What is happening

The Cyber Security and Resilience (Network and Information Systems) Bill was introduced to Parliament in November 2025 and has since cleared the House of Commons, moving to the House of Lords in mid-2026, with Royal Assent expected later in the year. It is the most significant update to UK cyber regulation since the NIS Regulations of 2018.

The reform explicitly widens scope to bring managed service providers, data centres and critical digital suppliers into the regulated net — and it places new duties on regulated organisations to manage cyber risk across their supply chains.

Why it matters even if you are not "in scope"

This is the part most business owners miss. The supply-chain provisions mean that regulated organisations will be required to take reasonable, proportionate steps to ensure their suppliers do not introduce vulnerabilities. In practice, that pushes obligations downstream through contracts.

If you supply, integrate with, or hold data for an organisation that is in scope, you can expect to be asked to demonstrate a certain standard of security — through contractual commitments, evidence of controls, incident-reporting arrangements and business-continuity plans. Organisations that cannot show mature third-party risk management risk losing bids or facing remediation costs.

In short: a large number of businesses that will never appear on a regulator's list will still feel the effect, because their customers will require it of them to keep winning work.

The other pressures stacking up

The capabilities that answer this

The Bill turns "good security practice" into a procurement checklist your customers will hold you to. In practice, meeting it means putting specific managed capabilities in place rather than buying tools piecemeal:

What to do now

The Bill will phase in over time, but the sensible preparation does not depend on the final commencement date:

How we help

Open Way Technologies is an independent advisory. We assess where your organisation stands against the frameworks that will underpin the new regime, and match you with the right managed SOC / MDR and vCISO provider from a vetted network — at no cost to you. We are not tied to any single vendor, so the recommendation is driven by what fits your risk profile and sector.

This article is general information, not legal advice. For a view on whether your organisation is in scope, take specialist advice.