The Cyber Security and Resilience (Network and Information Systems) Bill was introduced to Parliament on 12 November 2025, with Royal Assent expected late 2026 and phased commencement running through 2028. On 15 October 2025 the Information Commissioner's Office (ICO) fined Capita plc and Capita Pension Solutions a combined 14 million pounds for a March 2023 breach that affected 6.6 million people, with the regulator citing a 58-hour delay in quarantining an infected device after a high-priority alert was raised within 10 minutes. For Chief Information Security Officers (CISOs) and Data Protection Officers (DPOs) sitting inside UK operators of essential services, managed service providers (MSPs), datacentre operators and their critical suppliers, the regulatory pipeline now looks heavier than at any point since the Network and Information Systems (NIS) Regulations 2018 came into force. The Bill expands scope, splits supervision across the ICO and the National Cyber Security Centre (NCSC) with sector regulators, accelerates the reporting clock and ties fines to global turnover. What exactly changes when the Bill commences, who falls inside the new perimeter, how do the new reporting and penalty mechanics work, and what should a UK CISO build over the next 90 days so the first audit cycle does not become the first enforcement file? This guide answers each of those questions against the statutory text, the ICO's 2025 enforcement record and NCSC's Cyber Assessment Framework (CAF) v4.0.
What the Cyber Security and Resilience Bill changes from the NIS Regulations 2018
The current regime, the NIS Regulations 2018, was built for a smaller universe of operators of essential services in energy, transport, water, health and digital infrastructure, plus a narrow class of relevant digital service providers. The Bill rewrites that perimeter and gives sector regulators sharper tools. Three structural shifts matter most. First, scope expansion: managed service providers, datacentre operators with a contracted IT power load of 1 megawatt or more, and a new category of "critical suppliers" come directly inside the regime for the first time. Second, supervisory teeth: sector regulators (Ofcom, Ofgem, Ofwat, NHS England, the FCA and PRA for finance, and the ICO for relevant digital services) retain their competent-authority status, while the NCSC takes a more visible supervisory role across the board. Third, the penalty ladder is rebuilt with two tiers and a daily fine for ongoing contraventions. The Bill also formalises customer-notification expectations in defined circumstances, supply-chain risk obligations that line up with CAF v4.0 outcomes, and a clear incident clock of a 24-hour early warning followed by a 72-hour full report, both to the sector regulator and to the NCSC. None of these obligations is new in spirit. What changes is that they become statutory duties backed by turnover-linked fines, replacing a regime in which many operators treated the NIS Regulations as a paperwork exercise. The Capita penalty, in which the ICO's proposed fine of 45 million pounds was reduced to 14 million through its voluntary settlement process, is a preview of what a confident regulator looks like once the Bill is in force. CISOs should assume that the evidentiary standard the ICO applied under Article 32 of the UK General Data Protection Regulation (UK GDPR) will be the standard the NCSC and sector regulators apply under the new statute.
Who is in scope: MSPs, datacentres, critical suppliers and the NIS legacy
The previous regime missed entire categories of operator that 2024 and 2025 attacks proved to be systemically important. The Bill closes those gaps explicitly, and CISOs need to test their own designation early rather than wait for the sector regulator to assert it. Managed service providers are now named in primary scope. Any organisation providing ongoing administration, monitoring or operation of customer IT systems, including remote management, cybersecurity services, identity services or cloud-management offerings, should expect to be inside the regime. The Marks and Spencer compromise in April and May 2025, which started inside the Tata Consultancy Services helpdesk, is the regulator's exhibit A for why MSPs must be supervised in their own right. Datacentre operators with at least 1 megawatt of contracted IT power fall in by physical-asset threshold, which captures most colocation and hyperscale facilities operating in the UK. Critical suppliers are designated by sector regulators on the basis of how serious a disruption to their service would be for an operator of essential services. The Synnovis pathology incident in June 2024, which contributed to 10,000 cancelled outpatient appointments, 1,700 cancelled operations and a confirmed contribution to a patient death at King's College Hospital, is the model case for what "critical supplier" is intended to capture. UK arms of Indian and EU multinationals should map their group entities carefully. A UK-incorporated MSP subsidiary will be in scope on its own footing. A UK datacentre operated as a branch of an EU parent will be in scope under the UK regime independently of any European Union Network and Information Security Directive 2 (NIS2) designation at the parent. Where a group already provides services into the EU, dual NIS2 and UK regime obligations diverge on customer-notification thresholds, on supplier supervision and on the incident reporting clock. 
Building a single internal definition of "reportable incident" that satisfies both is the work to start now, before sector regulators publish UK-specific incident thresholds in secondary regulations.
The 24-hour and 72-hour incident reporting clock
UK CISOs have been operating under multiple overlapping reporting clocks for years. The Bill consolidates one set of those clocks for the cyber regime and tightens the front end. The mechanic is a 24-hour early warning followed by a 72-hour full incident report, both to the sector regulator and to NCSC. The 24-hour window is short on purpose. It is built to force operators to surface an incident before the technical investigation is complete, in the same way the Article 33 UK GDPR 72-hour clock has long forced controllers to notify the ICO with whatever they have. Expect the regulator to read a 24-hour delay similarly to how the ICO read Capita's 58-hour containment delay: as evidence that detection, triage and escalation were not built to the standard the statute now requires. A parallel ransomware-reporting regime is moving alongside the Bill. The Home Office government response of 22 July 2025 confirms that public-sector bodies and Critical National Infrastructure (CNI) operators will be banned from paying ransoms; all other UK victims contemplating payment will fall into a payment-prevention regime with a 72-hour notification of intent to pay; and economy-wide mandatory incident reporting (72-hour initial and 28-day full) is also being legislated. CISOs should assume that, by 2027, a single material ransomware event will potentially generate three distinct reporting channels: sector regulator plus NCSC under the Bill, ICO under Article 33 UK GDPR where personal data is involved, and Action Fraud or the National Crime Agency under the Home Office package. Whether those channels will be harmonised before commencement is an open interpretive question and one of the items board cyber committees should put to external counsel during 2026. Tabletop exercises through 2026 should now be timed against the 24-hour clock, not the 72-hour clock. 
Confirm in writing that on-call security leadership, communications, legal and the sector-specific incident-response contact can produce a structured early-warning notification within hours of declaration. Where 24x7 detection and triage is not yet in place, building it or sourcing it through a regulated 24x7 Security Operations Centre partner is the foundational control the rest of the Bill assumes is already there.
How the new penalty structure ties fines to global turnover
The penalty ladder in the Bill is the change that will move boards. The current NIS Regulations 2018 cap fines at 17 million pounds, but in practice enforcement has been rare. The Bill rebuilds the structure as a tiered, turnover-linked regime, with ongoing-contravention pressure. The tiers, per law-firm analysis of the Bill text, are: up to 10 million pounds or 2 percent of global annual turnover (whichever is greater) for standard breaches; up to 17 million pounds or 4 percent of global annual turnover for serious breaches; and up to 100,000 pounds per day for ongoing contraventions. Two design points matter. The percentage element means a UK subsidiary of a global parent is now exposed to fines calculated against group turnover. The daily contravention penalty creates direct financial pressure to remediate findings inside agreed deadlines rather than negotiate them down across multi-year programmes. The ICO's 2025 record gives a clear picture of how a UK security regulator already calibrates fines under Article 32 UK GDPR. Capita: 14 million pounds, reduced from a proposed 45 million via voluntary settlement, with the ICO citing inadequate vulnerability management and delayed containment. Advanced Computer Software Group: 3.07 million pounds (reduced from 6.09 million provisional), the first UK GDPR fine of a data processor following ransomware, with a customer account without multi-factor authentication (MFA) cited as the root cause. 23andMe: 2.31 million pounds (reduced from 4.59 million provisional) after credential-stuffing between April and September 2023 exposed genetic data of 155,592 UK residents, with failure to mandate MFA on highly sensitive data the lead failing. DPP Law: 60,000 pounds, showing that mid-market law firms are inside the enforcement perimeter too. 
The Data (Use and Access) Act 2025 (DUAA), in force from 5 February 2026, also raises Privacy and Electronic Communications Regulations (PECR) fines to UK GDPR ceilings of 17.5 million pounds or 4 percent of global turnover, and gives the ICO new binding assessment notices and compulsory interview notices. Combine that with the Bill's tiered structure and the practical effect, for an in-scope UK CISO, is that 2026 enforcement risk is no longer bounded by a fixed sterling cap. It is bounded by group turnover and by how long the regulator believes a contravention persisted.
Mapping CAF v4.0 controls to your existing programme
The Bill does not codify specific controls. It assumes that the NCSC's Cyber Assessment Framework (CAF), updated to version 4.0, becomes the operational baseline against which competent authorities supervise in-scope entities. CAF v4.0 keeps the structure that supervisory teams already know: 4 Objectives, 14 Principles and 41 Contributing Outcomes, covering managing security risk, protecting against cyber attack, detecting cyber security events and minimising the impact of incidents. The update adds explicit coverage of secure software development, AI-related cyber risks (model supply chain, prompt injection, data poisoning, agentic identity governance) and stronger threat-hunting and monitoring requirements. CAF v4.0 is also being extended in scope to MSPs and datacentres in 2026, which means the same outcome catalogue an NHS trust uses today will be the catalogue an in-scope colocation operator is measured against from commencement. For programme owners, the practical move is to take the four objectives and map each contributing outcome to an existing control in the cyber-control library. A1 to A4 (managing security risk): governance and board ownership, risk management, asset management, supply chain. B1 to B6 (protecting against attack): service protection policies and processes, identity and access control, data security, system security, resilient networks and systems, staff awareness and training. C1 to C2 (detecting cyber security events): security monitoring, proactive security event discovery. D1 to D2 (minimising impact): response and recovery planning, lessons learned. Each outcome should have a named control owner, a primary evidence artefact and a dated, tested operating-effectiveness sample. Where coverage is genuinely thin (most programmes find this in C1 security monitoring, B4 system security around legacy estates and the new AI-related outcomes), prioritise remediation against the Bill's commencement window rather than against an internal three-year roadmap.
A targeted AI risk assessment against the CAF v4.0 AI outcomes is a sensible first deliverable for any board that has approved generative-AI use cases since 2024.
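As an added worked example (not code from the original article and not NCSC tooling), the following Python script takes a control-to-evidence map of the shape described above and produces the prioritised gap list a programme owner would carry into the first audit cycle. The outcome identifiers follow the CAF naming style but the records, owners, artefacts and dates are constructed for illustration; the one-year staleness threshold and the ranking rule are assumptions, not anything the CAF or the Bill prescribes.

```python
"""Gap analysis over a CAF control-to-evidence map.

Added example: not NCSC tooling and not code from the article. Outcome ids follow the
CAF naming style (principle letter and number, then an outcome letter); the records
below are constructed and cover only a handful of the catalogue's outcomes.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

STALE_AFTER_DAYS = 365   # assumption: evidence not re-tested within a year counts as a gap
ACHIEVEMENT_RANK = {"not achieved": 0, "partially achieved": 1, "achieved": 2}


@dataclass(frozen=True)
class OutcomeRecord:
    outcome: str                      # e.g. "B2.a"
    principle: str                    # e.g. "B2 Identity and access control"
    control_owner: Optional[str]      # role or person accountable for the control
    evidence_artefact: Optional[str]  # primary artefact an auditor would be shown
    last_tested: Optional[date]       # when operating effectiveness was last sampled
    achievement: str                  # self-assessment: achieved / partially achieved / not achieved

    @property
    def objective(self) -> str:
        """CAF objective letter A to D, taken from the outcome id."""
        return self.outcome[0]


def assess(record: OutcomeRecord, as_of: date) -> list:
    """Return the gap reasons for one outcome; an empty list means the outcome is evidenced."""
    gaps = []
    if not record.control_owner:
        gaps.append("no control owner")
    if not record.evidence_artefact:
        gaps.append("no evidence artefact")
    if record.last_tested is None:
        gaps.append("never tested")
    else:
        age = (as_of - record.last_tested).days
        if age > STALE_AFTER_DAYS:
            gaps.append(f"evidence stale ({age} days)")
    if record.achievement != "achieved":
        gaps.append(f"self-assessed {record.achievement}")
    return gaps


def gap_report(records, as_of: date) -> list:
    """Outcomes carrying at least one gap, worst first: lowest self-assessment, then most reasons."""
    rows = [
        {"outcome": r.outcome, "principle": r.principle, "owner": r.control_owner,
         "achievement": r.achievement, "gaps": assess(r, as_of)}
        for r in records
    ]
    rows = [row for row in rows if row["gaps"]]
    rows.sort(key=lambda row: (ACHIEVEMENT_RANK[row["achievement"]], -len(row["gaps"]), row["outcome"]))
    return rows


def objective_coverage(records, as_of: date) -> dict:
    """Per objective letter: (outcomes with no gaps, outcomes mapped)."""
    coverage = {}
    for r in records:
        clean, total = coverage.get(r.objective, (0, 0))
        coverage[r.objective] = (clean + (0 if assess(r, as_of) else 1), total + 1)
    return coverage


AS_OF = date(2026, 3, 31)   # assumed review date
# Constructed sample map: a few outcomes, not the full catalogue.
SAMPLE_RECORDS = [
    OutcomeRecord("A1.a", "A1 Governance", "CISO", "Board cyber risk minutes, Jan 2026", date(2026, 1, 20), "achieved"),
    OutcomeRecord("A4.a", "A4 Supply chain", "Head of Procurement", None, date(2025, 2, 10), "partially achieved"),
    OutcomeRecord("B2.a", "B2 Identity and access control", "IAM lead", "MFA enforcement export", date(2026, 3, 2), "achieved"),
    OutcomeRecord("B4.a", "B4 System security", "Platform lead", "Patch SLA report", date(2024, 11, 5), "partially achieved"),
    OutcomeRecord("C1.a", "C1 Security monitoring", None, None, None, "not achieved"),
    OutcomeRecord("C2.a", "C2 Proactive security event discovery", "SOC manager", "Threat hunt log", date(2025, 9, 15), "achieved"),
    OutcomeRecord("D1.a", "D1 Response and recovery planning", "Head of IR", "Tabletop report, Mar 2025", date(2025, 3, 1), "achieved"),
]

if __name__ == "__main__":
    for row in gap_report(SAMPLE_RECORDS, AS_OF):
        owner = row["owner"] or "UNASSIGNED"
        print(f'{row["outcome"]:<6}{row["principle"]:<40}{owner:<22}{"; ".join(row["gaps"])}')
    print(objective_coverage(SAMPLE_RECORDS, AS_OF))
```

The ranking deliberately puts a self-assessed "not achieved" outcome ahead of an "achieved" one with stale evidence: both are findings, but the first is a control gap and the second is an evidence gap, and the commencement window is better spent on the former. Swap the constructed records for an export of the real map and the same functions give the gap list for weeks 1 to 4 of the readiness plan.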
Supply-chain and third-party risk: the M&S, Synnovis and JLR lessons
Almost every flagship 2024 and 2025 incident in the UK started outside the victim's own perimeter. The Bill, the forthcoming Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA) Critical Third Parties (CTP) regime, and CAF v4.0 all push third-party risk from a contractual question to a supervised one. The case set is now well documented. M&S, Co-op and Harrods (April and May 2025) were attacked by Scattered Spider operating with the DragonForce ransomware group, with the initial M&S compromise traced to the Tata Consultancy Services helpdesk. The Cyber Monitoring Centre estimated the combined cost at up to 440 million pounds. Synnovis, the NHS pathology supplier, was hit by Qilin ransomware in June 2024, with 400 gigabytes exfiltrated and clinical impact that contributed to a patient death. Jaguar Land Rover halted production for around five weeks across Solihull, Halewood and Wolverhampton from 1 September 2025, with an estimated 1.9 billion pound financial impact and a Bank of England assessment linking the disruption to a 0.17 percentage point Q3 GDP contraction. More than 5,000 UK organisations in the JLR supply chain were affected. What changes under the new perimeter is that the regulator can reach the upstream supplier directly. An MSP providing helpdesk services into a regulated bank no longer sits behind a contractual veil. A datacentre operator above the 1 megawatt threshold is in scope in its own right, whoever its tenants are. A "critical supplier" designation can be made by the sector regulator over an operator's head. CISOs should respond by tightening three areas. First, supplier inventory: produce a definitive list of which suppliers, if they failed, would breach an impact tolerance, miss a CAF outcome or trigger a Bill incident report. Second, evidence rights: contracts should give the operator audit, assessment and incident-information rights that line up with what sector regulators will demand.
Third, joint exercises: tabletop with the top 10 supplier relationships at least annually, with named regulator-notification roles on both sides. A scoped third-party penetration testing programme against the highest-risk suppliers gives the operator independent evidence rather than relying on supplier self-attestation alone.
The 90-day readiness checklist for UK CISOs
The Bill has not yet commenced; the gap between now and commencement is the working time the programme has. A pragmatic 90-day plan, built around what the regulator is plainly going to test in the first audit cycle, breaks into three blocks of four weeks each.

Weeks 1 to 4: establish scope and the evidence base. Confirm in writing whether each UK entity is an operator of essential services, an MSP, a datacentre operator over the 1 megawatt threshold, or potentially a critical supplier. Produce a CAF v4.0 control-to-evidence map for each in-scope entity, listing owner, evidence artefact and last test date for each of the 41 contributing outcomes. Tabletop a ransomware scenario against the 24-hour and 72-hour clocks, with sector regulator and NCSC notification roles named. Capture the gap list.

Weeks 5 to 8: close the controls that 2025 enforcement has already proven are non-negotiable. MFA on all remote access and all administrative accounts, without exception (the 23andMe and Advanced fines are unambiguous on this). Network segmentation between corporate, OT and customer-facing estates, with documented test results. Endpoint detection and response with a documented mean time to contain, measured against the Capita 58-hour benchmark. A documented vulnerability management process with patch SLAs and exception tracking that an auditor can read in 30 minutes. A formal supplier inventory tied to impact-tolerance failure modes, and a refreshed contract clause library. Run an end-to-end vulnerability assessment and penetration testing (VAPT) cycle against the in-scope estate and document remediation against the next audit window.

Weeks 9 to 12: test under regulatory pressure. Run a red-team or attack-simulation exercise that includes social engineering against the helpdesk, MSP impersonation and credential stuffing against externally exposed identity portals. Time the response against the 24-hour and 72-hour clocks simultaneously.
Produce a board-ready briefing document covering scope confirmation, control mapping, gap closure, tested incident response and outstanding interpretive questions for external counsel. Confirm directors and officers, cyber insurance and operational-resilience impact tolerances are aligned to the new statutory exposure. For UK programmes that need to add capacity quickly without expanding UK headcount, Certbar Security operates as a CERT-In empanelled, India-based VAPT, SOC and compliance partner with delivery teams that work across UK business hours and overnight detection coverage. The model gives a UK CISO regulator-mapped audit evidence, cost-effective offshore delivery against the CAF v4.0 outcome catalogue and 24x7 SOC monitoring through commencement of the Bill, without disrupting an existing UK SOC or internal audit function.
Interpretive questions to put to your board and external counsel
Not every question the Bill raises will be answered in primary legislation. Several material points will only become clear in secondary regulations, sector-regulator codes and early enforcement decisions. CISOs should table these now so the board engages with them in 2026 rather than during an incident in 2027. Five questions matter most. One: how will "critical supplier" designation interact with the FCA and PRA Critical Third Parties regime, particularly where the same cloud hyperscaler is in scope under both? Two: will the targeted ransomware payment ban for CNI and public sector cut across the FCA and PRA operational-resilience impact-tolerance rules, where paying a ransom might be the only way to remain within tolerance? Three: what thresholds will trigger mandatory customer notification under the Bill, and how will those interact with the existing ICO 72-hour personal-data breach regime under Article 33 UK GDPR? Four: how prescriptive will NCSC and ICO guidance become on AI-system specific controls, given CAF v4.0 references AI risks at outcome level but does not yet codify operational standards? Five: will sector regulator, NCSC and Action Fraud or National Crime Agency reporting channels be harmonised before commencement? Bring those questions to the audit and risk committee with a written position on each, supported by external counsel where appropriate. The supervisory regime that the Bill brings into force is built for regulators that ask sharp questions and expect documented answers. CISOs who arrive at first inspection with a control-to-outcome map, a tested 24-hour incident clock, a closed list of 2025-style failings, and a written position on the open interpretive questions will be the ones who turn the Cyber Security and Resilience Bill from an enforcement exposure into a structural advantage.
Nirav Goti, Co-Founder & CEO at Certbar, leads R&D and delivery. With 7+ years in ethical hacking, he chairs SGCCI’s cybersecurity committee. A seasoned speaker, Nirav graduated in Computer Science, specializing in wireless communication, networking, and information security. Former roles include Professional Service Manager at HulkApps, Inc.