Understanding the UK Cyber Security & Resilience Bill
For SMEs operating in Northern Ireland and Ireland, particularly those providing IT services across borders, understanding this legislation is essential for future business operations and compliance.
The UK Cyber Security & Resilience Bill, introduced to Parliament in November 2025, will when enacted introduce a notable change for SMEs: even micro-businesses could be designated as "Critical Suppliers" if they form a vital link in critical infrastructure supply chains.
The Cyber Security & Resilience Bill is the UK's evolution of its Network and Information Systems (NIS) framework. The current regulations brought the NHS, transport systems and the energy network into scope. Building on the NIS Regulations 2018, this bill significantly expands the scope and powers of UK regulators to secure critical national infrastructure.
Why is the UK Cyber Security & Resilience Bill important for SMEs?
The government's case for reform is built on compelling evidence[1]:
- In the past year the UK was the most targeted country in Europe for cyber attacks
- Over 40% of UK businesses (more than 600,000 organisations) experienced a cyber attack
- Cyber attacks cost UK businesses £14.7 billion each year
- The National Cyber Security Centre managed 204 nationally significant incidents in the year to September 2025, more than double the previous year.
Recent incidents show the cascading impact[2]:
- May 2024: Hackers accessed the Ministry of Defence's payroll system through a managed service provider
- June 2024: A cyber-attack on an NHS supplier led to over 11,000 postponed medical appointments
Only 49% of businesses have identified their cyber risks in the last year, despite 72% recognising the threat[3].
Who is in scope of the UK Cyber Security & Resilience Bill?
The Network and Information Systems (NIS) Regulations 2018 currently apply to operators of essential services and some digital services. The new legislation will significantly expand this scope to the following sectors[1]:
- Managed service providers: If your business provides IT helpdesks, cyber security services, remote administration, or Security Operations Centres, you may be affected. Many companies now outsource their IT to managed service providers, so your business could become an attacker's route into your customers' systems.
Medium and large managed service providers must register with the Information Commissioner's Office (ICO).
In the context of Irish managed service providers, the Bill's "Designation of critical suppliers" provisions will apply to an entity providing a managed service in the UK regardless of where that entity is established[4]. On that basis, an IT company in Belfast or Dublin serving clients in Manchester or London will be regulated if it meets the size thresholds.
- Data centres: Medium and large data centres meeting specified power capacity thresholds will be classified as essential services. The exact thresholds will be defined in secondary legislation following consultation in 2026.
- Designated critical suppliers: If you supply products or services critical to essential service providers, you could be designated as a critical supplier under regulatory oversight.
- Large load controllers: Organisations controlling electrical load across smart appliances (e.g., EV charging systems) with 300MW or more aggregate capacity will be regulated to reduce grid disruption risks.
What are the new UK Cyber Security & Resilience Bill requirements?
Security standards
All regulated entities must take appropriate and proportionate security measures[1]. The National Cyber Security Centre's Cyber Assessment Framework 4.0 (CAF) provides the technical guidance, organised around four objectives[6]:
- Managing Security Risks: Governance, risk management, and supply chain security.
- Protecting against Cyber Attack: Data/system security, identity control, and network resilience.
- Detecting Cyber Security Events: Proactive threat hunting and security monitoring.
- Minimising the impact of cyber security events: Incident response and recovery planning.
The 24/72 Hour Incident Reporting Rule
Within 24 hours of becoming aware of a significant incident, notify the NCSC and your regulator[1]. Include incident details, extent of disruption, duration, and affected users.
Within 72 hours, submit a full report with comprehensive details, including any cross-border impact[4].
You must report incidents that have the potential to cause significant impacts, not just those that already caused disruption. If you provide managed services, digital services, or operate a data centre, inform your customers if they are adversely affected[1].
Financial Penalties
The legislation introduces substantial penalties[5]:
- Serious breaches: Up to £17 million or 4% of worldwide turnover (whichever is higher)
- Less serious breaches: Up to £10 million or 2% of worldwide turnover (whichever is higher).
What are the cross-border implications of the UK Cyber Security & Resilience Bill?
The legislation explicitly applies to an entity providing a managed service in the UK regardless of where that entity is established[4].
So a Belfast-based MSP serving Birmingham clients is within scope, as is a Dublin IT company supporting London businesses. In the same way, a Dublin IT company supporting a Belfast business is in scope, since Northern Ireland is part of the UK.
Northern Ireland's Position
Northern Ireland is part of the UK and fully covered. The Department of Finance serves as competent authority for most sectors in Northern Ireland; the ICO regulates digital and managed services UK-wide[1].
Dual Regulatory Environments
While the UK legislates through the Cyber Security & Resilience Bill, Ireland is expected to complete its transposition of the EU's NIS2 Directive into law in 2026. If you serve clients in both the UK and Ireland/EU, your business may find itself in a dual regulatory scenario:
- Separate Registration: Register with ICO for UK services; with Irish authorities for Irish/EU services
- Different Reporting: Incidents affecting both jurisdictions require reporting to different authorities under different procedures
- Parallel Compliance: Robust security practices satisfy both frameworks, but documentation may need alignment to different standards
- Multiple Reports: The 24-hour and 72-hour windows apply in both jurisdictions, each to its own authority
Practical Steps for Cross-Border Providers
- Client Contracts: Clarify which regulatory regime applies to each service
- Incident Response Plans: Account for multiple authority reporting
- Access Management: Both frameworks scrutinise how administrative credentials are managed
- Supply Chain Security: Ensure your suppliers meet appropriate standards.
How can I prepare my business for the UK Cyber Security & Resilience Bill?
Assess Your Exposure
Determine if you are in scope:
- Do you provide managed IT services to UK-based clients?
- What is your annual turnover and employee count?
- Do you maintain privileged access to client systems?
- Do your clients operate essential services?
Strengthen Governance
Establish senior management ownership of cyber risk. Clearly document:
- Who is accountable for cyber security
- How risks are assessed and managed
- Your security policies
- Incident response procedures.
The government's Cyber Governance Code of Practice provides specific guidance on this [1].
Build Incident Response Capability
With 24-hour notification requirements, ensure:
- Quick incident detection and assessment
- Clear decision-making processes
- Contact details for ICO and NCSC
- Client notification procedures
- Regular testing.
The 24-hour clock starts when you become aware of an incident.
Review Access Controls
Clearly document:
- Who has administrative access across your client base
- How long access lasts
- What happens when staff leave or change roles
- Evidence of access controls.
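As an added illustration of the access review described above (example code written for this article, not from the Bill, the NCSC or any referenced publication), the script below runs a privileged-access review over a constructed inventory for a hypothetical MSP. The client names, users, dates, the 90-day limit on standing access and the joiner/mover/leaver lists are all assumptions; in practice the inventory would be exported from your RMM/PAM tooling and the leaver list from HR. It flags leavers who still hold access, role changes not yet reviewed, standing access that has outlived the limit, expired grants that were never removed, and admin accounts without MFA, then builds the evidence record an inspector would ask for.

```python
from datetime import date

# Constructed sample data for a hypothetical MSP: clients, users and dates are
# invented for this example and are not from the original article.
ACCOUNTS = [
    {"client": "Client A (Manchester)", "user": "alice", "role": "Domain Admin",
     "granted": "2025-01-10", "expires": None, "mfa": True},
    {"client": "Client A (Manchester)", "user": "bob", "role": "Global Admin",
     "granted": "2025-11-01", "expires": "2026-02-01", "mfa": True},
    {"client": "Client B (Dublin)", "user": "carol", "role": "Local Admin",
     "granted": "2024-06-15", "expires": None, "mfa": False},
    {"client": "Client C (London)", "user": "dave", "role": "Domain Admin",
     "granted": "2025-09-01", "expires": "2026-09-01", "mfa": True},
]
LEAVERS = {"carol"}       # left the company according to HR (constructed)
ROLE_CHANGES = {"bob"}    # moved to a non-technical role (constructed)
AS_OF = date(2026, 3, 1)  # review date (constructed)


def review_privileged_access(accounts, leavers, role_changes, as_of,
                             max_standing_days=90):
    """Check each privileged account against leaver/mover data and
    access-lifetime rules. Returns one finding dict per issue found."""
    findings = []
    for acct in accounts:
        granted = date.fromisoformat(acct["granted"])
        expires = date.fromisoformat(acct["expires"]) if acct["expires"] else None
        age_days = (as_of - granted).days

        def flag(issue, severity, acct=acct):
            findings.append({"client": acct["client"], "user": acct["user"],
                             "role": acct["role"], "issue": issue,
                             "severity": severity})

        # Leaver access is the worst case: an orphaned admin credential.
        if acct["user"] in leavers:
            flag("leaver-retains-access", "critical")
        elif acct["user"] in role_changes:
            flag("role-change-not-reviewed", "high")
        # Standing (non-expiring) admin access beyond the agreed limit.
        if expires is None and age_days > max_standing_days:
            flag("standing-access-over-limit", "high")
        # Time-boxed access that expired but was never actually removed.
        if expires is not None and expires < as_of:
            flag("expired-not-removed", "high")
        if not acct["mfa"]:
            flag("no-mfa", "high")
    return findings


def build_review_record(accounts, findings, as_of, reviewer):
    """Produce the evidence of the review: who reviewed what, when, and
    how many issues were found per client."""
    per_client = {}
    for acct in accounts:
        per_client.setdefault(acct["client"], {"accounts": 0, "findings": 0})
        per_client[acct["client"]]["accounts"] += 1
    for f in findings:
        per_client[f["client"]]["findings"] += 1
    return {
        "review_date": as_of.isoformat(),
        "reviewer": reviewer,
        "accounts_reviewed": len(accounts),
        "findings_total": len(findings),
        "critical": sum(1 for f in findings if f["severity"] == "critical"),
        "per_client": per_client,
    }


if __name__ == "__main__":
    found = review_privileged_access(ACCOUNTS, LEAVERS, ROLE_CHANGES, AS_OF)
    for f in found:
        print(f"[{f['severity']:8}] {f['client']}: {f['user']} "
              f"({f['role']}) - {f['issue']}")
    print(build_review_record(ACCOUNTS, found, AS_OF, "Security lead"))
```

Run on a schedule (and on every leaver notification), keep the review record alongside the raw inventory export, and treat any "leaver-retains-access" finding as an incident to be closed the same day, since a departed engineer's admin credential into a client's estate is exactly the supply-chain route the Bill is concerned with.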
Documentation
To assess impact quickly and meet the 24-hour deadline for the initial report, and also to demonstrate due diligence to regulatory inspectors and avoid penalties, it is essential to maintain:
- Risk assessments and security decisions
- Security measures implemented
- Incident response activities
- Access control reviews
- Supply chain security assessments.
Conclusion
The Cyber Security and Resilience Bill represents a fundamental shift in UK digital security. For SMEs in Northern Ireland and Ireland providing IT services across borders, the implications are significant but manageable with proper preparation.
Key Takeaways:
- Scope: Providing managed IT services to UK clients means potential regulation, regardless of location[4]
- Timeline: Implementation of the Cyber Security & Resilience Bill will be phased through 2026[1]
- Core Requirements: Appropriate security measures, 24/72 hours incident reporting and client notification[1]
- Cross-Border Reality: Serving UK and Irish/EU clients may require parallel compliance
- Support Available: Free NCSC and government guidance[1].
Key Resources
Official Information:
- UK Government Bill collection: gov.uk/government/collections/cyber-security-and-resilience-bill
- UK Parliament Bill page: https://bills.parliament.uk/bills/4035
- UK House of Commons Library briefing: https://commonslibrary.parliament.uk/research-briefings/cbp-10442/
- UK Government Cyber Governance Code of Practice: https://www.gov.uk/government/publications/cyber-governance-code-of-practice/cyber-governance-code-of-practice
NCSC Resources:
- Main website: ncsc.gov.uk
- Cyber Assessment Framework 4.0: https://www.ncsc.gov.uk/files/NCSC-Cyber-Assessment-Framework-4.0.pdf
- Cyber Essentials scheme: https://www.gov.uk/government/publications/cyber-essentials-scheme-overview
- Active Cyber Defence services: https://www.ncsc.gov.uk/section/active-cyber-defence/services
Article reviewed by the InterTradeIreland Trade Hub Team: March 2026
References
[1] UK Government. Summary of the Bill - Cyber Security and Resilience (Network and Information Systems) Bill: factsheets. Published 12 November 2025: https://www.gov.uk/government/publications/cyber-security-and-resilience-network-and-information-systems-bill-factsheets/summary-of-the-bill
[2] UK Government. Tough new laws to strengthen the UK's defences against cyber-attacks on NHS, transport, and energy. Published 12 November 2025: https://www.gov.uk/government/news/tough-new-laws-to-strengthen-the-uks-defences-against-cyber-attacks-on-nhs-transport-and-energy
[3] UK Government Impact Assessment. Cyber Security and Resilience Bill - Final stage impact assessment. Published November 2025: https://assets.publishing.service.gov.uk/media/690cafd3d4c5f31272d3e6b2/cyber_security_and_resilience_bill_impact_assessment.pdf
[4] UK Parliament. Cyber Security and Resilience (Network and Information Systems) Bill 2024-26. Bill 329 introduced 12 November 2025: https://bills.parliament.uk/bills/4035
[5] UK Government. Enforcement - Cyber Security and Resilience (Network and Information Systems) Bill: factsheets: https://www.gov.uk/government/publications/cyber-security-and-resilience-network-and-information-systems-bill-factsheets/enforcement
[6] NCSC. Cyber Assessment Framework 4.0: https://www.ncsc.gov.uk/files/NCSC-Cyber-Assessment-Framework-4.0.pdf