Cyber Security and Resilience Bill: Raising the Bar for UK Resilience

Daryl Flack, Partner at Avella

November 2025


The UK’s cyber threat landscape is evolving rapidly. To keep pace, the government has now introduced the Cyber Security and Resilience Bill (CSRB). This bill is a significant step towards strengthening national resilience, as it expands regulatory scope, imposes stronger security requirements, and aligns the UK’s approach with the increasing scale and complexity of today’s threats.


Why the Bill Matters 

The numbers speak for themselves: 43% of UK organisations experienced a cyber attack in the past year. The UK is now among the most attacked countries globally, and cyber crime costs our economy an estimated £14.7 billion annually. Yet only around one in three UK businesses has carried out a cyber security risk assessment in the past 12 months, meaning fewer than half are proactively assessing their exposure.

In this context, the Bill isn’t just regulatory housekeeping - it is about protecting essential services, safeguarding the economy, and embedding resilience into critical supply chains.  


What’s Changing? 

The Bill sets out three main objectives that reshape the landscape for operators of essential services (OES), relevant digital service providers (RDSPs), and their supply chains. 


Objective 1: Expanding the Scope 

The Bill widens its reach to reflect the realities of today’s interconnected digital economy. For the first time, data centres and managed service providers (MSPs) will fall within scope, recognising their central role in the delivery of essential services. In addition, regulators will be given the power to designate critical suppliers, ensuring that systemic dependencies can be identified and brought under appropriate oversight. 


Objective 2: Strengthening Oversight 

To create greater coherence across the landscape, the Secretary of State will issue a new Statement of Strategic Priorities, setting out a unified framework for all twelve regulators involved. Oversight will also be strengthened through expanded incident reporting requirements, which will go beyond service outages to capture a broader set of risks. The Information Commissioner’s Office (ICO) will see its information-gathering powers improved, enabling a more proactive, risk-based approach. Alongside this, the Bill establishes better cost recovery regimes to ensure regulators are sustainably resourced to meet their obligations. 


Objective 3: Enabling Agility 

The third objective is focused on adaptability. Regulators will gain the ability to update requirements in line with emerging threats, ensuring the framework does not lag behind the evolving risk landscape. Supply chain security will be strengthened, with OES and RDSPs required to set and enforce higher standards across their providers. A new Code of Practice will be introduced to drive consistency in cyber assurance approaches, while emergency powers of direction will allow the Government to act quickly and decisively in response to national security threats.  


Reforming in a Post-Brexit Context 

This Bill also reflects a deliberate shift in policy direction following the UK’s exit from the EU. It seeks to replace and strengthen previous frameworks inherited from EU law with a UK-specific approach that better aligns with our national threat landscape. 


Next Steps for Leaders 

Although secondary legislation and transition periods are yet to be finalised, organisations should act now to prepare: 


Map your dependencies: Understand where you sit within the broader supply chain and identify critical providers. 

Review incident reporting processes: Be ready to meet shorter timescales and more detailed criteria. 

Engage leadership: Ensure boards treat resilience as a strategic issue, not just an operational one. 

Stay close to regulators: Sector-specific requirements will vary - proactive engagement is essential. 


The Cyber Security and Resilience Bill is more than legislative reform - it’s a call to raise the standard.  


Organisations that respond proactively will not only meet compliance requirements, but also build the resilience needed to operate with confidence in a more complex and contested cyber landscape. 


The message is clear: in a world of increasing threats and complexity, resilience is not optional. It is a national priority. 