What is happening
The Cyber Security and Resilience (Network and Information Systems) Bill was introduced to Parliament in November 2025 and has since cleared the House of Commons, moving to the House of Lords in mid-2026, with Royal Assent expected later in the year. It is the most significant update to UK cyber regulation since the NIS Regulations of 2018.
The reform explicitly widens scope to bring managed service providers, data centres and critical digital suppliers into the regulated net — and it places new duties on regulated organisations to manage cyber risk across their supply chains.
Why it matters even if you are not "in scope"
This is the part most business owners miss. The supply-chain provisions mean that regulated organisations will be required to take reasonable, proportionate steps to ensure their suppliers do not introduce vulnerabilities. In practice, that pushes obligations downstream through contracts.
If you supply, integrate with, or hold data for an organisation that is in scope, you can expect to be asked to demonstrate a certain standard of security — through contractual commitments, evidence of controls, incident-reporting arrangements and business-continuity plans. Organisations that cannot show mature third-party risk management risk losing bids or facing remediation costs.
In short: a large number of businesses that will never appear on a regulator's list will still feel the effect, because their customers will require it of them to keep winning work.
The other pressures stacking up
- Rising threat volume. The NCSC's 2025 Annual Review reported a sharp increase in significant cyber incidents, and government estimates put the annual cost of cybercrime to the UK economy in the billions.
- Board-level expectation. In late 2025 the government wrote directly to the UK's largest businesses stressing that cyber oversight is a board responsibility, and pointing to the NCSC Cyber Assessment Framework and Cyber Governance Code of Practice.
- Tighter reporting windows. The Bill is expected to introduce significantly shorter mandatory incident-reporting timeframes, which many organisations are not currently set up to meet.
The capabilities that answer this
The Bill turns "good security practice" into a procurement checklist your customers will hold you to. In practice, meeting it means putting specific managed capabilities in place rather than buying tools piecemeal:
- A 24/7 Security Operations Centre (SOC) with Managed Detection & Response (MDR): the monitoring and rapid triage that the tightened reporting windows effectively require. Most organisations cannot staff this in-house — it is bought as a managed service.
- Endpoint and network detection & response (EDR / NDR): the visibility to detect an incident early enough to report it inside the mandated window.
- vCISO advisory and compliance readiness: senior security leadership on a fractional basis to run the NCSC Cyber Assessment Framework gap analysis, own the governance narrative, and produce the evidence your regulated customers demand.
- Incident response & remediation: a tested plan and a team on call, aligned to the reporting timeframes.
What to do now
The Bill will phase in over time, but the sensible preparation does not depend on the final commencement date:
- Scope check. Establish whether you — or a meaningful share of your customers — are likely to be in scope.
- Baseline your controls. A vCISO-led gap analysis against the NCSC Cyber Assessment Framework, or certification such as Cyber Essentials / Cyber Essentials Plus, gives you a defensible position.
- Stand up detection & response. A managed SOC / MDR service is where most organisations have the biggest gap and the least in-house capacity.
- Review supplier contracts. Both the ones you sign and the ones you ask others to sign.
How we help
Open Way Technologies is an independent advisory. We assess where your organisation stands against the frameworks that will underpin the new regime, and match you with the right managed SOC / MDR and vCISO provider from a vetted network — at no cost to you. We are not tied to any single vendor, so the recommendation is driven by what fits your risk profile and sector.
This article is general information, not legal advice. For a view on whether your organisation is in scope, take specialist advice.