Essential Cyber Security Resilience Bill: 5 Steps UK Businesses Must Take

Cyber security has never been more important for UK businesses — and a landmark piece of legislation is about to make it a legal requirement. The Cyber Security and Resilience Bill, which featured prominently in the King’s Speech on 13 May 2026, is the most significant update to UK cyber security law since 2018. Whether you run a small business, rely on an IT provider, or supply services to larger organisations, this Bill will affect you. Here is what you need to know.


What Is the Cyber Security and Resilience Bill?

The Cyber Security and Resilience Bill updates the existing Network and Information Systems (NIS) Regulations 2018 — the framework that currently governs how essential services protect their digital infrastructure. The original legislation was introduced at a time when cyber threats looked very different. Since then, attacks have grown in sophistication, frequency, and scale.

The government has been clear about the urgency. According to the National Cyber Security Centre (NCSC), there is a widening gap between the increasingly complex cyber threats facing the UK and the country’s defensive capabilities. The Bill is designed to close that gap — and businesses of all sizes will feel its impact.


Who Does It Affect?

One of the most significant changes in this legislation is the expansion of who falls within its scope.

Previously, only operators of essential services — think energy, water, and healthcare — were directly regulated. The new Bill extends that reach to include data centres, digital service providers, and critically, managed service providers (MSPs). This is the first time that third-party IT companies have been brought under direct regulatory oversight.

If your business uses an external IT support provider, that relationship is now covered by law. Your provider will face the same obligations as essential service operators: formal security standards, mandatory incident reporting, and direct oversight from the Information Commissioner’s Office (ICO).


Key Requirements Under the New Law

The Bill introduces several obligations that businesses and their IT suppliers must prepare for:

Mandatory 24-hour incident reporting. When a cyber incident is detected, regulated organisations will be required to report it within 24 hours. This is a significant tightening from the current 72-hour window and reflects how quickly threats can escalate.

Tougher enforcement and fines. Regulators will gain stronger powers to investigate and act. Fines of up to £17 million or 4% of global annual turnover can be imposed on organisations that fail to meet their obligations — figures comparable to GDPR penalties.

Supply chain security obligations. Regulated organisations must now assess and manage cyber risk across their entire supply chain. This means that even if your business is not directly in scope, your larger clients may begin requiring you to demonstrate compliance before renewing contracts.

Cyber Essentials certification as a baseline. While not universally mandatory for all businesses, the expectation is clear: compliance with established frameworks such as the NCSC’s Cyber Essentials scheme will increasingly become a baseline requirement for doing business.


What Does This Mean for SMEs?

For small and medium-sized businesses, the Bill’s most immediate impact will come through the supply chain. Larger clients — particularly those in regulated sectors such as finance, healthcare, and legal services — will start asking questions they were not asking before.

Expect to see more cyber security clauses written into contracts. You may be asked to provide evidence of Cyber Essentials certification, confirm that you have a documented incident response plan, and demonstrate that your access controls — including multi-factor authentication — are in place.

Businesses that cannot answer these questions risk being excluded from tender processes or losing existing client relationships. The government has been clear that it does not expect SMEs to invest in enterprise-grade tools, but it does expect proportionate, demonstrable action.

The good news is that the steps required are practical and achievable. A straightforward cyber security review, combined with Cyber Essentials certification, puts most businesses in a strong position well before the Bill receives Royal Assent.


The AI Dimension: Why This Matters Now

The Bill arrives at a time when artificial intelligence is transforming the threat landscape. According to recent government research, a new generation of AI tools is dramatically lowering the barrier for cyber criminals — enabling them to scan for vulnerabilities and launch attacks at a speed and scale that was simply not possible a year ago.

The government’s own figures are sobering: 43% of UK businesses experienced a cyber breach or attack in the past year. For businesses that have not reviewed their security posture recently, that figure alone should prompt action.

Traditional defences — firewalls, antivirus software, basic password policies — are no longer sufficient on their own. The combination of AI-powered threats and incoming legislation means that cyber security now demands a proactive, layered approach.

You can read more about the UK’s evolving cyber threat landscape in the NCSC’s annual review: https://www.ncsc.gov.uk/annual-review


How to Prepare Before the Bill Becomes Law

The Bill is expected to receive Royal Assent later in 2026, with full implementation phased through to 2028. That timeline may feel distant, but the expectations are already filtering into commercial contracts and procurement processes.

Here are the steps every UK business should consider taking now:

Start with a cyber security review — understand what data your business holds, where it is stored, and how it is protected. Identify gaps in your access controls, backup processes, and incident response planning.

Pursue Cyber Essentials certification if you have not already. This government-backed scheme provides a clear, achievable framework and signals to clients and partners that your security posture meets a recognised standard.

If you use a managed IT provider, ask them directly how they are preparing for the new regulatory requirements. Under the Bill, MSPs will face formal obligations for the first time — a well-prepared provider will already have a clear answer.

Review your contracts with suppliers and clients. Cyber security clauses are becoming standard, and understanding your existing obligations is an essential first step before new ones arrive.


Working With the Right IT Partner

The Cyber Security and Resilience Bill raises the bar across the entire IT industry — and that is, ultimately, a good thing. It makes it harder for underqualified providers to operate without accountability, and it gives businesses a clearer framework for evaluating whether their IT supplier is genuinely equipped to protect them.

At Storm IT, we hold ISO 27001 certification and operate as an IASME-accredited Cyber Essentials certification body. Our STORMSecure platform continuously monitors devices and identifies vulnerabilities before they become incidents — and our team is already aligned with the standards this Bill is designed to enforce.

If you would like to understand how the Cyber Security and Resilience Bill affects your business, or want to review your current IT security arrangements, get in touch for a free infrastructure audit. We will help you identify any gaps and put a practical plan in place.

Contact us: https://storm-it.com/contact

Threat Monitoring: https://storm-it.com/threat-monitoring

Cyber Security services: https://storm-it.com/cyber-security


Conclusion

The Cyber Security and Resilience Bill is not just another piece of regulation to monitor from a distance. It represents a fundamental shift in how the UK treats cyber security — from voluntary best practice to enforceable law. For businesses that prepare now, it is an opportunity to strengthen client relationships and competitive positioning. For those who wait, it carries real commercial risk.

The time to act is before the legislation arrives, not after.
