


      On 1 April 2025, the UK Government published its Cyber Security and Resilience Policy Statement, marking a significant step forward in strengthening the nation’s digital defences. This policy introduced legislative measures to expand the scope of the Network and Information Systems (NIS) Regulations, as part of a broader initiative to enhance national cyber resilience.

      The Cyber Security and Resilience Bill underscores the UK’s growing reliance on digital systems and the risks posed by increasingly complex supply chains. Building on the NIS Regulations, which focused on compliance and regulatory measures, the Bill introduces a more strategic approach through prioritising proactive risk management and resilience, encouraging organisations to actively think ahead and strengthen their defences to ensure their critical services can withstand a cyber incident.

      The updated legislative intent brings a key change to existing regulation, encompassing a wider range of organisations into the regulatory scope, including Managed Service Providers (MSPs), reflecting the evolving threat landscape and the critical role these entities play in the UK’s digital infrastructure. By doing so, the government aims to improve the security and resilience of essential IT systems and services, protect a broader range of sectors from cyber threats and develop a more comprehensive understanding of the risks facing the UK’s critical digital services.

      Janina Herrmann

      Director, Consulting Cyber and Resilience

      KPMG in the UK

      Georgia Hunter

      Senior Manager, Operational Resilience

      KPMG in the UK



      Expanding the scope of cyber security regulation

      One of the key differentiators of the Cyber Security and Resilience Bill compared with other cyber regulations is its expansion beyond the UK’s traditional critical national infrastructure sectors such as energy, transport, water, and healthcare. While these remain central, the Bill recognises that the threat landscape has evolved, and organisations in scope will include:

      Managed Service Providers (MSPs): These providers deliver crucial IT services and cybersecurity support to many organisations, meaning a single breach can impact numerous clients. Recognising this risk, the Bill holds MSPs to the same rigorous standards as traditional critical sectors.

      Operators of essential services (OES) and relevant digital service providers (RDSP): The Bill addresses a major gap in the NIS Regulations by introducing targeted measures to manage supply chain cyber risks. It gives the government power to set stricter supply chain duties for OES and RDSP and allows regulators to designate high-risk vendors as Designated Critical Suppliers (DCS). These suppliers will face obligations similar to those of regulated entities, and this shift aims to reduce the risk of major service disruptions caused by vulnerabilities in third-party providers, boosting overall national cyber resilience.


      What does this mean for organisations?

      These organisations will be subject to the following requirements introduced by the Bill to increase the resilience of critical infrastructure and ensure the continued delivery of essential services:

      • Resilience culture

        Encourages embedding cyber governance at the leadership level, pushing organisations to adopt frameworks like Cyber Essentials and stricter protocols such as regular security audits and system upgrades.

      • Improved cyber incident reporting

        Organisations must notify the regulator of any significant cyber incidents that could materially affect the delivery of essential services. The reporting process follows a two-stage structure: an initial notification must be submitted to both the regulator and the NCSC within 24 hours of becoming aware of the incident, followed by a detailed incident report within 72 hours.

      • Strengthening the Information Commissioner’s Office (ICO)

        Expanded duties for digital service providers to share information with the ICO during registration, broader criteria for the ICO to issue information notices, and the creation of information-sharing gateways that allow third parties to provide relevant data to the ICO.

      • Stronger supply chain

        By enabling regulators to proactively identify and oversee critical suppliers, the Bill aims to reduce systemic risk and improve resilience across interconnected supply chains. Organisations will need to assess and strengthen their supplier relationships, implement robust third-party risk management practices, and ensure compliance throughout their extended operational networks.

      Why is cyber security central to operational resilience?

      While the Cyber Security and Resilience Bill aims to strengthen the UK’s digital defences, its true value lies in how it enhances broader operational resilience by embedding cyber security into the core of organisational risk management and continuity planning.

      In today’s digital world, cyber threats such as ransomware and supply chain attacks are not just IT issues; they are direct risks to an organisation’s ability to continue delivering essential services. This makes cyber resilience a fundamental part of operational resilience.

      The financial services sector provides a well-established example of how cyber and operational resilience can be integrated, particularly through its Critical Third-Party (CTP) regulation. This offers valuable insights into some of the expectations set by the Cyber Security and Resilience Bill:

      • Both the Bill and the CTP framework place strong emphasis on third-party risk.

        They recognise that a disruption to a single provider, such as a cloud platform or IT infrastructure service, can have a ripple effect across multiple essential services. This is especially relevant for managed service providers (MSPs), whose resilience is critical to the wider supply chain.

      • Incident reporting is another area of alignment.

        While both frameworks require timely notification of significant cyber incidents, the Bill introduces a more structured approach and stricter timelines, which help improve regulatory oversight and support faster, more coordinated responses.

      • The Bill also adopts principles from the National Cyber Security Centre’s Cyber Assessment Framework (CAF).

        This mirrors the financial sector’s approach, which is itself influenced by the EU’s Digital Operational Resilience Act (DORA), where CTPs are expected to continuously assess and manage both internal and external risks, and to adapt based on lessons learned.


      Conclusion

      The Cyber Security and Resilience Bill represents a pivotal step in the UK’s commitment to strengthening national cyber resilience. By expanding the scope of the NIS regulations and placing greater emphasis on Managed Service Providers (MSPs) and supply chain security, the Bill aims to protect a broader range of essential services from increasingly sophisticated cyber threats.

      Recent events have exemplified the real-world impact of cyber vulnerabilities. For example, earlier this year a major IT outage at Heathrow Airport caused widespread flight cancellations and delays, disrupting thousands of passengers. Similarly, a cyberattack on Spain’s energy grid in early 2024 led to temporary blackouts and operational disruptions, both demonstrating how threat actors are now targeting critical infrastructure with the potential to destabilise entire operations.

      The Cyber Security and Resilience Bill is a timely step in the right direction, reinforcing the principle that it is no longer a matter of if a cyber incident will occur, but when. It should be recognised not just as a regulatory measure, but as a strategic catalyst for embedding cyber resilience into the heart of operational continuity, drawing on the Financial Services sector’s hard-earned lessons to fortify the UK’s digital infrastructure.


      Introducing Our Resilience Series

      This article marks the beginning of a series from us, and in our next article we will explore the cyber security angle of these changes in more detail, examining what the new regulatory expectations mean in practice, how organisations can assess their current cyber maturity and what steps they should take to align with the Bill’s requirements. We’ll also explore how threat actors are evolving, what proactive defence looks like in today’s landscape, and how businesses can build resilience not just within their own operations, but across their entire digital supply chain.

      Stay with us as we unpack the future of resilience—where cyber security meets continuity, and preparation becomes competitive advantage.


