UK CSR Bill: Relevant MSPs and Data Centres Brought Into Scope

The UK Cyber Security and Resilience Bill introduced on 12 November 2025 expands the NIS regime to 900-1,100 managed service providers and large data centres.

Shadab Khan
Security Engineer

The UK Cyber Security and Resilience (Network and Information Systems) Bill was introduced to the House of Commons on 12 November 2025, with second reading scheduled for 6 January 2026. The Bill amends the Network and Information Systems Regulations 2018 — the post-Brexit retained version of NIS1 — rather than transposing NIS2 directly. The substantive effect is similar to NIS2 in two key respects: it expands the regulatory perimeter to include managed service providers and large data centres, and it strengthens supervisory powers and penalty structures. The Bill extends to the whole of the UK and is the most significant overhaul of UK cybersecurity regulation since the original 2018 Regulations.

What does the Bill change in scope?

Three categories of newly-regulated entities are the headline change. First, Relevant Managed Service Providers (RMSPs) — medium and large MSPs that provide ongoing IT support and management to other businesses by connecting to their computer systems. The Information Commissioner's Office (ICO) is designated as the supervisor for RMSPs. The UK government estimates 900 to 1,100 additional MSP entities will fall into scope under the new regime, depending on final definitions in secondary legislation. Second, data centres meeting size thresholds — those with IT capacity of 1MW or more, or 10MW or more for operators serving only their own organisation — are brought into scope under Ofcom supervision. Third, additional categories may be designated through Henry VIII powers in the Bill, including potential future expansion to specific cloud services and intermediate digital service providers.

What is a Relevant Managed Service Provider?

The Bill defines an MSP functionally rather than by reference to specific service types. The core test is provision of an ongoing managed service to a customer that involves connection to the customer's computer systems. This deliberately captures a broad range — IT outsourcing, security operations as a service, cloud management services, application hosting and management, and similar arrangements. A "Relevant" MSP is one that meets the size threshold (the UK has indicated this will track NIS2's headcount-and-turnover model, approximately 50 employees or £10 million turnover, with refinement in secondary legislation) and is not within the narrow exceptions for certain micro or small enterprises. The status applies to an entity providing managed services in the UK regardless of where the entity is established — a US-headquartered MSP serving UK customers is within scope.

# UK CSR Bill scope (as introduced, November 2025)

Existing NIS regulated entities (unchanged from 2018 Regulations)
  -> Operators of essential services (OES) in:
       energy, transport, health, drinking water, digital
       infrastructure subsectors
  -> Relevant digital service providers (RDSPs):
       online marketplaces, online search engines, cloud
       computing services

New: Relevant Managed Service Providers (RMSPs) — ICO supervised
  -> Medium and large MSPs providing ongoing managed IT services
  -> Approximately 900-1,100 additional entities estimated

New: Data centres — Ofcom supervised
  -> Operators with IT capacity 1MW or more (commercial)
  -> Operators with IT capacity 10MW or more (own use only)

Future expansion via secondary legislation
  -> Potential further digital service categories
  -> Designation power for specific named providers

What obligations apply?

The Bill imposes a duty of care obligation on regulated entities that mirrors NIS2 Article 21 in substance. Entities must take appropriate and proportionate technical, operational, and organisational measures to manage the risks posed to the security of the network and information systems they use. The Bill references ten broad areas — closely tracking NIS2 — including risk analysis, incident handling, business continuity, supply chain security, secure development, vulnerability handling, cyber hygiene, training, cryptography, and access control. Secondary legislation under the Bill will provide more detailed expectations per regulated category. RMSPs and data centres will face proportionately calibrated requirements reflecting their distinct operational characteristics.

What is the incident reporting regime?

The Bill requires regulated entities to notify the relevant supervisor of significant incidents. The reporting cadence aligns to NIS2 in substance: a 24-hour early warning, a 72-hour incident notification with available technical detail, and a one-month final report. The reporting endpoints differ by supervisor — Ofcom for data centres, ICO for RMSPs, and the existing sectoral supervisors (Ofgem, ORR, ICO for RDSPs, etc.) for previously-regulated entities. The Bill also empowers the Secretary of State to direct regulated entities to take specific actions following an incident, including remediation steps and customer notifications — a power broader than the equivalent NIS2 regime.

What about penalty structure?

The Bill significantly expands the penalty framework. Current NIS Regulations 2018 cap fines at £17 million for the most serious breaches. The Bill introduces a tiered regime closer in scale to NIS2 and GDPR — penalties scaled by entity turnover, with maximum fines in the order of 4% of global turnover for the most serious breaches, and lower-tier penalties for procedural and lesser substantive violations. The exact ceilings will be confirmed during parliamentary stages and secondary legislation. The Bill also introduces a periodic penalty mechanism allowing supervisors to impose daily fines for continuing non-compliance, similar to the Dutch periodic penalty payment model.

How does this interact with PSTI and the Software Code of Practice?

The UK now has a layered regulatory architecture. The Product Security and Telecommunications Infrastructure (PSTI) Act covers consumer connectable products. The CSR Bill covers operators of essential services, digital service providers, RMSPs, and data centres. The Software Security Code of Practice (voluntary, launched May 2025) addresses software vendors that supply organisations and businesses. The AI Cyber Security Code of Practice addresses AI system providers. An entity may face obligations under more than one of these regimes — a software vendor that also provides managed services to UK customers will face both the Code (voluntary) and the CSR Bill (mandatory). The Bill anticipates this by including coordination provisions between supervisors and by allowing common evidence packs to support multiple obligations.

What about supply chain dependencies?

The Bill carries forward and strengthens the supply chain risk management duty. Regulated entities must consider the cybersecurity of their direct suppliers and service providers, taking into account vulnerabilities specific to each supplier, the overall quality of their products and cybersecurity practices, and the outcomes of any coordinated supply chain risk assessments. The duty is calibrated proportionate to the criticality of services received. The Bill explicitly references the Software Security Code of Practice as a relevant baseline for assessing software supplier security posture — bringing the Code from voluntary to influential-by-reference status without making it mandatory.

What is the timetable?

Second reading on 6 January 2026 begins the substantive parliamentary scrutiny. Committee stage typically follows within weeks of second reading and would run into early Q2 2026. Subject to passage through both Houses without major contention, Royal Assent could be achieved by mid-to-late 2026. Secondary legislation — including the detailed scope criteria for RMSPs and data centres, the supervisor-specific reporting templates, and the proportionate measures expected per category — would follow, with the practical regime expected to commence in late 2026 or early 2027. Entities can prepare against the Bill text now without waiting for the secondary legislation, because the substance of the duty of care is unlikely to shift materially between Bill and final regulations.

What should MSPs and data centre operators do now?

Three steps. First, confirm in-scope status. For MSPs, the test is whether the entity provides ongoing managed services to UK customers and meets the size threshold. For data centres, the IT capacity threshold determines status. Second, gap-assess against the ten technical and organisational measures, prioritising areas where current posture is below typical NIS2 baseline — supply chain risk management and secure development are common gap areas. Third, structure incident response and supervisor engagement processes ahead of commencement; ICO and Ofcom have existing regulatory engagement models that newly-supervised entities will need to integrate with.

How Safeguard Helps

Safeguard provides RMSPs and data centre operators with the evidence base the UK CSR Bill expects: software inventory, SBOM, supplier risk scoring, vulnerability management with reachability validation, and incident workflow aligned to the 24/72-hour/one-month cadence ICO and Ofcom will operate. The platform's policy gates enforce the ten technical and organisational measures inside CI/CD pipelines, so secure development and vulnerability handling become evidenced controls rather than narrative policy statements. For MSPs whose customers face NIS2, DORA, or CRA obligations downstream, Safeguard's TPRM evidence pack supports both the MSP's own CSR Bill compliance and the customer's supply chain due diligence in a single artefact. The platform aligns evidence with the Software Security Code of Practice principles so that MSPs serving public sector customers can demonstrate Code-aligned posture alongside CSR Bill compliance.