The UK's cyber regulation is being overhauled. The Cyber Security and Resilience Bill — currently moving through Parliament, with Royal Assent expected during 2026 — is the most significant update to the country's cross-sector cyber framework since 2018. It widens the rules to cover more of the economy, strengthens incident reporting, and increases enforcement powers and potential fines.

Why this matters to you

Notably, the Bill brings medium and large managed service providers, data centres and parts of critical supply chains directly into scope for the first time. The NCSC has also reported a sustained rise in serious incidents. Even businesses that aren't directly regulated may feel the effects through their suppliers and contracts.

What to do now

  1. Check whether you — or your key suppliers — are likely to fall within the expanded scope.
  2. Prepare early using existing resources: Cyber Essentials, the NCSC Cyber Assessment Framework, and the Cyber Governance Code of Practice.
  3. Tighten incident reporting and response so you can meet faster notification expectations.
  4. Treat this alongside your wider obligations (UK GDPR, sector rules) rather than in isolation.

As an MSP, we're preparing for these changes ourselves and can help you get ahead of them. (This is general information, not legal advice.) Get in touch.

Source: Regulatory Outlook May 2026: Cyber security — Osborne Clarke