The digital landscape is in a state of constant, hostile evolution, and with it, the nature of cyber threats. In a direct and strategic response to a rapidly shifting cybersecurity environment, governments worldwide are moving to fortify their digital defences, heralding a new era of digital accountability. The United Kingdom has taken a significant step forward with the introduction of the Cyber Security and Resilience Bill, which will amend and modernise the 2018 Network and Information Systems (NIS) Regulations. The existing 2018 regulations have been deemed insufficient to tackle the evolving nature of cyber threats, prompting a legislative overhaul that aims to deliver a "fundamental step change" in the UK's national security.
This legislative update, developed following a 2022 consultation, is set to amend and enhance the original NIS regulation, significantly raising the bar for cybersecurity accountability and resilience for the nation's most critical sectors. For business leaders, IT decision-makers, and compliance officers, understanding the intricacies of these changes will be a strategic imperative. This blog post will provide a detailed analysis of the UK's new cybersecurity framework, its alignment with major international standards, the latest trends shaping the threat landscape, and how CGI's cybersecurity services can empower your organisation to navigate this new regulatory environment with confidence.
The evolving threat landscape: Why a new bill is needed
The Cyber Security and Resilience Bill (CSR Bill) goes beyond routine regulatory updates; it represents a structural shift in how cyber risk is governed across CNI. The Network and Information Systems Regulations 2018 (NIS 2018) were written for a different threat environment, before industrialised ransomware, before AI-enabled attacks at scale, and before supply chain compromise became such a primary attack vector. With the landscape having shifted, the risks have never been higher for regulated organisations.
We have seen ransomware evolving into a scalable business model for organised criminals, with Ransomware-as-a-Service (RaaS) models providing tooling, support, and even infrastructure to affiliates, almost eliminating the barrier to entry. Attacks are faster, more systemic, and more targeted than ever before.
AI has also accelerated our adversaries’ reconnaissance, phishing, malware, and exploitation capabilities, with attack velocities frequently beyond what humans alone can react to. This presents a cascading risk, particularly when combined with reliance on highly trusted third parties, notably managed service providers (MSPs), and other digital infrastructure, which have now become high-value targets themselves.
The CSR Bill is a natural and necessary evolution in the face of these augmented risks.
The UK's CSR Bill: a direct legislative countermeasure
The CSR Bill modernises the UK's cyber regulations, improving our critical services’ maturity and cyber defences. It comes with key provisions designed to create a more defensible and resilient ecosystem for both Information Technology (IT) and Operational Technology (OT) systems.
Expanded scope – securing the ecosystem
The CSR Bill extends beyond traditional “essential service operators” to include MSPs, data centres, key digital infrastructure providers, and designated critical suppliers. This is a welcome shift towards more ecosystem-focused resilience. Regulators will be given the power to further designate high-impact suppliers for more direct oversight, significantly expanding systemic risk management. For organisations relying on MSPs, third-party resilience is increasingly a board-level issue, rather than one confined to procurement.
Incident reporting
While subject to debate through Parliamentary stages, updates to incident reporting requirements are intended to support resilience at both the organisational and national levels. Organisations must notify relevant regulators within 24 hours of becoming aware of a significant incident, then provide a more detailed report within 72 hours. Crucial to this requirement is the expectation of detection maturity, classification capabilities, and robust escalation and incident response pathways. Where organisations can’t confidently identify and assess significant incidents within 24 hours, the issue becomes one of operational readiness. The intent here is clear: accelerate national visibility and reduce systemic contagion risk. We have, however, seen points of contention surrounding the definition of “incident” in the CSR Bill, and how that translates into the reporting obligations for each type of entity. This is likely to be a continuing area of debate as the legislative stages progress through the Commons and Lords.
Security standards
The National Cyber Security Centre (NCSC)’s Cyber Assessment Framework (CAF) is a core underlying framework for the CSR Bill. Security requirements within the bill will be aligned with the CAF, although this is not explicit within the text. The four key CAF objectives remain central: Managing Security Risk; Protecting Against Cyber Attack; Detecting Cyber Events; and Minimising Impact and Recovery Time. Key is the applicability of the framework to both IT and OT environments, given the CNI focus. We see this as a shift of regulatory focus from documentation to demonstrable resilience outcomes. Also notable is the decision not to expressly standardise or prescribe frameworks in the CSR Bill text; we see this as affording organisations flexibility in approach, notwithstanding that the CAF is seen as a key foundation and wayfinder.
Enforcement
Building on the lighter NIS 2018 enforcement regime, the CSR Bill presents materially heavier enforcement powers, with maximum penalties reaching up to £17 million or 10% of global turnover. This echoes GDPR financial exposure. Some debate is ongoing as to how this will be applied: does it include services that aren’t relevant to the incident or enforcement, or does it truly reach globally? This has serious financial implications, which has led multiple interested parties to make submissions to the consultations, working groups, and Committee stages. The definition of “undertaking” relevant to this calculation is (per s49(5) CSR Bill) to be determined by the Secretary of State; this has not yet been done. We do, however, welcome the new cost recovery model allowing regulators to recover enforcement costs from regulated entities, further reinforcing accountability and likely adding “teeth” to the regime.
UK and the EU
The CSR Bill sits adjacent to the European Union’s NIS2 Directive and DORA but isn’t replicating them. They align insofar as driving stronger supply chain obligations, requiring faster incident reporting, increasing enforcement penalties, and adding board-level expectations. However, NIS2 and DORA provide for explicit senior management liability, including potential personal consequences for non-compliance. The CSR Bill, however, deliberately excludes this approach. That said, the absence of explicit liability should not be mistaken for reduced or absent accountability. Regulatory scrutiny of board oversight is only continuing to increase, and governance maturity is expected to be demonstrable. This aligns with our neighbouring jurisdictions.
2026 Priorities
From conversations with clients, several priorities are clear:
1. CAF-Aligned Maturity Assessments
We support clients in establishing clear, evidence-based views of resilience across governance, protection, detection, and response. This is not only mapped to NIS 2018 (as may be amended by the CSR Bill), but to frameworks including ISO 27001, NIST CSF, and DORA.
2. Supply Chain Assurance
MSP and critical supplier exposure is a widespread area of focus. We can support refinement of contractual, administrative, and technical controls, oversight mechanisms, and assurance processes. CGI’s approach includes automated tooling, aligned with similar services delivered for Telecoms Security Act (TSA) compliance.
3. Detection and Reporting Readiness
We support organisations in testing and validating their ability to identify, classify, and escalate incidents rapidly and effectively. Given the 24- and 72-hour reporting requirements prescribed by the CSR Bill, this will be increasingly vital. We’ve seen that tabletop exercises and other simulations are no longer optional.
4. Strategic Governance Review
Board-level governance is vital for cross-organisational effectiveness and maturity. We support clients in ensuring that their cyber risk ownership and accountability, reporting structures, and assurance models are clearly defined, operational, and defensible. This is not just a policy refresh; it’s about delivering measurable and reliable resilience.
Compliance to resilience
The CSR Bill also reflects a broader shift and step forward in regulatory philosophy. Since 2018 it’s been clear that cyber security is no longer to be treated as a technical controls issue; instead it’s an enterprise risk management discipline, with national economic, security, and social implications. The Government has intentionally relied – notwithstanding short-term uncertainty – on secondary legislation, providing for the CSR Bill’s effects to evolve and adapt as threats change. It’s true that the threat landscape moves far more rapidly than the primary legislative process can handle. Organisations should expect the requirements to increase over time; it is hard to find security-conscious sectors that have unwound controls once they were in place. Those who see this merely as a minimum compliance threshold activity are more likely to struggle, while those who see it as a catalyst for transforming resilience will be better positioned, both operationally and reputationally.