What the Cyber Security and Resilience Bill actually means

Carl Heaton · Security Commentary

The NCSC handled 204 nationally significant incidents in the past 12 months. The year before, it was 89. That's not a trend. That's a step change.

Parliament has noticed. The Cyber Security and Resilience Bill is now in committee, being scrutinised line by line, with the committee expected to report by 5 March. This is the most significant change to UK security regulation since the NIS Regulations landed in 2018.

The Bill is still in committee and subject to amendment. But as it stands, here's what's in it.

Who it affects

The original NIS Regulations covered operators of essential services and digital service providers. The new Bill expands that scope in two directions: it regulates MSPs directly, and it places new supply chain duties on their customers.

If you're an MSP

The test is straightforward. If you manage IT systems for other businesses, you connect to their networks to do it, and you're not a small or micro enterprise (50 or more employees or €10 million in turnover), you're in scope. The euro figure comes from the EU SME definition the Bill references, a holdover from the original NIS Directive. It doesn't matter what sector your clients are in. A company managing laptops for an estate agent is caught the same as one running infrastructure for a hospital. DSIT research estimates around 1,500 of the roughly 11,500 MSPs in the UK will be affected, regulated by the Information Commission.

MSPs have been a favourite target for attackers for years, precisely because compromising one gives access to every client they manage. The MOD payroll breach via an MSP in 2024 made that point clearly enough. The supply chain angle is finally getting legislative attention.

If you're a customer in a regulated sector

Operators of essential services in health, transport, energy, water, and digital infrastructure already have obligations under the NIS Regulations. The Bill adds a new one: you'll have a statutory duty to manage the security risks in your supply chain. That includes your MSP. The detail will come through secondary legislation, but the direction is clear. If your IT provider has an incident, regulators will ask what you did to manage that risk.

If you're a smaller supplier to essential services

There's a separate power allowing regulators to designate any supplier as a "critical supplier" if their failure could significantly disrupt essential services or the wider economy. This can catch smaller MSPs that fall below the 50-employee threshold, but the bar is high. The government has said this is aimed at tier-1 suppliers, not the long tail.

Data centres with 1 MW or more of IT capacity are in scope too, overseen by Ofcom.

What it requires

Two things stand out.

Incident reporting gets tighter. Regulated organisations will need to notify within 24 hours of becoming aware of an incident, followed by a full report within 72 hours. Both notifications go to the relevant regulator and the NCSC. If customers are affected, they need to be told too.

The Secretary of State gets broader powers. The Bill includes delegated powers that allow new "essential activities" to be added to scope without fresh legislation. The regulatory perimeter can expand without going through Parliament again.

What the penalties look like

The standard maximum is £10 million or 2% of global turnover, whichever is higher. For more serious breaches, that rises to £17 million or 4% of worldwide turnover. There's also a daily penalty of up to £100,000 for ongoing non-compliance.

These are GDPR-scale numbers. For most SMEs, the daily fine is the one to watch. It turns a compliance gap from a one-off problem into a compounding one.

The £210 million Cyber Action Plan

Separately, the government announced £210 million for a Cyber Action Plan focused specifically on public sector resilience. This is distinct from the Bill itself, but signals the same direction of travel. A new Cyber Unit will coordinate responses across government, and there's an ambassador scheme aimed at encouraging secure software development.

This follows a difficult 2025 for UK organisations. Marks & Spencer, the Co-op, and Jaguar Land Rover all suffered significant incidents. The doubling of nationally significant incidents handled by the NCSC makes the spending hard to argue with.

What this means in practice

If you're an MSP, you probably already know whether you're above the threshold. If you are, start thinking about incident reporting, security obligations, and what Information Commission oversight will look like. This isn't optional and it isn't distant.

If you're a business in a regulated sector, the Bill makes you accountable for your supply chain. Ask your MSP what their incident reporting process looks like. Ask how they'd notify you within 24 hours if something went wrong. If they can't answer clearly, that tells you something about a risk you're now expected to manage.

If you're an SME outside regulated sectors, the Bill probably doesn't affect you directly. But your MSP is likely in scope regardless, and the direction of travel is clear. The government is tightening security regulation, expanding scope, and increasing penalties. Cyber Essentials is still voluntary for most businesses, but the regulatory floor is rising. Getting your house in order before you're required to is cheaper and less stressful than doing it under pressure.

The Bill is expected to complete its passage through Parliament later this year, with full implementation likely by 2028. That sounds distant. It isn't.
