
The Cyber Security and Resilience Bill is the UK government’s most significant update to cyber legislation since the original NIS Regulations in 2018. It expands who must meet formal cyber security standards, tightens incident reporting timelines, and for the first time brings managed service providers under direct regulatory oversight. If your business uses an external IT provider or supplies services to larger organisations, this Bill will affect you.
The Bill passed its second reading in January 2026 and has been progressing through committee stage since February. While it primarily targets operators of essential services, data centres and MSPs, the ripple effect on SMEs through supply chain requirements is substantial.
What the Bill Actually Changes
Three things matter most for small and medium-sized businesses.
Managed service providers become regulated. An estimated 900 to 1,100 MSPs will come under direct ICO oversight. They will need to meet defined security standards and report incidents within prescribed timeframes. If your IT is managed externally, your provider will be held to higher standards, and you should be asking them how they are preparing.
Incident reporting gets stricter. Organisations in scope must report cyber incidents to their regulator and to the NCSC within 24 hours of becoming aware. A full report must follow within 72 hours. This replaces the slower, less consistent reporting that existed under the 2018 regulations.
Supply chain scrutiny increases. Regulated organisations will be required to assess and manage cyber risk across their suppliers. SMEs that supply goods or services to larger businesses can expect cyber security clauses in contracts, assurance questionnaires and minimum security standards to become routine.
How This Affects SMEs (Even If You Are Not Directly in Scope)
The Bill does not impose direct obligations on most small businesses. But the indirect effects are real.
Larger clients will start asking whether you hold Cyber Essentials certification, whether you have an incident response plan, and whether your data is properly protected. Businesses that cannot demonstrate reasonable cyber security measures risk losing contracts or being excluded from tender processes altogether.
The government has been clear that SMEs are not expected to invest in enterprise-grade tools. The expectation is proportionate: understand your risks, take reasonable steps to manage them, and be able to show evidence of both. Cyber Essentials, maintained access controls, regular patching and a tested incident response plan go a long way toward meeting that bar.
The Penalties Are Significant
For organisations directly in scope, fines can reach £17 million or 4% of global annual turnover, whichever is higher. For less severe breaches, the cap is £10 million or 2% of turnover. Regulators can also impose daily fines of up to £100,000 for ongoing non-compliance.
SMEs are unlikely to face fines directly under this Bill. But losing a contract because you cannot satisfy a client’s supply chain requirements has a similar financial impact at a smaller scale.
What You Should Do Now
You do not need to wait for the Bill to receive Royal Assent before acting. The direction is clear, and the expectations are already filtering into commercial contracts.
Start with a basic cyber security review. Identify what data your business holds and where it is stored. Check your backups and access controls. Make sure multi-factor authentication is in place across all accounts. Consider whether Cyber Essentials certification would strengthen your position with clients.
If you use a managed IT provider, ask them directly how they are preparing for the new regulatory requirements. A good provider will already be working toward compliance. If they cannot answer that question clearly, it may be worth reviewing the relationship.
How This Connects to Your IT Provider
The Bill specifically names managed service providers as a new regulated category. This means your IT partner will face the same obligations as digital service providers: formal security standards, incident reporting duties and regulatory oversight by the ICO.
For businesses that already work with a proactive managed IT services provider, this should be reassuring. It raises the baseline across the industry and makes it harder for underqualified providers to operate without accountability.
At The Unite Group, we hold ISO 27001 certification and operate as an IASME-accredited Cyber Essentials certification body. We are already aligned with the standards the Bill is designed to enforce. If you want to understand how the Cyber Security and Resilience Bill affects your business or your current IT arrangements, speak to our team about a cyber security review and we will help you identify any gaps.
