THE LENS
Digital developments in focus

NCSC insights into what the CSRB means for the UK’s critical suppliers

The UK’s long‑awaited Cyber Security and Resilience Bill (CSRB) is progressing through Parliament - and it lands at a moment when global geopolitics, supply chain complexity, new technologies and the evolving tactics of threat actors are all impacting the cyber landscape. 

Whenever new legislation is proposed, questions arise. We therefore welcomed the invitation to an event hosted by the National Cyber Security Centre (NCSC) and the Department for Science, Innovation and Technology (DSIT) to exchange views on how the Bill can best achieve its critical objectives of improving the UK’s cyber resilience and what this means for in-scope organisations. 

The session highlighted how policy drivers shaped the Bill, confirmed that there will be some alignment with the EU (but only where this makes sense) and enabled us to raise some of those questions triggered by the Bill. We set out below some key takeaways.

Geopolitics is raising the stakes for UK critical infrastructure

Richard Horne, the NCSC’s Chief Executive, described the Bill as arriving at a time when the traditional view of threat actors has changed significantly. Now, criminal groups, nation states and hacktivists increasingly operate in overlapping ecosystems. And in a world where geopolitical tensions continue to rise, the UK - the most targeted country in Europe for cyber-attacks - faces growing exposure.

Strengthening resilience is therefore key, particularly if worsening global relations mean ‘ransomware’ is deployed against UK organisations with no option to pay - disruption, not profit, being the intention. There was a clear message that continuity of service is going to be a critical feature of building cyber resilience, and the ‘direction’ powers built into the Bill are designed to give the UK a real ‘last resort’ tool kit (in a similar way to the Bank of England resolution tools created after the 2008 financial crisis). CNI organisations must therefore build resilience to help retain control of their operations in a crisis.

A sharper focus on supply chain risk

Supply chain resilience is a key focus of the Bill, going further than the EU in this area. With UK organisations relying on long, interconnected supply chains, systemic dependencies have become a major source of exposure. The CSRB deliberately expands regulatory oversight to bring certain managed service providers (MSPs), data centres and others in scope, and builds in powers to designate critical suppliers of in-scope entities (see blog). The event discussed:

  • Group entities: the current draft Bill is not clear whether, for larger organisations, intra-group MSP and data centre functions could be caught. This is clearly something DSIT are considering further.
  • Dual regulation: likewise, ongoing work is needed if possible dual regulation is to be avoided, for example, for financial institutions with large data centres that are already regulated by the FCA and PRA.
  • Designated critical suppliers: DSIT stressed this would only cover tier 1 suppliers and that thresholds would be high. While work is being done on setting the right thresholds, the intention is not to bring too wide a range of suppliers in-scope.
  • Security obligations: these will be more prescriptive. Real focus should therefore be paid to the consultations and secondary legislation, as this will frame what organisations have to do. DSIT discussed putting the Cyber Assessment Framework (CAF) on a firmer footing and aligning with the EU where practicable, particularly around security and incident reporting thresholds.

Greater regulatory activity?

The Bill enhances incident notification obligations, bringing more incidents in scope. It also introduces a new 24-hour initial notification. This upfront notification is expected to be a light touch requirement, intended to just put incidents on the radar of the NCSC and relevant regulators. Secondary legislation will introduce more detail on the reporting thresholds. 

We asked whether the UK planned to follow the EU’s Digital Omnibus proposals which would simplify incident notifications using one centralised platform (see blog) - the short answer was ‘no’. 

The messaging around enforcement continues to evolve. While there are few (reported) cases under the current rules, the CSRB simplifies, as well as strengthens, the penalty regime. It also introduces turnover‑based fines of up to 4%, alongside transparent cost‑recovery powers for regulators. Businesses will therefore need to monitor the increased risk of regulatory action as guidance is developed. 

Board engagement is key but no individual liability (at present) 

Proportionality was described as a clear ministerial policy for the CSRB. This in part explains why no senior management liability regime was introduced. However, CAF does cover cyber governance and board-level responsibility (albeit not individual liability), so we expect this to be an increasing focus of boards’ own governance reviews.

When will this happen?

Assuming the Bill progresses smoothly through Parliament, Royal Assent is anticipated in early 2027, with implementation later that year. A business adjustment period is expected, likely pushing compliance deadlines into 2028. However, the message was clear that in-scope organisations should begin preparing now. That means engaging in the upcoming consultations and also reviewing existing security requirements against what are clearly the ‘new’ expectations for CNI.

The NCSC is here to help

Finally, consistent with our experience in live incidents, the NCSC emphasised that it is not a regulator or interested in enforcement, but is here to help achieve better outcomes for the UK. Horne described this as a strength of the UK’s model – a deliberate decision to preserve industry trust and encourage information sharing. The Telecommunications (Security) Act 2021 was an example of effective co‑development of security codes of practice, and businesses were encouraged to adopt a similar approach with the CSRB (directly or via advisers).

For more information on the CSRB, see our longer briefing here. See also our horizon scanning article on Cyber lessons to take into 2026.
