The cyber security and resilience bill: Practical steps to prepare your business

The cyber security and resilience bill: Practical steps to prepare your business

The cyber security and resilience bill: Practical steps to prepare your business

https://www.openaccessgovernment.org/the-cyber-security-and-resilience-bill-practical-steps-to-prepare-your-business/211211/

Publish Date: 2026-07-06 11:05:00

Source Domain: www.openaccessgovernment.org

Author:

Using an unordered list, summarize the following article with between 4 and 8 key points.
Image: © Alexander Sikov | iStock
Andrew Ingram, Director of High Tide Group, discusses the implications of the new Cyber Security and Resilience Bill for organisations of all sizes and outlines practical steps to take as cyber security transitions from good advice to legal obligation
As I write, the Cyber Security and Resilience Bill is completing its passage through the House of Commons, having reached its report stage and third reading this June. It is the most significant overhaul of the UK’s cyber security law since 2018, and it deserves the attention of every organisation, not just the large ones it appears to target. In my first two pieces I touched on the direction of travel; here I want to set out what the Bill actually changes, and the practical steps you can take now.
What the Cyber Security and Resilience Bill changes
The Bill updates the ageing Network and Information Systems Regulations of 2018, which were widely felt to have fallen behind the threats we now face. The headline changes are significant. For the first time, managed service providers like us are brought directly into scope, with a duty to register with the regulator and to maintain appropriate, proportionate security. Data centres and cloud platforms are recognised as essential services in their own right. There are stronger expectations around supply chains, faster reporting of serious incidents, and a firmer footing for the National Cyber Security Centre’s Cyber Assessment Framework. In short, the Government is trying to harden the whole digital ecosystem, not just the obvious targets.
Why it reaches smaller organisations
You might read all of that and conclude it has nothing to do with you. That would be a mistake. Even if your organisation is never directly regulated, the new duties on larger bodies – councils, NHS trusts, big corporates – will flow straight down to their suppliers as contract clauses and security questionnaires. We are already seeing the question change from “are you certified?” to “can you prove your suppliers are too?” Cyber Essentials remains the sensible place to start: it isn’t the finish line, but it forces the basics into place and is fast becoming the price of entry for doing business at all.
Business continuity
Continuity and resilience sit at the heart of the Bill, and this is the area I’m asked about most. The most useful exercise costs nothing: sit your team down and ask what you would actually do if every screen in the building went dark tomorrow morning. Is your IT provider’s number saved only in the system you can no longer reach? Does anyone have the authority to declare an incident and start the plan? A good plan is short, printed, and known to more than one person. Helen, our CFO, leads on continuity for us, and that’s deliberate: it’s a business risk, not a server problem, and it shouldn’t live solely with the IT department.
Backups, and the reporting clock
Backups alone are not resilience. Modern ransomware can sit quietly in a network for weeks, even months, before it triggers, which means the backups you’ve been dutifully taking may already carry the infection. Keep at least one copy isolated, so it can’t be encrypted along with everything else, and test your restores – a backup you have never recovered from is a hope, not a safeguard. This matters all the more because the Bill points towards faster reporting of serious incidents, within a day or two rather than a leisurely week. You can only report quickly, and recover with confidence, if you already know what good looks like.
Your people
Faster reporting only works if staff feel able to speak up the moment something looks wrong. We always advocate a no-blame culture: no one should be punished for being honest. The organisations that come through an incident well are almost always the ones where reporting a suspicious email is met with thanks, not a telling-off.
None of this requires a vast budget. The Bill is, in my view, an overdue and welcome step, and the businesses that treat it as a prompt to get the basics right – rather than a box to tick grudgingly – will be the ones still standing when, not if, their turn comes. In the coming months, we’ll look in more detail at what compliance looks like in practice, and how to prepare without breaking the bank.
Please note: This is a commercial profile