Board Briefing: Cyber Governance Insights

From reactive defence to systemic resilience: What the new UK Cyber Security and Resilience Bill means for CISOs

Cyber Security Strategy

Published by Tim Anderson, Chief Commercial Officer, CyberCX UK, on 24 November 2025

After more than 25 years in cyber security, working closely with governments, critical national infrastructure and global enterprises, I have not seen a legislative shift as significant as the Cyber Security and Resilience Bill that was presented to the UK Parliament this month. The Bill represents a transformation in how the UK approaches digital resilience and carries significant implications for CISOs who rely on large ecosystems of suppliers, particularly managed service providers (MSPs) and data centres.

The UK is moving towards a new national model of resilience

The Bill updates and expands the original NIS Regulations from 2018. Those Regulations were written for a very different threat landscape than we see today. Today, national-scale cyber incidents are more likely to start in the supply chain than inside an individual organisation: attackers target providers that have access to multiple downstream customers, and infrastructure outages can cascade across sectors. The Bill acknowledges these realities and strengthens the resilience framework to match them.

For CISOs, the message is clear. Cyber security and operational continuity are now inseparable responsibilities and Boards will be expected to demonstrate not only the strength of their own internal controls, but also the resilience of the suppliers who support their digital operations.

Data centres and MSPs are at the centre of the reform

Two categories of supplier are particularly important in this Bill: data centres and MSPs are being brought within a clearer regulatory perimeter, as both represent single points where systemic risk can accumulate.

Data centres are the physical backbone of the UK’s digital economy, hosting critical applications and national scale digital services. Until now, their resilience standards have been driven by contracts and commercial frameworks rather than any form of statutory oversight. The new Bill changes this by classifying larger facilities as providers of essential digital infrastructure with duties relating to resilience, incident reporting and risk management. 

MSPs have become some of the most attractive targets for cyber attackers because of the privileged access they hold: a single compromise can provide entry into potentially hundreds of customer environments. This was the clear lesson of events such as SolarWinds and Kaseya, and the UK is aligning itself with international regulatory practice by classifying MSPs as operators whose risk management must meet defined standards.

Under the new Bill, MSPs will face obligations relating to: 

For CISOs and cyber security leaders, this will require far greater assurance across the services they buy, from endpoint management to cloud administration and network operations.

A shift from incident prevention towards continuity of service

The Bill is part of a wider trend that moves organisational focus from purely defensive operations to the ability to withstand and recover from disruptive events. The UK’s direction aligns with international thinking that resilience is a shared responsibility across the digital ecosystem. 

Ciaran Martin, UK Chair of CyberCX and founding CEO of the National Cyber Security Centre, highlights this shift in expectations: 

“For CISOs, the significance of the Bill lies in its shift from incident response to systemic resilience. Boards will increasingly be expected to understand their operational dependencies, not just their security controls. The UK is raising the bar. Good cyber security must now include demonstrable resilience across the supply chain, especially in critical infrastructure such as data centres and managed service providers.”

What CISOs need to prioritise now

The Bill is still moving through Parliament, but the direction is clear and preparation needs to begin immediately. The organisations that act early will be in a stronger position when regulatory obligations crystallise.

1. Identify dependencies across both data centres and MSPs

Map which applications, datasets and business services rely on data centres or MSPs that may fall within the Bill’s scope. Many organisations will discover more critical dependencies than they expect.

2. Refresh supplier governance frameworks

Contracts, due diligence questionnaires and risk assessments need updating to reflect the new duties these providers will face. This includes resilience expectations, incident disclosure requirements and evidence of proportionate risk management.

3. Strengthen incident reporting readiness

The Bill will require faster and more detailed reporting of significant incidents and near misses. Ensure processes, escalation paths and data capture mechanisms are in place.

4. Elevate digital infrastructure resilience in board reporting

Boards will expect clear, factual explanations of organisational dependencies on MSPs and data centres, along with evidence that risks are being governed and managed at the appropriate level.

5. Prepare for dual assurance

Both your organisation and your providers will have duties under the Bill. Regulators will expect both parties to be able to provide evidence of compliance and collaboration.

The beginning of a new era in supplier resilience

The Cyber Security and Resilience Bill is not just a regulatory update. It is a recognition that the UK’s digital resilience depends on shared accountability across the entire supply chain. Data centres and MSPs sit at the heart of that chain. Their inclusion in the regulatory framework is one of the most important developments in UK cyber security in recent years. 

For cyber security leaders, this is an opportunity to modernise third party oversight, strengthen organisational resilience and build confidence at board level. Those who act early will not only satisfy regulatory expectations, but will also be better prepared for the real-world resilience challenges that lie ahead. 
