A New Cyber Law Is Coming. Here's What UK Business Owners Need to Know.
Published by Prestige Cyberguard | July 2026
---
The UK government is in the process of passing its most significant piece of cybersecurity legislation in almost a decade. It's called the Cyber Security and Resilience (Network and Information Systems) Bill — and while the name sounds like something only lawyers and IT directors need to worry about, the implications reach much further than that.
If you run a business in the UK, supply services to larger organisations, use outsourced IT support, or operate in a regulated sector, this Bill is relevant to you. Here's what it actually means, in plain English.
---
## Why is this happening now?
The existing rules — the Network and Information Systems (NIS) Regulations, introduced in 2018 — were built for a different era. They were designed to protect critical national infrastructure: power grids, hospitals, transport networks, water supplies.
But the threat landscape has changed dramatically since then. In 2024, the UK was the most targeted country in Europe for cyber attacks, and over 40% of UK businesses experienced cyber attacks — equivalent to over 600,000 organisations. Cyber attacks are estimated to cost UK businesses £14.7 billion each year. In the year before September 2025, the NCSC managed 429 cyber incidents, almost 50% of which were nationally significant — more than double the amount from the previous year.
The old rules haven't kept pace. The new Bill is the government's response.
---
## What does the Bill actually change?
The reforms fall into three broad areas.
### 1. More businesses will be caught by the regulations
Until now, the NIS Regulations applied mainly to operators of essential services — energy companies, NHS trusts, transport operators — and a narrow set of digital services like cloud providers and search engines.
The new Bill significantly expands that scope. Three categories of business are newly brought in:
Managed Service Providers (MSPs). This is the big one for SMEs. Many companies now outsource their IT services to managed service providers, who may provide IT helpdesks and cybersecurity services. They have unprecedented access to their customers' systems, making them an attractive target that cyber actors increasingly exploit. Medium and large MSPs will now be required to meet the same cybersecurity standards as operators of essential services. The Information Commissioner's Office (ICO) will be the regulator.
Why does this matter to you even if you're not an MSP? Because if you use an outsourced IT provider — and most SMEs do — that provider will be under new legal obligations. Their security practices will directly affect your compliance position and your risk exposure.
Data Centres. From patient records to emails and financial systems, data centres are critical to nearly all economic activity and public services. Medium and large data centres will be classified as essential services and brought under regulatory oversight. Ofcom will be the regulator.
Critical Suppliers. In June 2024, a supplier of pathology services to the NHS was the victim of a cyber attack which caused over 11,000 postponed appointments and procedures, and, tragically, contributed to the death of a patient. That attack was a wake-up call. Regulators will now be able to designate critical suppliers — single organisations whose failure could cascade across essential services — and bring them directly into scope of the regulations.
The message is clear: your supply chain is now part of your regulatory risk.
---
### 2. Incident reporting gets faster and broader
Under the current rules, organisations only have to report a cyber incident to their regulator if it has already caused significant disruption to services. That's too late.
The Bill's reforms mean more forms of harmful cyber breaches will need to be reported to regulators where they have the potential to cause significant impacts, with initial notification within 24 hours and a fuller report within 72 hours. The NCSC will be informed at the same time.
The 24-hour initial notification window is significant. It's the same standard used in GDPR for personal data breaches — and for good reason. Rapid reporting allows regulators and the NCSC to contain incidents before they spread across interconnected systems.
For businesses in scope, this means your incident response procedures need to be ready — not built after something goes wrong.
---
### 3. The government gets more powers to act quickly
One of the limitations of the existing legislation is that updating it requires a full Act of Parliament — a slow, cumbersome process that can't keep pace with a fast-moving threat environment.
The government will be more agile and responsive to evolving cyber threats with powers to make changes to the regime in secondary legislation, such as bringing more sectors into scope, or updating and introducing new security and resilience requirements.
In practical terms, this means the government can respond to emerging threats — a new category of attack, a geopolitical development, a newly identified vulnerability — without waiting years for a new law to be drafted and passed. The government will also be able to direct regulators or regulated entities to take targeted and proportionate action in response to imminent threats that risk UK national security.
---
## When does this come into force?
The Bill is being introduced in phases. Some provisions — including the government's new strategic powers and information sharing rules — come into force quickly after Royal Assent. Others, including the expanded scope covering MSPs, data centres, and critical suppliers, will be introduced through secondary legislation with a consultation period planned for 2026.
The government has committed to giving businesses an adjustment period before new duties kick in. But given that consultation and drafting of secondary legislation take time, organisations that are likely to fall in scope should be preparing now — not waiting for a letter from a regulator.
---
## What does this mean for your business specifically?
Here's the honest picture for most UK SMEs.
You are probably not directly in scope of the new Bill — at least not immediately. The regulations are primarily aimed at operators of essential services and the digital infrastructure that supports them. If you run an accountancy practice, a logistics company, a law firm, or a professional services business, you are unlikely to be named in the initial legislation.
But your supply chain almost certainly is. If your IT is managed by an outsourced provider — and the majority of UK SMEs rely on one — that provider may be coming into scope as a regulated managed service provider. That changes the questions you should be asking them about their security practices, their incident response procedures, and their contractual obligations to you. A security failure at your IT provider is now your problem too, whether the law applies to you directly or not.
And the direction of travel is clear. The government has explicitly built in powers to expand the scope of the regulations over time — without needing a full Act of Parliament. Sectors currently exempt could be brought in through secondary legislation relatively quickly. The NCSC's own guidance already points businesses of all sizes towards the Cyber Essentials baseline as a minimum standard, and that expectation is only going to harden.
The Bill is also a strong signal about what larger organisations and public sector clients will start demanding from their suppliers. If you win contracts with regulated businesses, local authorities, NHS bodies, or central government, cybersecurity accreditation — particularly Cyber Essentials — is increasingly being written into procurement requirements as a baseline condition. If you can't demonstrate it, you may find yourself locked out of opportunities you'd otherwise win on merit.
---
## The three things you should do now
1. Audit your supply chain.
Understand which third parties have access to your systems, your data, or your network. Ask your IT provider whether they expect to fall in scope of the new MSP regulations, and what they are doing to prepare. If they can't answer the question, that itself is useful information.
2. Review your incident response process.
Do you have a documented procedure for responding to a cyber incident? Do you know who to call, what to report, and within what timeframe? Even if you're not directly regulated, the 24-hour / 72-hour reporting standard is a useful benchmark for what good looks like.
3. Get your foundations right.
Cyber Essentials certification covers the five basic controls that the NCSC says would prevent the majority of common cyber attacks. It's affordable, it's increasingly expected by clients and insurers, and it demonstrates a baseline level of security maturity. If you haven't achieved it yet, now is a good time to start.
---
## How Prestige Cyberguard can help
Navigating new legislation is exactly the kind of thing that gets deprioritised when you're running a business. We help UK SMEs cut through the noise — understanding which regulations apply to them, what they need to do, and how to get there without unnecessary complexity or cost.
Whether you're working towards Cyber Essentials, trying to understand your supply chain risk, or simply want a plain-English conversation about what the Cyber Security and Resilience Bill means for your organisation, we're here to help.
Book a free 30-minute discovery call today.
[hello@prestigecyberguard.co.uk](mailto:hello@prestigecyberguard.co.uk)
---
Source: [Summary of the Cyber Security and Resilience (Network and Information Systems) Bill](https://www.gov.uk/government/publications/cyber-security-and-resilience-network-and-information-systems-bill-factsheets/summary-of-the-bill), Department for Science, Innovation and Technology, updated March 2026.