UK Cyber Security and Resilience Bill proposes new laws to improve UK cyber defences and protect our essential public services
Asa Meusel
Cyber Sales & Engagement Lead
The UK Cyber Security and Resilience Bill will have serious implications for organisations in the UK. If passed without major delays, the Bill is expected to receive Royal Assent and become law in mid-to-late 2026. Read on to find out what has changed, why you should care, what you should do, and what Claranet’s view is.
The UK Cyber Security and Resilience Bill builds on the existing NIS Regulations (2018) and represents a major upgrade in how UK businesses should defend themselves against cyber threats. Its key goals are to:
- Strengthen the resilience of essential services — such as energy, water, healthcare, and digital infrastructure — against increasingly sophisticated cyber-attacks.
- Protect everyday public utilities (like turning on the lights or getting water) and vital institutions (including the NHS) from disruption.
- Support long-term economic stability by reducing business costs and disruption caused by cyber incidents, while encouraging greater investment.
Many organisations will inevitably see new or changing legislation as a burden; it takes time, manpower, and therefore money, to upgrade your processes and technology and establish a stronger security posture. Look on the bright side: the Bill could also provide the impetus to help your company raise the bar for its cybersecurity posture.
Comparing the Bill to similar legislation and frameworks (such as NIS2) shows that in some cases it may not go far enough. Some commentators have even noted that the Bill’s focus on Critical National Infrastructure could leave organisations in many sectors concluding that the change is not aimed at them.
Why the Bill applies to everyone
If the Bill is so heavily focused on protections applying to Critical National Infrastructure, why should everyone else care?
- The Bill broadens the scope beyond traditional sectors like energy and healthcare to include managed service providers, data centres, and other digital service suppliers.
- The CSRB makes you accountable for the security of your critical suppliers. Supply chain risk management is now a regulatory requirement, not just a best practice.
- Even if your organisation isn’t directly regulated, you may be part of a regulated supply chain, meaning your security posture will be scrutinised by customers and partners.
- Under the Cyber Security and Resilience Bill, organisations will need to report significant cyber incidents within just 24 hours. For many businesses, this will require a complete overhaul of incident response processes and rapid access to forensic data.
Claranet’s view on the UK Cyber Security and Resilience Bill
We welcome the Cyber Security and Resilience Bill as a vital step towards strengthening the UK’s digital resilience and safeguarding essential services. However, the requirements will apply to a broad range of UK businesses, and organisations must not underestimate the effort needed to meet its stringent reporting, governance, and supply chain security obligations.
The CSRB is a clear step forward in strengthening the UK’s cyber resilience, but, compared to the EU’s NIS2 Directive, the Bill’s scope remains narrower. It leaves out strategically important sectors that are increasingly dependent on digital infrastructure. To truly protect the UK economy, we need broader coverage and explicit board-level accountability, because resilience must be embedded into strategy and leadership, not treated as a simple tick-box compliance exercise.
The proposed scope of this Bill expands upon existing regulations. But, if passed in its current form, its scope will be narrower than the NIS2 regulation in the EU. Legislation may not be the most positive way to drive business change. But, at Claranet we've seen really positive steps being taken by many companies across Europe in response to NIS2, and I worry that the potentially narrower scope of the UK Bill may limit its effectiveness.
What you should be considering (if you aren’t already)
If you haven’t already begun preparing, here are a few important steps to consider now:
- Review current cybersecurity controls
Take a fresh look at your cybersecurity posture, especially in relation to your risk exposure in essential or digital-critical services. Make sure you have monitoring tools in place to detect a cyber-attack in your IT estate.
- Assess risk from suppliers and third-party vendors
The Bill could create new or stronger obligations around the security of external vendors, so ensure your supply chain is secure.
- Strengthen identity and access controls
Verify that only necessary access is granted, that you’re using least-privilege principles, and that you have good visibility over who (and what) is accessing your systems.
- Prepare incident response plans
Make sure your response and recovery procedures are up to date: test them, and ensure roles and responsibilities are clearly defined.
- Monitor for regulatory changes
As the Bill advances through Parliament, more detailed obligations will likely be clarified. Keeping on top of these changes will give you more time to adapt.
How we can help
We’re well-positioned to support you on this journey. Here’s how we can assist:
- Managed XDR: We can unify threat detection and response across endpoints, cloud services, and identities, helping you rapidly detect, investigate, and contain cyber-attacks, with support from expert SOC analysts and the latest AI-powered tooling.
- Security gap analysis and advisory: We can perform a tailored review of your current security posture in light of the new Bill’s likely requirements.
- Third-party / supply chain risk assessment: We help assess and mitigate risks across your vendor landscape to ensure strong, compliant practices.
- Penetration testing and threat simulation: Our expert penetration testers can simulate real-world attacks to test your defences and identify any weak points.
- Cloud Configuration Reviews: We will examine and optimise your cloud configuration setup — making sure it aligns with the most stringent security models.
- Incident response planning and tabletop exercises: We can run incident-response simulations to validate and improve your current plans and readiness.
- Ongoing compliance support: As the Bill evolves, we can help translate legislative changes into operational security tasks, keeping you ahead of the curve.
To strengthen your security posture, talk to one of Claranet’s cybersecurity experts today.