The UK’s cyber laws are evolving. The upcoming Cyber Security and Resilience Bill is set to raise the bar on cyber protection across essential services and digital businesses. In this post, we’ll break down the Bill’s key measures and discuss how Cyber & Data’s services – notably Cyber Essentials certification support and our Cyber Risk Assessment (CRA) – can help your organisation get ahead of these changes. The focus is on practical guidance for SMEs and charities, who, while not directly regulated by the Bill, will feel its impact indirectly and can seize this moment to strengthen their cyber defences.

A Quick Summary of the Bill

What is the Cyber Security and Resilience Bill? It’s new UK legislation (expected before Parliament in 2025) that updates the 2018 Network and Information Systems (NIS) Regulations. The Bill’s goal is to boost the UK’s cyber resilience in the face of rising threats – from state-sponsored attacks to ransomware – and to protect the services we all rely on (energy, healthcare, digital services, etc.). In plain terms, it’s about making sure that critical organisations, and the companies that support them, are doing what’s necessary to fend off cyber attacks and recover quickly if incidents occur.

Key measures in the Bill include:

  • Expanding Scope to MSPs: Managed Service Providers – IT service companies that manage systems for clients – will come under regulation for the first time. This means hundreds of previously unregulated tech providers (an estimated 900–1100 MSPs across the UK) will be required to meet specific security standards. Why? REcent attacks on companies via their MSPs showed that weaknesses in IT providers can cascade to many victims. Under the Bill, MSPs will be overseen by the ICO and held to similar duties as cloud or digital service providers – ensuring they themselves practice good cyber hygiene and protect client data.

  • Strengthening Supply Chain Security: The Bill gives regulators new powers to tackle supply chain risks. Essential service operators (think NHS trusts, utilities) and major digital firms will be expected to impose cybersecurity requirements on their key suppliers. The intent is to prevent a weak link in the chain from undermining an entire sector’s resilience. Practically, large organisations will increase scrutiny on the cyber practices of even their smaller partners.

  • Tightening Incident Reporting: Today, many cyber incidents don’t have to be reported unless they cause service outages. The new law will broaden the criteria of what must be reported (e.g. significant data breaches or ransomware, even if services keep running). It also introduces faster reporting timelines: affected organisations must notify regulators and the National Cyber Security Centre (NCSC) within 24 hours of discovering a major incident, and provide a full report within 72 hours. Additionally, certain digital providers (like cloud services, and potentially data centre operators) will have to inform their customers if they suffer a significant incident. This emphasis on quick transparency aims to ensure help can be provided promptly and that downstream users can take precautions.

  • Empowering Regulators: The Bill boosts the tools available to regulators (such as the ICO and sector-specific authorities). Regulators will be able to issue binding guidance and codes of practice on what security measures companies should implement, aligning with the latest technical standards (for example, using the NCSC’s Cyber Assessment Framework as a benchmark for good practice). They’ll also be able to recover costs via fees – meaning companies in scope may pay an annual fee to fund oversight, similar to how the ICO operates under GDPR. The ICO in particular will get stronger information-gathering powers to identify which digital providers (including MSPs) are in scope and assess their criticality. In short, expect more active and well-resourced enforcement of cyber rules. Significant penalties (fines) will apply for non-compliance, up to millions of pounds as under the current NIS regime.

What about SMEs and charities? Most small businesses and charities will not be directly regulated by this Bill – it’s targeting larger operators of essential services and key digital providers. The government has stated it wants to “minimise regulatory burden on small businesses,” only roping in a very small number of critical small firms that meet the strict ‘critical supplier’ criteria. For example, a small software vendor that provides a system used throughout the NHS might be singled out, but your average local business or charity is not going to get an unexpected compliance notice from a regulator. However, that doesn’t mean SMEs and charities can ignore it. The ripple effects are significant:

  • Higher Customer Expectations: If you supply products or services to any larger company or public sector body, you’ll likely see tougher cybersecurity requirements in contracts. Big organisations will be obliged (and motivated) to ensure their suppliers aren’t the weak link. This could mean needing certifications like Cyber Essentials, passing security questionnaires, or adopting specific policies to keep those clients. Being proactive now (before it’s mandated) can save you scramble and stress later, and may even be a selling point in its own right.

  • Best Practice Becoming Standard Practice: The Bill is part of a broader push to make robust cybersecurity “business as usual” across the economy. It sends a signal that practices once considered optional or “extra” – like regular risk assessments, incident response planning, staff cyber awareness training – are now strongly encouraged for all. SMEs and charities that follow the spirit of the law will reap benefits: fewer breaches and downtime, and greater trust from customers and stakeholders.

  • The Reality of Threats: Importantly, the cyber threats addressed by the Bill (ransomware, data theft, etc.) hit organisations of all sizes. In fact, around half of UK businesses fell victim to a cyber breach or attack in 2024. Charities too have been ransomware targets, suffering loss of donor data and funds, as well as reputaional damage. So even without direct legal obligations, improving your cyber resilience is just good sense. Think of the Bill as a timely reminder to put your cyber house in order.

Cyber Essentials: A Baseline Every Organisation Should Have

One of the best steps any SME or charity can take towards cyber resilience – and something we strongly recommend at Cyber & Data – is to attain the Cyber Essentials certification. This is a government-backed scheme that lays out five fundamental technical controls to protect against the most common threats. Specifically, Cyber Essentials covers:

  • Firewalls and Internet Gateways: Ensuring you have secure barriers at your network perimeter.

  • Secure Configuration: Setting up computers and devices securely (e.g. disabling unused features, enforcing strong settings).

  • User Access Control: Managing accounts and privileges so that staff only have access to what they need, and admin rights are tightly limited.

  • Malware Protection: Using antivirus/anti-malware software or other means to guard against viruses, spyware, ransomware, etc.

  • Security Update Management: Keeping software and devices up-to-date with the latest patches to fix vulnerabilities.

These might sound basic – and that’s exactly the point. They’re the essential baseline. When implemented properly, the five Cyber Essentials controls can prevent around 80% of common cyber attacks. Think of things like phishing emails carrying malware, or opportunistic attacks scanning for unpatched systems – these are largely stopped in their tracks if you have the Cyber Essentials measures in place. It’s no wonder the UK Government promotes Cyber Essentials heavily; it’s described as one of the best tools available to protect the majority of organisations from the majority of cyber attacks.

How Cyber Essentials aligns with the Bill’s goals: The Bill is about raising the overall level of cybersecurity, and Cyber Essentials is the clearest expression of what “good basic security” looks like. In fact, the government’s policy documents have noted that encouraging widespread adoption of Cyber Essentials is one of the easiest ways to boost national resilience, especially among organisations in digital supply chains. If every business a big company deals with has Cyber Essentials, the whole chain is less likely to suffer a simple, preventable breach. So by getting Cyber Essentials certified, you’re very much answering the call of this legislation – even if indirectly. You’re demonstrating that your organisation has the foundational defences that regulators want to see become universal.

Why Cyber Essentials is a smart move now:

  • It’s increasingly expected: Beyond security benefits, Cyber Essentials is swiftly becoming a commercial must-have. Many government contracts already mandate Cyber Essentials certification for bidders. In the private sector, too, large enterprises often prefer suppliers who are certified. Having that Cyber Essentials badge can open doors to opportunities (or at least, keep you in the running when security is assessed).

  • It’s achievable and affordable: Cyber Essentials is designed for SMEs – it’s not a months-long ISO 27001-style ordeal. It involves a self-assessment (and an external scan for the “Plus” version), focusing on practical steps. For most small organisations, it’s very attainable with some guidance. And the process of preparing for it often uncovers quick improvements (for example, “Oh, we never turned on disk encryption on our laptops – let’s do that now”). It’s a high-impact, relatively low-cost exercise.

  • Maintaining it drives good habits: Because certification is annual, it instills a cycle of reviewing and improving basics each year. This continual attention to security hygiene is exactly what the government wants to foster. Threats evolve, and so must our defences; Cyber Essentials provides a framework for that ongoing vigilance.

How we help with Cyber Essentials: Cyber & Data has extensive experience assisting organisations through the Cyber Essentials journey – from gap assessments and remediation support to the final certification. In the context of the new Bill, we emphasize to clients that getting Cyber Essentials now will put you in an excellent position to meet future requirements (be it client-driven or regulatory). It’s not just a box-ticking exercise; it’s laying a strong foundation to build upon. We can guide you step-by-step, and even bundle Cyber Essentials as part of a broader resilience programme.

Building Resilience with a Cyber Risk Assessment (CRA)

Going beyond the basics, organisations should consider a comprehensive Cyber Risk Assessment. Cyber & Data’s CRA service is a deep-dive evaluation of your cybersecurity posture, and it serves as an ideal complement to Cyber Essentials – in fact, it encompasses Cyber Essentials and then some.

What is the Cyber Risk Assessment (CRA)? In short, it’s an expert-led assessment based on the well-known CIS Critical Security Controls – a set of 18 priority control areas that cover all aspects of cybersecurity. Our CRA looks at how your organisation measures up against each of these controls, which include things like inventorying your assets, managing user accounts, securing your configurations, backing up data, monitoring logs, training users, preparing for incidents, and more. For each control, we identify whether you’re at a Good, Better, or Best level (or if anything is missing altogether), and we provide clear recommendations to improve to a desired target state. The outcome is a detailed report and action plan, prioritised by risk.

How does this help with the new Bill? The Bill doesn’t come with a checklist that every business must follow (especially not SMEs, who aren’t directly regulated). But if you read between the lines, it’s pushing organisations towards known best practices – exactly the kind of practices that our CRA encapsulates. By undergoing a CRA, you are essentially benchmarking your organisation against a gold-standard security framework that aligns with regulatory expectations. In fact, the government’s recommended framework for regulated entities (the NCSC’s Cyber Assessment Framework) closely parallels the CIS Controls. So you’ll be preparing as if an auditor were coming – but doing it proactively and on your own terms.

Specific benefits of our CRA service:

  • Maps to Cyber Essentials and beyond: We deliberately map each part of our assessment to the Cyber Essentials requirements where applicable. This means as we evaluate your controls, we also answer: are you meeting CE standards in this area? You’ll clearly see which of the CE’s five control themes need work. In many cases, the CRA will exceed CE’s scope – and that’s a good thing, because you’ll uncover improvements CE doesn’t explicitly require (for example, incident response planning, which CE doesn’t cover, but our CRA does). Think of CRA as one-stop-shopping for all your cybersecurity frameworks: one assessment can set you up to pursue Cyber Essentials, and even inform steps toward ISO 27001 or other standards, since the Controls are quite comprehensive.

  • Focused on resilience: The word “resilience” in the Bill’s title is about keeping businesses running in spite of cyber attacks. Our CRA puts a strong emphasis on measures that enhance resilience, such as data backup and recovery, incident response, and service provider management – which deals with how you manage risk from vendors/partners. By following the recommendations in these areas, an SME or charity can drastically improve its ability to withstand and recover from incidents – exactly what regulators want to see in the wider ecosystem.

  • Prioritised action plan: We understand that smaller organisations don’t have unlimited resources to throw at cybersecurity all at once. A valuable aspect of the CRA is that it prioritises the remediation actions. Typically, we identify the top 5–10 high-priority gaps that should be addressed first (often they relate to strengthening access controls, patching critical systems, or securing default configurations – the common culprits). Lesser risks are slated for later. This way, you can tackle improvements in phases, hitting the most important things early (some of which might coincide with getting Cyber Essentials), and scheduling further enhancements over 6–12 months. It’s a pragmatic roadmap.

  • Documentation and evidence: After a CRA, you’ll have a professional report detailing your security posture. This is more than just an internal tool – you can use it to demonstrate to clients, partners, or insurers that you take cybersecurity seriously and have a plan. In the context of the Bill, if a big customer asks “what are you doing about cybersecurity?”, being able to share that you’ve undergone a Gold-Standard Cyber Risk Assessment and are remediating findings is a strong answer. It shows you’re not waiting around; you’re actively managing your cyber risk.

Cyber & Data’s approach: Our team will work closely with your key people (IT staff or providers, leadership) to gather information for the CRA. We review policies, scan technical configurations, and interview where needed – all with minimal disruption. The result is delivered in a plain-English report with visuals and tables for clarity. We then hold a session with you to walk through the findings and recommended actions. It’s not about pointing out faults; it’s about empowering you with knowledge to improve. Many clients actually turn the CRA report into an actionable checklist for their IT team or provider – and we’re happy to assist or periodically check in as you make progress. By the end of the process, you will have a much clearer understanding of your cyber risks and confidence in how to address them.

Crucially, combining Cyber Essentials certification and a Cyber Risk Assessment gives you the best of both worlds: you achieve an important credential (CE) to show the world, and you get a thorough internal improvement plan (CRA) to elevate your security maturity moving forward. This combination is a powerful way to get ahead of whatever the Cyber Security and Resilience Bill might indirectly throw at you.

Proactive Steps – Get Ahead of the Legislation

The upcoming Cyber Security and Resilience Bill underscores that cybersecurity isn’t just an IT issue – it’s a core business continuity and governance issue. For SMEs and charities, the takeaway should be proactive, not reactive. Here are some final thoughts on taking action:

  • Don’t wait to be compelled – act voluntarily. Often, smaller organisations might only act when a contract forces them to, or after a breach occurs. Break that pattern. Use the momentum of this Bill’s introduction as a chance to review and upgrade your practices before you’re told to. This proactive stance will put you ahead of peers and might even save money (preventing incidents is cheaper than cleaning up after them, and prepping for standards early avoids last-minute costly scrambles).

  • Engage leadership and trustees. Make sure the decision-makers in your business or charity understand the importance of this. The Bill can be a handy reference point to brief your board or trustees: “The government is pushing for better cyber resilience; here’s what we propose to do in our organisation to align with that.” When leadership is on board, initiatives like getting Cyber Essentials or conducting a CRA are seen as strategic, not just operational tasks.

  • Leverage expert help. You don’t have to navigate this alone. Cyber & Data is here to help demystify the requirements and implement solutions that fit your size and sector. Whether it’s guiding you to Cyber Essentials certification, performing a comprehensive Cyber Risk Assessment, delivering staff training, or managing certain security functions for you, we can tailor our support to your needs. Our ethos is to be a trusted partner who boosts your confidence in handling cyber risks.

  • Stay informed. Cyber threats and laws are not one-time news – they evolve. Follow updates from trusted sources like the NCSC. We regularly post updates and insights (on our blog and LinkedIn) about cybersecurity developments, including this Bill’s progress. By staying in the know, you can anticipate what’s coming down the line (for example, if down the road the government extends certain requirements to more businesses, you’ll hear it from us early).

✅ Take Action Now

If you’re an SME or charity leader reading this, ask yourself – is my organisation prepared for the rising expectations on cybersecurity? If the answer is “not fully” or “I’m not sure,” now is the perfect time to act. Get in touch with Cyber & Data to discuss a Cyber Essentials readiness check or to schedule a Cyber Risk Assessment. We’ll bring our expertise to bear so you can focus on your mission with peace of mind that your cyber defences are solid. By proactively strengthening your cybersecurity today, you’ll not only align with the direction of future regulations but also protect the continuity and reputation of your organisation.

Let’s work together to turn the challenges of the Cyber Security and Resilience Bill into opportunities – for stronger security, competitive advantage, and a safer digital environment for all.

If you believe your organisation may be affected, or you want to strengthen your cyber resilience, contact Cyber & Data today for expert guidance and immediate support.

📧 Email: [email protected]
📞 Call: +44 1743 644404

Privacy Preference Center