Written by Joanne Hughes, Policy & Compliance Specialist

Cyber Security and Resilience Bill - Small Business Guide

The Cyber Security and Resilience Bill is the biggest update to UK cyber regulation in years. It widens who is directly regulated and, through the supply chain, reaches far more businesses than it names.

Most small businesses are not directly regulated. The practical impact for them comes through contracts and tenders, as regulated customers push security requirements down their supply chains.

This guide explains what the Bill does, who is in scope, the supply-chain cascade, and where it stands in Parliament.

Where the Bill Stands

Status as of June 2026: the Bill has completed its House of Commons stages and is moving to the House of Lords. Royal Assent is expected later in 2026, with the detail filled in by regulations, and phased implementation could run into 2028.

Because much of the substance sits in secondary legislation still to come, treat the points below as the current shape rather than the final word. We update this guide at each milestone, and you can track progress on the Bill's parliamentary page.

What the Bill Does

The Bill updates the Network and Information Systems Regulations 2018, the UK's existing cyber rules for essential and digital services. It widens the regime, strengthens incident reporting, and raises penalties.

It also gives regulators new powers to bring critical suppliers into scope, which is how the rules reach down the supply chain.

Who Is Directly Regulated

The headline new group is managed service providers. Medium and large providers that manage IT systems for other organisations come under direct regulation for the first time, overseen by the Information Commissioner's Office.

The Bill also covers operators of essential services and digital service providers already in the regime, with data centres above set thresholds and other designated entities brought in. Our managed service provider guide covers that group in detail.

The Supply-Chain Cascade

This is the part that matters to smaller businesses. Regulators can designate critical suppliers, who then become directly regulated, and regulated organisations are expected to push security requirements onto their own suppliers.

The likely effect is that aligned demands appear in contracts, tenders and supplier audits well beyond the directly regulated population. If you supply a regulated customer, you will feel it through your contracts.

Incident Reporting and Penalties

Regulated organisations face a two-stage reporting duty: an initial notification within 24 hours and a fuller report within 72 hours of becoming aware of a significant incident.

Penalties are tiered. The standard maximum is the greater of 10 million pounds or 2 percent of worldwide turnover, rising to the greater of 17 million pounds or 4 percent for the most serious failures.

Bill at a Glance

Element             | Detail
Builds on           | The Network and Information Systems Regulations 2018
New regulated group | Medium and large managed service providers, overseen by the ICO
Supply chain        | Critical suppliers can be designated and brought into scope
Incident reporting  | 24-hour initial notification, 72-hour fuller report
Penalties           | Up to the greater of 17 million pounds or 4 percent of worldwide turnover
Status              | In Parliament as of June 2026, Royal Assent expected later in 2026

What Small Businesses Should Do Now

If you are not directly regulated, the smart move is to get your security documentation in order so you can answer supplier security questions without scrambling. That means an information security policy, an incident response procedure and clear supplier security expectations.

Cyber Essentials certification is a strong, recognised baseline that answers many supplier questions in one go.

How Policy Pros Can Help

We get your security documentation ready for the demands this Bill pushes down the supply chain, from IT security policies to incident response and supplier security. Our Cyber Essentials policies help you meet the baseline customers increasingly ask for.

For the managed service provider view, see our managed service provider guide. Official sources include the GOV.UK Bill collection and the House of Commons Library briefing.

Frequently Asked Questions

Does the Cyber Security and Resilience Bill apply to small businesses?

Most small businesses are not directly regulated by the Bill. The impact usually comes through the supply chain, as regulated customers push security requirements into contracts and tenders. If you supply a regulated organisation, expect to meet those requirements even though you are not named in the Bill.

When will the Cyber Security and Resilience Bill become law?

As of June 2026 the Bill has completed its House of Commons stages and is moving to the House of Lords. Royal Assent is expected later in 2026, with much of the detail set by regulations and phased implementation potentially running into 2028.

Who is newly regulated under the Bill?

The main new group is medium and large managed service providers, which come under direct regulation overseen by the Information Commissioner's Office. The Bill also updates the regime for operators of essential services and digital service providers and lets regulators designate critical suppliers.

What are the incident reporting deadlines in the Bill?

Regulated organisations face a two-stage duty: an initial notification within 24 hours of becoming aware of a significant incident, followed by a fuller report within 72 hours. Notification to the National Cyber Security Centre and affected customers may also be required.

What should a small business do to prepare?

Get your security documentation in order so you can answer supplier security questions quickly: an information security policy, an incident response procedure and supplier security expectations. Cyber Essentials certification is a recognised baseline that answers many of those questions at once.
