UK Cyber Security and Resilience Bill: CNI's New Rulebook

On the 12th of November, the UK Government introduced the Cyber Security and Resilience (Network and Information Systems) Bill to Parliament. For many in the security industry, this was a long-awaited update to the NIS Regulations of 2018. But if you view this merely as a “refresh” of existing paperwork, you are missing the signal amongst the noise.

This Bill represents a fundamental shift in how the UK views the cybersecurity of its Critical National Infrastructure (CNI). It acknowledges a hard truth that we in the sector have known for years: our digital supply chains are soft underbellies, and legacy Operational Technology (OT) environments often lack the visibility required to detect modern threats.

As we move from the first reading into the legislative process, the intent is clear. The era of “self-regulation” in the supply chain is ending. For CNI operators—whether you run a public safety radio network, a utilities grid, or a transport hub—the perimeter has effectively expanded, and the clock on incident reporting has sped up significantly.

Here is what you need to know about the major changes and crucially, what you need to do about them.

The Bill is designed to close the gaps left open by the original NIS Regulations, specifically targeting the complex web of third-party dependencies that modern infrastructure relies upon.

1. Scope Expansion (The “No Hiding Place” Rule)
   The regulatory net has been cast wider. It now explicitly includes Managed Service Providers (MSPs), data centres, and “load controllers” (such as those managing Electric Vehicle (EV) charging networks). If you outsource the management of your IT or OT networks, your provider is likely now a regulated entity with its own statutory duties.
2. Critical Supplier Designation
   This is perhaps the most significant change for CNI. Regulators will gain the power to designate specific third parties as “Critical Suppliers”. This means if a specific vendor’s software or hardware is essential to the safety of your operation, that vendor can be directly regulated, regardless of where they are headquartered. You can no longer simply point the finger at a supplier when things go wrong; the government is now looking directly at them, too.
3. The 24-Hour Stopwatch
   The reporting timelines are being tightened to align more closely with EU standards, such as NIS2. The Bill introduces a two-stage reporting requirement: an initial notification within 24 hours of becoming aware of an incident (or even a “near miss” with significant potential impact), followed by a full report within 72 hours.

The Challenge: In a standard IT environment, a Security Information and Event Management (SIEM) tool might flag this instantly. In an OT environment, like a radio network, “awareness” can be slower without the right sensors. If you don’t know you’ve been breached for two days, you are already non-compliant.

4. Penalties with Teeth
   The cost of failure has escalated. We are moving away from fixed caps to a turnover-based model. Serious breaches can incur fines of up to £17 million or 4% of global turnover, whichever is higher. This moves cyber resilience from an IT operational expense to a board-level financial risk.
5. Powers of Direction
   In extreme cases involving national security, the government will have the power to direct organisations to take specific actions—such as isolating a compromised system to prevent spread. This implies you need the technical capability to actually do that without collapsing your entire operation.

For the CISO managing a corporate network, these changes are manageable with standard tools. But for the operational leads managing LMR (Land Mobile Radio) or industrial control systems, the implications are profound. We frequently see a “visibility gap” in CNI. We have rigorous monitoring on the enterprise IT side, but the operational side—the voice networks, the SCADA systems—often runs on trust. Under the new Bill, that trust is insufficient.

If a threat actor pivots from a compromised MSP into your radio network, and you lack the log ingestion to see that lateral movement, you cannot meet the 24-hour reporting threshold. You are flying blind in a storm.

We cannot wait for Royal Assent to start preparing. The direction of travel is set. Here is where you should focus your energy:

1. Map Your Supply Chain Dependencies: You need to know exactly which third-party suppliers are mission-critical. If your radio network relies on a specific MSP for patching or backhaul, identify them. Are they prepared for these regulations?
2. Audit Your Contracts: Review agreements with your MSPs. Do their incident reporting SLAs align with your new statutory 24-hour obligation? If they report to you in 48 hours, they have already made you non-compliant.
3. Bridge the Visibility Gap: You must stop treating OT and IT as separate security fiefdoms. Ingest logs from your mission-critical networks (LMR, SCADA) into a centralised security monitoring platform. You cannot report what you cannot see.
4. Test Your “Break Glass” Procedures: If the Secretary of State ordered you to isolate a segment of your network tomorrow, could you do it? Test your incident response playbooks for physical and logical isolation.

The Cyber Security and Resilience Bill is not just about compliance; it is about assuring the continuity of the services that keep society functioning. It removes the luxury of obscurity for third-party suppliers and demands a level of real-time awareness that many legacy environments currently lack.

The time to engineer that visibility is now. Do not wait for the fine to justify the budget.