
The Cyber Security and Resilience Bill (CSRB): a guide for UK SMEs
New UK cyber legislation is coming. Here is what is real, what is still being decided, and what a business your size should actually do.
60 minutes · No prep · No obligation
There has been a lot of noise about new cyber security law, and a fair amount of it is confused. Some of the confusion is about NIS2, the EU directive, which does not apply to UK-based operations. Some is about a genuinely relevant piece of UK legislation: the Cyber Security and Resilience Bill. If you have been told your business needs to comply with NIS2, or you simply want to know whether any of this reaches a company your size, this page explains the legislation, its timeline, and the practical steps an SME should take.
NIS2, the NIS Regulations, and the CSRB
Three things tend to get mixed up here, so it helps to separate them.
NIS2 is an EU directive. It updates the EU's network and information security rules, and it applies to organisations established in EU member states. Since the UK is no longer in the EU, NIS2 does not apply to a business that operates only in the UK. If a UK supplier has told you that you must comply with NIS2, they are almost certainly mistaken, or they mean the UK equivalent. Two caveats: a UK company with a subsidiary or establishment in the EU can find that subsidiary in scope, and UK businesses that sell to EU organisations covered by NIS2 will feel its supply-chain requirements through those customers' contracts, in the same way the UK Bill pushes obligations downward (see below).
The UK has its own regime: the Network and Information Systems Regulations 2018, usually called the NIS Regulations. These have been in force for years, but they cover a fairly narrow set of operators of essential services (in sectors such as energy, transport, health, drinking water and digital infrastructure) and a small group of relevant digital service providers.
The Cyber Security and Resilience Bill is the law that updates and widens those NIS Regulations. It is the UK's own response to the same problems NIS2 addresses, and it is the relevant legislation for UK SMEs.
Where the Bill stands right now
The Cyber Security and Resilience Bill was introduced to the House of Commons in November 2025 and is making its way through Parliament. It had its second reading in January 2026 and has since moved through the committee and report stages, with the most recent activity in May 2026. It is expected to receive Royal Assent during 2026. You can monitor its progress on the GOV.UK Cyber Security and Resilience Bill collection.
Two things follow from that. First, this is still a Bill, so specific obligations can shift as it is debated and amended; treat the details below as the current position rather than settled law. Second, even once it becomes law, it is expected to come into force in phases, with full implementation likely running into 2027 and 2028. There is no single cliff-edge date. That is good news, because it means there is time to prepare properly rather than scramble.
Who the Bill brings into scope
The headline change is breadth. The current NIS Regulations cover a fairly small group of operators. The Bill widens that considerably.
Newly regulated: an estimated 900–1,100 UK managed service providers brought under direct regulatory oversight for the first time.
Plus data centres and digital services
Medium and large MSPs are the largest group, but certain data centres and a wider set of digital services are also pulled in. Each will need to meet defined security standards and report incidents within set timeframes.
And one provision affects small businesses too
The blanket exemption for small and micro-enterprises is being amended, so a regulator can designate an individual SME as a critical supplier where that is needed to protect an essential service. Most SMEs will never be designated. But the door is no longer firmly shut, and a small firm that is the sole supplier of something an essential service depends on is exactly the kind of business the power is aimed at.
What this means if you are an SME
For the large majority of SMEs, the Bill will not regulate you directly.
It does not mean the Bill is irrelevant to you, though. It reaches smaller businesses in two practical ways.
The first is the supply chain. Regulated organisations will be required to manage the cyber risk in their own supply chains. In practice that pushes obligations downward: new security clauses in contracts, supplier questionnaires to complete, certifications expected as a condition of doing business, and in some cases audit rights and incident notification duties to your customer. If you sell to anyone who falls in scope, you will feel the Bill through them, well before any regulator looks at you directly.
The second is your own IT provider. If a managed service provider runs your systems, and that MSP is now regulated, its obligations will shape how it works with you: expect it to ask for clearer boundaries of responsibility, to tighten how it accesses your systems, and to want a defined channel for reporting incidents to you. That is mostly a good thing, but it is worth understanding.
How we help
Our first step is to clarify your scope. An SME does not need to invest in a compliance programme for a law that does not apply to them. We will determine whether the Bill affects you directly, through a customer, or not at all.
If it does reach you, the work is practical and familiar. It means tightening the governance and incident response the Bill expects of regulated firms and their suppliers, getting your supplier risk management into a state where a customer questionnaire is straightforward to answer, and putting in place the technical controls those questionnaires and contracts ask for. That is advisory and hands-on in equal measure: we help you decide what is needed, then do the work alongside you. Much of it overlaps with Cyber Essentials, a security assessment, and, where you want ongoing oversight, a vCISO retainer.
Are you in scope?
There are three routes into CSRB scope: your sector and size, a supply relationship with a regulated entity, or direct identification by the Secretary of State. Which of those applies, if any, is the first thing to establish.
Supply chain pressure is already building
If you are unsure whether the new cyber legislation affects you, book a free 60-minute call. We will clarify your scope and outline the practical steps to take next.