 months of Royal Assent.
Security Controls
Enhanced security control implementation expected: SIEM, network segmentation, and continuous monitoring requirements.
Full Enforcement
Full compliance regime anticipated: supply chain risk management mandatory. Full penalty regime active.
What happens if you do nothing?
The Bill creates concrete, named consequences. These are not theoretical risks.
What if you miss the incident reporting deadline?
You must notify your sector regulator within 24 hours of a major incident. If you fail to report in time, or your notification is incomplete, the regulator can issue an improvement notice requiring remediation within a specified period. Failure to comply escalates to financial penalties of up to £10 million or 2% of global annual turnover. The incident is also subject to public censure.
What if your supply chain causes the breach?
If a third-party supplier is the source of a breach affecting your critical services, you remain liable. The Bill requires you to have assessed that supplier's security posture before engagement. Absence of vendor due diligence records will be treated as a failure of your supply chain obligations.
What if a regulator conducts an on-site inspection?
Regulators now have powers to conduct on-site inspections and require production of documents. If your security governance documentation, incident response procedures, or supply chain records are absent or inadequate, the regulator can issue an enforcement notice. Directors who knowingly fail to comply face criminal sanctions.
What if you are an MSP and one of your clients is breached?
You bear direct regulatory liability for your own security controls, regardless of whether the breach originated with the client or with another third party. If the breach was facilitated by inadequate security in your MSP infrastructure, you face enforcement action independently of your client. A single incident may trigger reporting obligations across multiple regulated clients.
What We Assess, and What We Fix
The Bill has five primary obligation areas. Most organisations are non-compliant in two or three. Here is how we find the gaps and close them.
Regulatory Scoping and Applicability Assessment
We begin where the Bill begins: with scope. Before spending a pound on compliance, you need to know whether you are regulated and what exactly you are required to do. We assess your sector classification against the Bill's entity categories (OES, DSP, MSP, supply chain entities), apply size and criticality thresholds, and issue a written Regulatory Scope Opinion within three working days. If you are in scope, we quantify your obligations. If you are not, we tell you why.
Gap Analysis Against Enhanced Requirements
We map your existing controls against the NCSC CAF objectives: Governance and Risk Management (CAF A), Protection (CAF B), Detection (CAF C), and Minimising Impact (CAF D). Where you have ISO 27001 controls, we cross-reference against the Bill's specific requirements. Output: a Gap Register, a Remediation Roadmap ranked by regulatory risk, and a Board-ready executive summary.
Incident Response and Reporting Procedures
Implementation of mandatory incident reporting workflows meeting 24-72 hour notification timelines. Outputs include: an Incident Classification Matrix distinguishing significant incidents (72-hour threshold) from major incidents (24-hour threshold), NCSC and sector regulator notification templates, a 24-hour reporting runbook, and a 30-day full incident report template with root cause analysis structure. We conduct a tabletop exercise simulating a major incident to validate your timeline.
Supply Chain Due Diligence
Assessment and management of cybersecurity risks in supply chains and third-party service providers. We evaluate vendor security postures, implement contractual security requirements, establish vendor security assessment questionnaires, and ensure compliance obligations cascade to subcontractors supporting critical services. For critical suppliers, enhanced due diligence includes on-site security audits and penetration testing of vendor systems processing your data.
Security Control Implementation and Monitoring
Deployment of enhanced security controls aligned with ISO 27001 and sector-specific standards: SIEM for 24/7 threat detection, network segmentation protecting OT from IT networks, privileged access management, continuous vulnerability scanning with defined remediation SLAs, and security-by-design review processes. Continuous compliance monitoring through automated control validation and quarterly regulatory reporting.
NIS Regulations vs. The Bill
The Bill is not a minor update to NIS Regulations. Here is what has materially changed.
| Requirement | NIS Regulations 2018 | Cyber Security and Resilience Bill |
|---|---|---|
| Incident reporting (major) | 72 hours | 24 hours |
| Incident reporting (significant) | Not defined | 72 hours |
| MSP coverage | No | Yes, directly regulated |
| Financial penalties (max) | Lower cap | £10M or 2% global turnover |
| Supply chain obligations | Limited | Mandatory due diligence |
| Board accountability | Advisory | Mandatory governance framework |
| Security standards | Cyber Essentials baseline | ISO 27001-aligned, sector-specific |
| Enforcement powers | Restricted | On-site inspection, criminal sanctions |
Know the cost before you commit.
All engagements are fixed-price after an initial scoping call. No retainer required to start.
Regulatory Scoping
Any organisation
From £3,500
Gap Analysis and Roadmap
Up to 250 staff
From £8,000
Full Compliance Programme
250-1,000 staff
From £18,000
Enterprise / CNI
1,000+ staff
Contact us
Fixed pricing after scoping call. No retainer required.
Book a Scoping Call
Engagement Workflow
Structured to minimise operational friction and maximise the value of the testing window.
Regulatory Scoping
We determine whether you are in scope and what you owe. We assess your sector (energy, water, health, transport, digital infrastructure, managed services), apply the Bill's size and criticality thresholds, map your cross-border operations, and document every obligation that applies to your organisation. Output: a written Regulatory Scope Opinion with a compliance obligation register. Delivered in three working days.
Gap Analysis and Remediation Planning
We map your current security controls against the Bill's requirements using the NCSC Cyber Assessment Framework (CAF) as the reference standard. We test your incident detection capabilities, review your governance documentation, assess your supply chain due diligence records, and evaluate your incident response procedures against the 24/72-hour reporting timelines. Output: a Gap Register, a Remediation Roadmap ranked by regulatory risk, and a Board-ready executive summary.
Security Control Implementation
We implement the controls the Bill requires and your gap analysis identified. This is not a document exercise. We deploy or configure: SIEM for 24/7 threat detection, network segmentation protecting OT from IT, privileged access management, continuous vulnerability scanning with defined SLAs, and security-by-design review processes. We also implement your supply chain security programme: vendor assessment questionnaires, contractual security clauses, and ongoing monitoring.
Incident Reporting and Ongoing Compliance
We make your incident reporting obligations operational. We build the Incident Classification Matrix, draft notification templates for NCSC and your sector regulator (Ofgem, Ofcom, NHS Digital, as applicable), and conduct a tabletop exercise simulating a major incident testing your 24-hour timeline. After implementation, we provide quarterly compliance monitoring with regulatory update briefings as new NCSC guidance is published.
The Bill mandates these services. We deliver them.
The Cyber Security and Resilience Bill creates direct obligations that Precursor Security services satisfy, from 24/7 monitoring to annual penetration testing.
Book a Compliance Call
Deep-Dive Guidance
24/7 Security Monitoring
SOC and MDR covering your Bill-mandated detection and response requirements.
Penetration Testing
Annual validation of security controls to meet Bill assessment obligations.
Incident Response
24-hour reporting support aligned with mandatory notification timelines.
ISO 27001 Consultancy
Foundation compliance framework that maps directly to Bill requirements.
Full Penetration Testing Catalogue
Comprehensive penetration testing services tailored to your environment.
Internal Testing
Post-perimeter assessments targeting Active Directory, lateral movement, privilege escalation, and segmentation validation from inside your network.
Enforcement is approaching. Where does your organisation stand?
The gap between Cyber Essentials and full Bill compliance is significant for most organisations. We quantify that gap in five working days and tell you what it will cost to close it. Fixed-price engagement. No retainer required.
Book a Regulatory Scoping Call
Cyber Security and Resilience Bill: Common Questions
Penalties, scope, timelines, and how the Bill compares to NIS Regulations, NIS2, and the EU Cyber Resilience Act.
Financial penalties reach up to £10 million or 2% of global annual turnover, whichever is higher, for serious violations including: failure to implement appropriate security measures, failure to report significant incidents within required timelines, providing false or misleading information to regulators, or failing to cooperate with regulatory investigations. Additional enforcement powers include improvement notices requiring specific remediation actions within set timeframes, public censure damaging organisational reputation, and in extreme cases, criminal sanctions for directors who knowingly fail to comply. Regulators have broad investigatory powers including on-site inspections and document production orders.
UK Cyber Security and Resilience Bill compliance services range from £3,500 for an initial regulatory scoping assessment to £50,000+ depending on organisation size, sector, and current security maturity. Regulatory scoping (any size, 2-3 days) starts from £3,500. Gap analysis and remediation roadmap for organisations up to 250 staff runs from £8,000. Full compliance programme for 250-1,000 staff organisations typically requires £18,000-£30,000. Enterprise and critical national infrastructure (CNI) engagements are scoped individually. We provide fixed pricing after assessing your regulatory scope and current security posture. No retainer is required to start.
ISO 27001 provides a foundation but does not fully satisfy the Bill's requirements. The Bill introduces mandatory 24-hour incident reporting timelines to regulators that ISO 27001 does not require. Supply chain due diligence obligations under the Bill are more prescriptive than ISO 27001's supplier relationship controls. Sector-specific requirements for critical infrastructure, essential services, and MSPs go beyond generic ISO standards. Board accountability and governance requirements differ from ISO 27001's management review expectations. The Bill mandates specific security controls for operational technology (OT) environments not covered by standard ISO implementations. We help ISO 27001 certified organisations map existing controls to Bill requirements and close the gaps efficiently, typically reducing implementation time by 30-40%.
The Bill significantly expands the NIS Regulations scope to cover: operators of essential services (OES) in energy, transport, health, water, and digital infrastructure; digital service providers (cloud computing, online marketplaces, search engines); managed service providers (MSPs) and managed security service providers (MSSPs) supporting critical infrastructure; and supply chain entities providing critical components or services to in-scope organisations. Size thresholds apply: medium and large entities with 50 or more employees or £10 million or more in turnover in critical sectors. Small entities providing critical services may also be captured. The Bill introduces new regulated categories absent from NIS Regulations including managed services, AI infrastructure, and expanded digital supply chains.
Incident reporting follows a tiered approach based on severity. Significant incidents (services degraded but operational) must be reported within 72 hours of detection. Major incidents (service outage, data breach, or imminent threat to critical operations) require a preliminary notification within 24 hours. The 24-hour preliminary notification can contain limited information; the full incident report including impact assessment, affected users, technical root cause, and remediation plans is due within 30 days. Failure to report within mandated timelines or providing false or misleading information can result in an improvement notice and financial penalties.
The Bill significantly strengthens and expands the NIS Regulations. Broader sector coverage adds managed services, AI infrastructure, and expanded digital supply chains to the regulated entity list. Security requirements exceed the basic Cyber Essentials baseline and approach ISO 27001 standards with continuous monitoring. Incident reporting timelines are faster: 24 hours for major incidents versus the previous 72-hour NIS requirement. Supply chain due diligence obligations are now mandatory, whereas NIS Regulations had limited requirements. Penalties increase to up to £10 million or 2% of global annual turnover, exceeding previous caps. Enforcement powers are stronger, including on-site inspection, improvement notices, and criminal sanctions. Board accountability and governance requirements are now mandatory rather than advisory. MSPs are now directly regulated entities for the first time.
No. The UK Cyber Security and Resilience Bill and the EU's NIS2 Directive are separate pieces of legislation with independent jurisdiction. The Bill applies to organisations operating in the UK; NIS2 applies to organisations operating within the EU. They share common objectives (expanding the scope of regulated entities, strengthening incident reporting, increasing penalties) but have distinct legal requirements, notification timelines, and regulatory bodies. Organisations with operations in both jurisdictions must achieve compliance under both frameworks independently. The Bill does not incorporate NIS2 by reference, and NIS2 compliance does not satisfy UK regulatory requirements. We advise organisations with dual UK and EU operations on managing both compliance programmes simultaneously.
These are entirely separate regulations targeting different risks. The UK Cyber Security and Resilience Bill regulates how organisations operating essential services and digital infrastructure manage their cybersecurity obligations. It is an operational security standard for service operators. The EU Cyber Resilience Act (CRA) regulates the cybersecurity properties of products with digital elements: hardware and software sold in the EU market must meet baseline security requirements built in at the design stage. UK manufacturers selling into the EU market must comply with the CRA regardless of the UK Bill. A UK critical infrastructure operator may need to comply with the UK Bill (as an operator) and the EU CRA (as a manufacturer of connected products). These are not interchangeable frameworks.
Yes. The Bill explicitly includes managed service providers (MSPs) and managed security service providers (MSSPs) that support critical infrastructure within its regulatory scope. This is a significant departure from NIS Regulations, which did not regulate MSPs directly. Under the Bill, MSPs must implement the same enhanced security controls, mandatory incident reporting, and supply chain due diligence obligations as their critical infrastructure clients. MSPs face additional complexity: a security incident at their infrastructure may simultaneously trigger reporting obligations across multiple regulated clients. We have prepared a dedicated guide to MSP obligations under the Bill, including incident classification when multiple clients are affected. See our MSP Requirements page for full detail.
No. While Cyber Essentials Plus covers baseline security controls (firewalls, secure configuration, access control, malware protection, patch management), the Bill requires significantly enhanced measures: risk management frameworks documenting threat scenarios and mitigation strategies, security governance structures with Board-level accountability, incident detection and response capabilities including 24/7 monitoring, supply chain risk management programmes, business continuity and disaster recovery plans, and security testing including penetration testing and resilience exercises. Cyber Essentials Plus can serve as a foundation, but organisations must implement additional ISO 27001-aligned controls and sector-specific security standards to achieve full compliance.
Organisations must implement comprehensive supply chain cybersecurity risk management: conducting security assessments of third-party providers before onboarding, incorporating contractual security requirements including incident notification obligations, continuously monitoring vendor security postures through questionnaires and audits, ensuring compliance requirements cascade to subcontractors, and reporting supply chain incidents affecting service delivery. For critical suppliers (single points of failure or access to sensitive systems), enhanced due diligence is required including on-site security audits, penetration testing of vendor systems processing your data, and multi-source contingency planning. MSPs and MSSPs face heightened scrutiny given their access to multiple critical infrastructure customers.
The UK Cyber Security and Resilience Bill is currently progressing through Parliament and has not yet received Royal Assent. When enacted, implementation is expected to be phased: incident reporting obligations are anticipated to take effect on Royal Assent, with a 12-month transition for governance requirements and an 18-month deadline for enhanced security controls. Full compliance including supply chain risk management is expected within 24 months of Royal Assent. Organisations should begin gap analysis now to avoid being under time pressure once the Bill passes.