Active Legislation

The UK just rewrote the cyber rulebook for the first time in seven years.

Legislation | Interactive | May 2026 | 10 min read

The Cyber Security and Resilience Bill updates the laws that govern how UK businesses handle cyber risk. If you are an SME in a supply chain, using a managed IT provider, or delivering digital services, the ground beneath you has shifted. This is the plain-English version.

GHOSTLINE Intel // Legislative intelligence briefing // May 2026

  • £14.7bn: annual cost to the UK economy
  • 1,100: MSPs brought in scope
  • 24hr: incident report window
  • 4%: maximum penalty, as a share of turnover

Why this exists

The UK's current cyber security regulations, the NIS Regulations, landed in 2018. They were based on an EU directive that has since been replaced by a much tougher version called NIS2. Meanwhile, the UK has watched the NHS get hit via a managed service provider, the Ministry of Defence lose staff data through a contractor, and high street retailers get publicly dismantled by ransomware gangs. The government's position is simple: the old framework is no longer enough.

How we got here

2018: NIS Regulations land in the UK
Based on the EU's NIS Directive. Covers operators of essential services and some digital service providers.

Jan 2023: EU activates NIS2 Directive
Stricter baselines, more sectors, tougher penalties. The UK, post-Brexit, is now behind.

2024: NHS Synnovis attack + MoD breach
A ransomware attack on NHS blood-testing supplier Synnovis disrupts London hospitals for months. A state-sponsored breach exposes MoD payroll data via a contractor.

Oct 2025: NCSC Annual Review: 204 significant incidents
The NCSC reports a record year. The government writes to all FTSE 350 CEOs urging action.

12 Nov 2025: Bill introduced to Parliament
The Cyber Security and Resilience Bill formally enters Parliament.

Who is in scope

The net just got wider. Significantly. The original NIS Regulations covered a fairly narrow set. The Bill expands that in three directions: new types of organisation, critical suppliers, and a flexible mechanism to add more sectors later.

New: Managed Service Providers
900 to 1,100 MSPs brought under regulation for the first time. IT management, help desk, and security providers now have statutory obligations.

New: Data Centre Operators
Colocation (1MW+) and enterprise (10MW+) now regulated. Must report incidents and notify affected customers.

New: Critical Suppliers
Regulators can label specific suppliers as "critical" if disruption would significantly impact essential services. Even an SME can be designated.

Expanded: Health, Water, Energy, Transport
Already in scope. Now subject to stronger requirements, tighter reporting, and enhanced regulator powers.

Eight changes that matter

Supply chain: mandatory risk management

New duties require operators to actively assess and manage cyber risk across their supply chains. If you supply a regulated entity, expect questionnaires and audit requests.

NCSC CAF becomes legally binding

In-scope organisations must meet requirements drawn from the NCSC Cyber Assessment Framework, covering governance, risk management, asset management, vulnerability management, identity and access, logging and monitoring, and incident response.

24-hour initial incident notification

Initial notification to the regulator and the NCSC within 24 hours. Full detailed report within 72 hours. "Near miss" incidents also need reporting.

Turnover-based fines for serious breaches

Serious: up to £17 million or 4% of annual global turnover. Less severe: up to £10 million or 2% of turnover. Daily fines of up to £100,000 for continuing non-compliance.

Enhanced ICO and regulator powers

The ICO and other regulators can proactively investigate vulnerabilities, designate critical suppliers, and take enforcement action. They can also recover costs.

MSPs regulated by statute

MSPs will be regulated by statutory obligations, not just customer contracts. They must meet defined security standards, monitor the environments they manage, and report incidents promptly.

Government can expand scope

The Secretary of State can bring new sectors into scope via secondary legislation. If you are "just outside" scope today, that gap may close without much warning.

Emergency direction powers

During national security incidents, the Secretary of State can mandate specific security actions from in-scope organisations without normal regulatory process.

The reporting clock

  • T+0: incident discovered
  • 24hr: initial notification
  • 72hr: full report
  • Prompt: customer notification

Readiness self-check

Tick what you already have.

  • Formal incident response plan exists and has been tested
  • Supplier security requirements are documented in contracts
  • 24-hour reporting process is mapped and understood
  • NCSC CAF alignment has been assessed or started
  • MFA is deployed on email, admin, and finance systems
  • Critical suppliers have been identified and reviewed
  • Board has explicit responsibility for cyber security
  • Evidence of compliance is being collected, not assumed

GHOSTLINE helps you meet these requirements.

BASELINE tracks compliance. ARCHIVE captures evidence. WATCH keeps the board informed. CORE gives you 24-hour reporting capability.
