The Cyber Security and Resilience Bill: Getting your business ready

Matthew Lloyd Davies, Principal Security Author at Pluralsight, outlines how UK businesses can proactively prepare for the implications and requirements of the forthcoming Cyber Security and Resilience Bill.

As the Cyber Security and Resilience Bill progresses through parliament (it is to be introduced to Parliament later in the 2025-26 legislative session), businesses that act now have a clear opportunity to get ahead. With stricter compliance requirements, steeper fines of up to £100,000 a day and tighter reporting deadlines just around the corner, the regulatory landscape is set for a major shift.

The bill will expand the scope of regulatory oversight, grant the government enhanced enforcement powers, and align the UK’s cyber regulations with the EU’s NIS2 directive. All of this aims to create a more secure digital environment both domestically and on the continent.

Matthew Lloyd Davies

Against a backdrop of rising security threats to modern organisations, particularly supply chain attacks, third-party breaches and vulnerabilities, new regulations are a positive step. They will push businesses to strengthen their cybersecurity defences and reflect a commitment to cybersecurity as a national priority.

However, for businesses to be prepared, their workforce must be ready. That means equipping staff with the skills and knowledge both to meet the new compliance demands and to bolster cybersecurity. Upskilling across technical and non-technical roles will be critical – below I outline why it’s important, and what steps organisations should be taking now to get ready.

Why should businesses care?

Cybercrime is already costing UK businesses. In 2025 alone, 8.58 million cybercrimes were reported by UK businesses, with total losses over the past five years reaching £44bn. The threats of operational disruption, reputational damage and financial loss are a constant risk for many organisations.

The stakes are set to rise even higher with the introduction of new legislation. Non-compliance could result in fines of up to £100,000 per day or 10% of global annual turnover, whichever is higher.

Adding to the complexity, third-party involvement in data breaches has doubled over the last year and is now seen in 30% of all cyberattacks. As a result, beyond public services and utilities, over 1,000 IT service providers and suppliers will soon fall under regulatory scope, requiring companies to assess and ensure the cyber hygiene of their entire supply chain.

Expanded reporting requirements will also raise the bar. Businesses will need to report a broader range of cyber incidents – including ransomware attacks, network breaches and service disruptions – with strict timelines of 24 hours for initial notification and 72 hours for a full report. As it stands, only four in ten businesses report disruptive breaches outside of their organisation, meaning these new rules will place additional strain on already stretched cybersecurity teams. Adapting to these regulations will demand time, resources and operational change – making early preparation essential for avoiding penalties and ensuring readiness.

How to prepare

Despite rising threats, many businesses still lack the necessary talent to respond quickly and effectively to immediate attacks. According to research from the Chartered Management Institute (CMI), just 10% of managers say they have basic cyber knowledge such as using secure passwords and identifying phishing attacks.

Similarly, Pluralsight research reveals that 45% of organisations say they don’t have the right people or skills in place to manage security risks effectively. This isn’t a new issue: cybersecurity has been the number one technical skills gap since 2021.

Investing in cyber training isn’t just about avoiding fines, it’s about building resilience. Upskilling staff across all roles, from board members to front-line employees, helps embed cyber awareness into daily operations and decision-making.

Look at processes and procedures

Most organisations already have a data breach reporting procedure that meets GDPR reporting requirements. However, like NIS2, the bill’s proposed reporting obligations will introduce tighter deadlines and a wider scope of reportable incidents.

To stay compliant, organisations should conduct a thorough security audit to ensure that their procedures are updated to reflect this. In addition, regular rehearsals of cybersecurity incident response – such as red team/blue team exercises – are essential to strengthen readiness and improve response effectiveness under pressure.

Educate key leaders on compliance

Cybersecurity oversight must come from the top. Yet board-level responsibility for cyber has been steadily declining, from 38% in 2021 to just 27% in 2025. This downward trend is at odds with the direction of the new legislation, which places significantly greater accountability on senior leadership.

To meet these expectations, key decision-makers must be fully informed about the regulatory landscape, the organisation’s exposure and their own roles in ensuring cyber resilience. Re-engaging leadership is essential to build a culture of accountability, readiness and proactive risk management.

Review supplier contracts

The bill makes supply chain vigilance a board-level issue. Failure to comply with its two-stage incident reporting can expose organisations financially, so prime contractors need watertight language that obligates third parties to raise the alarm and co-operate with any subsequent investigation. Yet, most UK firms are starting from a low base, with only 14% of businesses formally assessing the cyber-risk posed by their immediate suppliers.

Contracts therefore need to move beyond generic ‘reasonable endeavours’ wording. In practice, that means inserting a mandatory 24/72-hour breach notification clause that extends to all sub-contractors, and mandating evidence of control maturity through certifications such as ISO 27001 or Cyber Essentials Plus.

Contractors should also be required to maintain an up-to-date Software Bill of Materials (SBOM) and clear timelines for applying patches, and businesses should hold the contractual right to carry out annual security audits and forensic investigations at no additional cost.

Together, these measures give regulated organisations meaningful oversight of third-party resilience, along with the documentation regulators are likely to demand after a breach.

Finally, international firms should also align their contract language with the NIS2-style obligations already live in the EU. This ensures that a breach at a single supplier triggers a unified incident response across jurisdictions. Framing these updates as commercial value-adds rather than compliance hurdles often helps reduce pushback and speed up contract execution – particularly with managed service providers, who now sit firmly within the scope of the new rules.

Develop resilience and recovery plans

The bill mandates that businesses develop and maintain comprehensive resilience and recovery plans. These plans should detail how businesses will respond to and recover from cyber incidents, ensuring minimal disruption to operations and swift restoration of services.

Invest in training for all employees

Staff training is the most common preventative measure adopted following a cyber breach in 2025, employed by 32% of businesses. While this is a positive sign, businesses need to be more proactive, giving employees the skills to navigate a cyber breach before one occurs.

IT professionals should keep their security certifications up to date and practise with hands-on training. For example, hands-on labs and sandboxes are vital for gaining real-time experience in identifying and protecting against simulated attacks.

Businesses should not underestimate the importance of non-technical employees having a basic understanding of their role in preventing phishing, social engineering and other cyberthreats. In fact, phishing attacks are the most prevalent and disruptive cyber breach – and these attacks target individuals regardless of their role or seniority. Building a strong first line of defence starts with empowering every employee to spot and stop threats before they escalate.

Final words

The new regulations mark a shift from optional to mandatory when it comes to cybersecurity standards. But they also offer a strategic opportunity. Businesses that invest now will be more resilient, trusted and better positioned to outpace cyberthreats.

Intelligent CISO