The Cyber Security and Resilience Bill – what’s next for SMEs?

The government's Cyber Security and Resilience Bill was announced in April. Here's what your business can do to prepare for what's ahead

On April 1, the UK Government gave a clearer idea of how it plans to strengthen the nation’s online defences and better protect essential services and businesses. Notably, it outlined the scope of the upcoming new Cyber Security and Resilience Bill, offering the first real look at what the legislation will cover ahead of its formal introduction later this year.

For the government, it’s a necessary step to take within the context of a growing wave of threats against the UK’s Critical National Infrastructure (CNI).

Figures from Thales’s 2024 Data Threat Report show that 93 per cent of CNI organisations experienced an increase in cyberattacks during the last year, 42 per cent of which suffered a data breach. Further, according to its latest annual review, the National Cyber Security Centre (NCSC) was involved in 430 incidents, up from 371 in 2023.

These are alarming figures, particularly when considering the widespread impacts that attacks on CNI can have.

Back in May 2024, the payroll data of approximately 270,000 members of Britain’s armed forces were exposed to Chinese hackers following a breach involving a third-party contractor. One month later, a ransomware attack on an NHS supplier led to the postponement of over 10,000 appointments and 1,693 procedures at two hospitals. Further, in September, Transport for London (TfL) was forced to suspend multiple services across London after the details of 5,000 customers were accessed.  

The purpose of the new Cyber Security and Resilience Bill

In outlining the scope of the new Cyber Security and Resilience Bill, the statement from the UK government is clear: with the UK’s digital economy increasingly under attack from cybercriminals and hostile states, impacting essential public services and infrastructure, digital resilience can no longer be optional. It must become a national priority.

The new bill aims to shift the dial in this direction, updating the UK’s legacy frameworks, addressing gaps in the current regulation and ensuring that all relevant entities are brought within scope of the rules.

Crucially, it won’t just apply to critical national infrastructure (CNI) organisations themselves. Indeed, the government has confirmed that 1,000 service providers will fall into the scope of the measures.

This is a logical evolution. In today’s hyperconnected environment, attackers are increasingly focused on first exploiting networks of suppliers and partners. In fact, in all three of the major attacks that took place between May and September 2024, it was third-party partners that were compromised first.

In essence, supply chain breaches have become digital backdoors that threat actors are using to infiltrate CNI. By targeting smaller businesses linked to CNI – many of which have tighter budgets and fewer cybersecurity resources – attackers can exploit the weakest link in the chain to devastating effect.

Recognising this, the government has confirmed that the new bill will aim to harden supply chains and extend protections across critical services, including IT service providers and other essential vendors. Specifically, it said that the bill will:

  • Expand the remit of regulation to protect more digital services and supply chains
  • Empower regulators to ensure essential cyber safety measures are being implemented
  • Mandate increased incident reporting to give the government better data on cyberattacks and improve the understanding of threats

Ensuring proactive alignment with ISO 27001

With the new bill set to bring more entities into scope of the regulatory framework and introduce new requirements, many SMEs will be keen to understand exactly what they need to do to become compliant moving forward.

While the specifics of the bill won’t be confirmed until later in the year, that shouldn’t stop organisations from preparing. The question is, how exactly can firms get ahead without knowing exactly what will be asked of them?

The answer lies in a shift in mindset. Instead of treating compliance as a box-ticking exercise, reacting to new legislation as and when it’s introduced, digital service providers and CNI suppliers should instead think about making proactive and continual improvements to their security and risk management strategies.

Here, following the guidance provided by internationally recognised security standards such as ISO 27001 is a logical place to start. The standard sets out a framework for implementing and managing an information security management system (ISMS), giving firms a proven blueprint to build on rather than having to design their own strategy from the ground up.

While adopting key international standards such as these is likely to help organisations align with the upcoming Cyber Security and Resilience Bill, those that do embrace them will also benefit in several other ways.

In achieving ISO 27001 certification, organisations are able to demonstrate that they are following security best practices, which can in turn build confidence among partners and customers. In addition, those best practices can improve internal alignment by clearly defining overarching objectives and departmental responsibilities – be it for legal, security, governance or technical teams.

In today’s fast-moving regulatory environment, new requirements and demands are continuously emerging, including the upcoming Cyber Security and Resilience Bill. Building a centralised, standards-based strategy can significantly streamline compliance efforts.

As CNI threats continue to grow, and the regulatory landscape continues to tighten, those who proactively embrace best practices from the outset will be much better placed to not only meet compliance deadlines, but sustain stronger, effective foundations for combatting evolving threats.

The requirements of the Cyber Security and Resilience Bill haven’t been confirmed. But the ability of firms to proactively build strategies that achieve compliance by design is clearer than ever.  

Sam Peters is chief product officer of ISMS.online
