Intech Group

The Cyber Security and Resilience Bill: What It Means for Your Business

The Cyber Security and Resilience Bill is making its way through Parliament. Even if your business is not directly in scope, your larger clients will soon expect you to prove your cybersecurity is up to standard.

Mat Stocks
14 March 2026 | 4 min read

There is a new cybersecurity law coming. The Cyber Security and Resilience Bill is currently going through Parliament and is expected to receive Royal Assent later this year. It will be the most significant change to UK cyber regulation since the NIS Regulations came into force in 2018.

If you run a small or medium-sized business, you might assume this does not apply to you. In some cases, that is technically correct. But the practical reality is quite different.

The short version: Even if your business is not directly regulated, your larger clients will use this Bill as the benchmark for what they expect from their suppliers. If you cannot demonstrate basic cybersecurity, you risk losing contracts.


What the Bill actually does

The Cyber Security and Resilience Bill expands the scope of who must comply with cybersecurity regulations in the UK. Currently, only operators of essential services (energy, water, transport, health) and some digital service providers are covered. The Bill adds two important new categories:

  • Managed service providers - IT companies that manage systems, networks or infrastructure on behalf of other businesses. Around 900 to 1,100 providers are expected to fall into scope.
  • Designated critical suppliers - any business whose products or services are so critical that their disruption could significantly affect an essential service.

These organisations will need to register with the regulator, report significant cyber incidents within 24 hours, and take proportionate measures to manage cybersecurity risk.


Why this matters even if you are not in scope

The Bill creates a ripple effect through the supply chain. Regulated organisations - and the larger businesses that work with them - will be required to assess and manage cyber risk across their suppliers. That means you.

In practice, this looks like:

  • More security questionnaires before you win or renew contracts
  • Minimum cybersecurity standards written into commercial agreements
  • Evidence of certification such as Cyber Essentials becoming a prerequisite, not a nice-to-have
  • Incident reporting expectations flowing down from your clients to you

If a regulated business cannot demonstrate that its supply chain is secure, it is the one that faces enforcement action. That gives them every reason to be demanding.


What you should do now

You do not need to wait for the Bill to become law. The direction of travel is clear, and most of these steps are good practice regardless.

1. Get Cyber Essentials certified. This is the UK government-backed scheme that demonstrates you have the basics covered. It is increasingly expected by public sector and larger private sector clients. If you already have it, consider moving to Cyber Essentials Plus.

2. Review your contracts. Check whether your existing agreements include cybersecurity obligations. Understand what your clients may start asking for at renewal.

3. Enable multi-factor authentication everywhere. If you have not done this already, it should be your first priority. It is the single most effective step against account compromise.

4. Assign responsibility. Someone in your leadership team needs to own cybersecurity. It does not need to be a full-time role, but it cannot be nobody’s job.

5. Have an incident response plan. If something goes wrong, you need to know who does what. A one-page plan that everyone has seen is better than a 50-page document gathering dust.

6. Keep systems patched and backed up. Basic hygiene, but the statistics show that most breaches still exploit known vulnerabilities and missing backups.

Key takeaway: The Bill does not require expensive enterprise-grade tools. It expects proportionate, reasonable security measures. For most SMEs, that means getting the fundamentals right and being able to prove it.


The timeline

The Bill completed its committee stage in the House of Commons in February 2026 and is now heading for Report Stage and Third Reading before moving to the House of Lords. Royal Assent is expected in late 2026, with implementation phased through 2026 and 2027.

That gives you time to prepare, but not time to ignore it. Businesses that act now will be in a stronger position when their clients start asking questions - and they will.


Where Intech fits in

We help businesses across the UK get their cybersecurity fundamentals right - from Cyber Essentials certification through to managed detection and response. If the new Bill has you wondering where you stand, we can help you find out.

Not sure where your business stands? We can run a no-obligation security review and help you get ahead of the new requirements.


Topics

Cyber Security and Resilience Bill, compliance, supply chain security, Cyber Essentials, UK regulation
