
At the heart of this initiative is the upcoming Cyber Security and Resilience Bill, which is expected to be introduced to Parliament later this year. The government’s commitment to fortifying the nation’s defences signals a proactive approach to tackling the ever-growing risks posed by cybercriminals and hostile state actors.
Why this matters
Recent high-profile cyber attacks (like the ransomware incident that disrupted NHS hospitals in London) have exposed critical vulnerabilities across digital infrastructure. These incidents highlight the pressing need for a comprehensive, nation-wide response. The government’s new policy aims to address these gaps by ensuring that both public and private sectors are equipped to prevent, respond to, and recover from cyber threats.
What does the Cyber Security and Resilience Bill mean for SMEs?
The new bill isn’t just a concern for large enterprises; SMEs across the UK will be directly impacted by the changes. The expansion of the Network and Information Systems (NIS) Regulations will require a broader range of businesses (especially those involved in critical supply chains or providing digital services) to implement stronger cybersecurity measures.
Organisations will also be required to report cyber incidents, such as ransomware attacks and data breaches, to the authorities. This will allow the government to respond faster, track trends and offer support during cyber emergencies. In turn, SMEs will need to ensure they are well-prepared for such incidents, implementing security protocols and incident response plans.
Key highlights of the policy
- Broader Coverage Under NIS Regulations
The bill proposes expanding the current NIS Regulations to cover more digital services and supply chains. This change targets overlooked weak spots frequently exploited in cyberattacks, helping to strengthen defences across various sectors.
- More Powers for Regulators
Regulators including the ICO (and sector-specific authorities such as Ofcom, FCA, Ofgem and what may be the new iteration of the NHS) will be granted increased enforcement capabilities and the ability to proactively investigate cybersecurity practices. There’s also a push to allow these agencies to recover costs for oversight work, ensuring they are properly resourced.
- Mandatory Cyber Incident Reporting
Organisations will need to report significant cyber incidents (like ransomware attacks) promptly. This helps the government respond faster and gain a clearer picture of the evolving threat landscape. SMEs, in particular, will need to ensure they understand what constitutes a reportable incident and have the necessary systems in place to comply with the new rules.
Additional measures in the works
- Restrictions on Ransomware Payments
The UK government is considering introducing a ban on ransomware payments by public sector organisations and key infrastructure operators. Businesses are also likely to face stricter rules for reporting ransomware attacks (within 72 hours of an incident), with a full report due within 28 days.
- Cyber Governance Code of Practice
A new code is being developed to guide company leadership on managing cyber risks effectively. This is an essential step for SMEs, as it ensures that cybersecurity becomes a core business priority rather than being relegated to an IT issue.
Why SMEs need to act now
With the potential for increased oversight, compliance costs and penalties for non-compliance, SMEs must take steps to protect themselves against cyber risks. This includes conducting regular security audits, training staff to recognise phishing attacks and investing in secure systems and software.
By staying informed about the new regulations and taking proactive measures, SMEs can protect their businesses from fines, reputational damage and the financial strain of a cyberattack. Importantly, these measures will also allow businesses to demonstrate to customers, regulators and partners that they take cybersecurity seriously, which will become a key differentiator in the marketplace.
Protect your business against emerging cyber threats
As the UK strengthens its cybersecurity regulations, it’s more important than ever for SMEs to stay ahead of the curve. The new Cyber Security and Resilience Bill will have a significant impact on how businesses manage cyber risks and report incidents.
Need help with these changes?
Contact our CDIL team to help you review how this bill will impact your business and make sure you are compliant with the evolving regulations.