UK Cyber Security and Resilience Bill — SME compliance guide 2026


The most significant UK cyber-security legislation in over a decade is moving through Parliament — and the supply-chain ripple effects are already landing in SME contracts. Here’s what’s coming, who it touches, and the five things to do about it now.

If you supply, support, or sell into a regulated UK business — a hospital, a utility, a bank, an MSP, a data centre, or any of their direct suppliers — you have probably already noticed it. The security questions in tenders are getting longer. Renewals are now requiring a Cyber Essentials certificate. New contracts are appearing with 24-hour breach-notification clauses and audit rights you would not have seen two years ago.

That is not a coincidence. It is the early ripple of the Cyber Security and Resilience Bill — the CSRB — as it works its way through Parliament. The Bill is the biggest update to UK cyber-security law in over a decade. Although it is technically aimed at a specific list of regulated organisations, the practical consequences fan out across the entire UK SME population.

Here is the plain-English version of what is happening, and what to do about it.


What the CSRB actually is

The CSRB updates the Network and Information Systems Regulations 2018 — the existing UK rules for cybersecurity in critical sectors — and aligns them broadly with the EU’s NIS2 Directive. It was introduced to the House of Commons in November 2025 and is currently under active Parliamentary scrutiny, with Royal Assent expected in the 2026-27 session.

The Bill does five things in particular:

  • Widens the regulated population. Medium and large managed service providers, certain data centres, and a wider set of digital services are brought into scope for the first time.
  • Tightens the security requirements. In-scope organisations must implement appropriate technical and organisational measures, with a much clearer expectation of what “appropriate” means.
  • Shrinks the reporting window. It introduces a two-stage incident-reporting duty: an initial notification within 24 hours of a significant incident, and a full report within 72 hours.
  • Increases regulator powers: sharper inspection, information-gathering, and financial penalty powers.
  • Pushes security obligations down the supply chain. Regulated entities must manage the security risks posed by their suppliers, which is where the real impact on SMEs begins.

The 24/72-hour reporting duty

The new reporting timeline is the most operationally demanding element of the Bill. Once an in-scope organisation has a reasonable suspicion of a significant cyber incident, the clock starts. An initial notification must be sent to the regulator and the National Cyber Security Centre within 24 hours, and a full report must follow within 72 hours. After the full report, the affected organisation must identify and notify any UK customers materially affected by the incident.

There is no realistic way to meet a 24-hour deadline if your organisation does not already know who declares an incident, who leads the response, who talks to the regulator, and who is authorised to send the initial notification. Those decisions cannot be made for the first time mid-incident.

“If the only time your incident-response plan ever leaves the drawer is during the incident itself, you do not have a plan — you have a document.”


The supply-chain cascade — and why MSPs are central to it

This is the part of the CSRB that most SMEs miss. The Bill does not just regulate a defined list of organisations; it requires those organisations to manage the cybersecurity risk presented by their suppliers. In practice, that means new contractual security clauses, supplier questionnaires, certification requirements, and audit rights flowing downstream from regulated entities to their suppliers — and from those suppliers to their suppliers.

Managed service providers sit at the centre of this cascade. Most UK SMEs depend on an MSP for some or all of their IT and security. Under the CSRB, medium- and large-sized MSPs will be directly regulated and overseen by the Information Commissioner. That changes the relationship between MSP and client in two ways. First, the MSP itself has new obligations — and the better ones are already moving to meet them. Second, the MSP’s downstream clients inherit some of that pressure: an MSP delivering security services to a regulated entity will need to evidence the controls being applied to that environment, and will increasingly want to standardise on a baseline of controls across its client base to do so.

If you supply a regulated business directly — even occasionally — you should expect CSRB-aligned requirements to appear in your contracts and tenders well before the Bill receives Royal Assent. Larger customers are not waiting; they are aligning their procurement requirements now.

Want the full picture? We’ve produced a comprehensive 27-page white paper for UK SMEs: Preparing for the Cyber Security & Resilience Bill. It covers direct, indirect, and cascading scope; the full text of the obligations; a 12-step readiness framework; a 20-question self-assessment; and a phased 90-day, 6-month, 12-month roadmap.

Download the white paper


Five things UK SMEs should do now

None of these requires waiting for the Bill to become law. All of them improve real-world security regardless of regulation, and all of them set the business up to respond credibly when the first CSRB-driven request from a customer arrives — which, for many SMEs, will be in the next twelve months.

  1. Achieve or refresh Cyber Essentials. This is the UK’s baseline scheme, and it is increasingly a hard floor for procurement. The Government’s April 2026 open letter to UK businesses explicitly called for organisations to certify to or align with Cyber Essentials and embed it across their supply chains. If you do not currently hold a certificate — or if yours has lapsed — this is the single highest-impact move available right now.
  2. Enforce MFA universally and turn off legacy authentication. Multi-factor authentication on every account, every application, every time — including admin accounts and service accounts. Disable legacy authentication protocols at the tenant level. This block of work prevents the overwhelming majority of credential-based intrusions, costs little, and is one of the first controls any CSRB-aligned procurement question will probe. See our Microsoft 365 Security page for the controls we deploy as standard.
  3. Document a real incident-response plan. Who declares an incident? Who leads the response? Who is authorised to communicate with the regulator? Who notifies customers? Where are the contact details kept? What does the first hour look like? The plan does not need to be elaborate — it needs to be specific, written down, accessible offline, and read by the people named in it.
  4. Build a basic supplier-risk register. List your suppliers, tier them by criticality (which ones have access to your data, your systems, your customers?), and document the most recent assurance you have for each. This is the foundation of any conversation about supply-chain security — yours, or your customers’.
  5. Map your top ten customers against the direct or indirect CSRB scope. Are any of them likely to be directly regulated under the CSRB? Do any of them supply someone who is? If two or more answers are yes, you are in the supply-chain cascade. The work to prepare is the same regardless of how soon the first request lands; only the deadline differs.
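Step 2 above is the one most SMEs can verify today. The following read-only audit, added here as an example rather than taken from the article or from System Force IT, checks a Microsoft 365 tenant for an enabled Conditional Access policy that blocks legacy authentication for all users. It assumes the Microsoft.Graph PowerShell module is installed and that the account used has the Policy.Read.All permission.

```powershell
# Added example: audit a Microsoft 365 tenant for an enforced Conditional Access
# policy blocking legacy (basic) authentication. Read-only: it changes nothing.
# Assumes Microsoft.Graph module is installed and the caller holds Policy.Read.All.
Connect-MgGraph -Scopes 'Policy.Read.All'

# Legacy authentication appears in Conditional Access as these two client app types.
$legacyClientTypes = @('exchangeActiveSync', 'other')

$policies = Get-MgIdentityConditionalAccessPolicy -All

$blocking = foreach ($p in $policies) {
    # Report-only and disabled policies do not enforce anything.
    if ($p.State -ne 'enabled') { continue }

    $targets      = @($p.Conditions.ClientAppTypes)
    $coversLegacy = ($legacyClientTypes | Where-Object { $targets -contains $_ }).Count -eq $legacyClientTypes.Count
    $blocksAccess = @($p.GrantControls.BuiltInControls) -contains 'block'
    $allUsers     = @($p.Conditions.Users.IncludeUsers) -contains 'All'

    if ($coversLegacy -and $blocksAccess) {
        [pscustomobject]@{
            Policy        = $p.DisplayName
            AllUsers      = $allUsers
            ExcludedUsers = @($p.Conditions.Users.ExcludeUsers).Count
        }
    }
}

if (-not $blocking) {
    Write-Warning 'No enabled Conditional Access policy blocks legacy authentication.'
    Write-Warning 'Clients using POP, IMAP, SMTP AUTH or ActiveSync basic auth can still bypass MFA.'
} else {
    $blocking | Format-Table -AutoSize
    # A policy scoped to a subset of users, or carrying exclusions, leaves a gap.
    $partial = $blocking | Where-Object { -not $_.AllUsers -or $_.ExcludedUsers -gt 0 }
    if ($partial) {
        Write-Warning 'At least one blocking policy is not applied to all users or has exclusions; review them.'
    } else {
        Write-Host 'Legacy authentication is blocked for all users by an enforced policy.'
    }
}
```

Exchange Online also has its own authentication-policy settings for basic auth; this script only inspects Conditional Access, so check both before answering a procurement questionnaire.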

The bottom line

The CSRB is going to land. The supply-chain pressure is already landing. The businesses that begin preparing now will be the ones still winning regulated contracts in 2027; the businesses that defer it will eventually be required to do the same work, on a worse timeline, under more pressure, and at higher cost.

Cybersecurity has graduated from an IT topic to a board-level operational topic in the UK, indistinguishable in importance from financial controls or data protection. The CSRB is the regulatory acknowledgement of that shift. Treating it as a strategic shift rather than a compliance project is the move that separates the businesses that come out ahead from the businesses that just barely keep up. For organisations whose cyber security posture is already structured around recognised frameworks like Cyber Essentials and ISO 27001, the CSRB is largely confirmation of work already done.

“The businesses that take this seriously now will not be the ones in the news in three years.”

Get the full guide — and a clearer view of where you stand

Our white paper, Preparing for the Cyber Security & Resilience Bill: A Practical Guide for UK SMEs and Their Suppliers, sets out the legislation in plain English, the 12-Step Readiness Framework, a 20-question self-assessment, and a 12-month implementation roadmap.

It is free to download — a quick form-fill is required so we can keep you informed as the Bill progresses through Parliament.

Download the white paper

Or call us directly: 01452 701355. We are based in Gloucestershire and work with UK SMEs across professional services, manufacturing, healthcare, financial services, and digital sectors.


About System Force IT

System Force IT is a managed IT and cybersecurity provider based in Gloucestershire, serving UK SMEs across regulated and high-trust sectors. We specialise in Microsoft 365 security, Cyber Essentials, ISO 27001 alignment, and incident response readiness for businesses where IT is operationally critical — not a commodity overhead. UKAS-accredited ISO/IEC 27001:2022 certified · Microsoft Solutions Partner · Cyber Essentials practitioners.
