The UK Government has just released its policy statement for the long-awaited Cyber Security and Resilience Bill, marking the most significant overhaul of the UK’s cyber regulations since the introduction of the NIS Regulations in 2018.
Announced in the King’s Speech last July, the Bill arrives in response to a rapidly escalating cyber threat landscape, with the aim of strengthening the UK’s digital infrastructure and building national resilience. While it applies broadly to sectors designated as Critical National Infrastructure (CNI), healthcare is front and centre in the Government’s motivation and, as such, the Bill carries important implications for healthcare providers, digital health suppliers, and organisations working with the NHS.
You can read the full policy statement here, but below, we’ve outlined the key measures and, crucially, what they mean for those operating in or alongside the UK healthcare sector.
As the Government notes in its policy statement, “resilience is not improving at the rate necessary to keep pace with the threat.” Few sectors illustrate this more starkly than healthcare.
The Synnovis ransomware attack in 2023, which affected pathology services supporting NHS hospitals in London, led to the postponement of over 10,000 outpatient appointments and more than 1,700 elective procedures. The disruption not only exposed the fragility of digital supply chains but also highlighted the tangible impact of cyber incidents on patient care and public health.
In response, the Cyber Security and Resilience Bill sets out to modernise the UK’s cyber defence framework through four key objectives:
For the healthcare sector, this represents a step change in expectations around supply chain resilience, oversight, and regulatory accountability.
The Bill serves two core objectives:
By addressing outdated regulations, bringing more organisations into scope, and ensuring oversight bodies are adequately empowered, the Bill aims to create a stable, secure foundation for the UK's increasingly digital public services.
For the first time, Managed Service Providers (MSPs) will fall within the scope of cyber regulation under the updated NIS Regulations. This reflects the significant and often privileged access MSPs have to the networks, infrastructure, and sensitive data of the organisations they serve.
This development is particularly relevant for the health and care sector, where MSPs frequently underpin the digital infrastructure of both frontline NHS services and the health tech vendors that support them. Whether directly contracted by NHS bodies or operating in the wider supply chain, MSPs will now be required to meet a set of formal obligations.
These obligations mirror those already placed on relevant digital service providers under the existing NIS framework and the NCSC’s Cyber Assessment Framework (CAF). They include:
Regulatory oversight of MSPs will fall under the Information Commissioner’s Office (ICO), which will now have the authority to monitor, investigate, and enforce compliance within this newly regulated group.
The Bill is also expected to introduce a new mechanism allowing regulators to designate individual organisations as “Critical Suppliers”, including small and medium-sized businesses, if their products or services are deemed essential to the operation of regulated entities.
In practice, this means that a supplier does not need to be a large enterprise to fall within scope. If their systems, software, or services support the delivery of essential services, such as those provided by the NHS, they can be regulated as part of the national cyber resilience framework.
This is a significant development for the healthcare sector, where digital health vendors, infrastructure providers, and specialist solution suppliers often play a foundational role in delivering patient-facing or back-office services.
Once designated, these Critical Suppliers will be required to meet the same baseline obligations as operators of essential services or relevant digital service providers. Regulators will also be empowered to define supply chain security duties for NHS providers and digital health organisations. These may include contractual requirements, due diligence obligations, and risk-based assessments to minimise third-party vulnerabilities.
Under the current NIS Regulations, cyber incidents are only reportable if they cause a direct interruption to the continuity of an essential or digital service. In practice, this threshold has proven too narrow: many serious incidents have gone unreported, limiting regulators’ visibility of emerging threats and delaying appropriate responses.
The Cyber Security and Resilience Bill seeks to address this by significantly broadening the criteria for reportable incidents.
Regulated organisations will be required to report:
Organisations in scope will be expected to:
Organisations within scope and their suppliers will need to have internal processes in place to rapidly identify, triage, and escalate incidents in line with these new obligations.
The regulation will enable the Government to set sector-specific baseline security standards, moving away from rigid, prescriptive controls toward risk-based measures that evolve alongside the threat landscape.
These standards are expected to align with the Cyber Assessment Framework (CAF), already in use across the defence sector and increasingly being adopted within healthcare, where it is now the standard for Category 1 organisations and likely to apply to Category 2 soon. This transition marks a shift from compliance as a formality to a focus on measurable resilience and continuous improvement.
As the scope of regulation expands, the Information Commissioner’s Office (ICO) will take on a more proactive supervisory role, particularly over digital service providers, including Managed Service Providers (MSPs) and critical suppliers.
To support this shift, the regulation will enhance the ICO’s ability to identify emerging cyber risks before they materialise by strengthening its information gathering and investigatory powers.
The ICO will be able to:
The ICO will also be empowered to enforce registration compliance, ensuring that digital service providers within scope are properly identified and regulated.
Regulators will be permitted to recover the cost of enforcement and oversight directly from regulated organisations. Expect fees to follow.
One of the key challenges addressed by the Bill is the speed at which cyber threats evolve, often outpacing the ability of existing legislation to respond. The regulation seeks to grant the Secretary of State the authority to update the regulatory framework without needing to pass new Acts of Parliament. This ensures the Government can swiftly:
This agility will be critical in protecting NHS infrastructure, where the speed of change in both threats and technologies continues to accelerate.
While the core proposed components of the Bill have been set out above, the Government is also considering a number of supplementary measures, which may be introduced through this or future legislation. These include:
While the Cyber Security and Resilience Bill is still at the policy stage, the direction of travel is clear, and healthcare is firmly in scope. If enacted, the Bill would place new and more stringent expectations on healthcare organisations, not only to secure their own systems, but also to manage risk across their supply chains. Here’s what’s likely to lie ahead:
Organisations once considered “too small to regulate” may now fall within scope, particularly if they are designated as critical suppliers or fall under the expanded definition of Managed Service Providers (MSPs). Regardless of size, digital health vendors will need to be prepared to demonstrate security, continuity, and incident response capabilities and to do so under formal regulatory oversight.
With the Cyber Assessment Framework (CAF) replacing DSPT for Category 1 organisations, and likely Category 2 soon, compliance is no longer a static checklist. Healthcare organisations must evidence ongoing security maturity with risk-based controls, staff training, and business continuity planning embedded as standard practice.
Both NHS Trusts and Integrated Care Systems (ICSs) will be expected to carry out more rigorous due diligence on third-party suppliers. This includes assessing the cyber risk posed by partners, requiring assurances, and ensuring that contractual and technical controls are in place to mitigate vulnerabilities across the supply chain.
For suppliers, this means demonstrating your security posture not just internally but to your NHS clients as part of procurement, onboarding, and ongoing assurance.
New regulatory cost recovery mechanisms could mean that organisations may be required to pay fees associated with oversight and enforcement. Both healthcare providers and their suppliers should begin factoring compliance-related costs into forward planning, from dedicated resources to training, tooling, and potential regulator charges.
While still at the policy stage, the intent of the Cyber Security and Resilience Bill is unambiguous: to modernise the UK’s cyber resilience framework, strengthen regulatory oversight, and ensure that essential services, including the NHS, are better protected in the face of an increasingly complex threat landscape.
Naq’s platform and expert support help healthcare providers, digital health innovators and MSPs to ensure they’re not only ready to meet today’s compliance standards, but prepared for what’s coming next.
From supply chain security monitoring and staff training, to incident response planning and support for frameworks like DSPT, DTAC, and ISO 27001, Naq’s platform not only makes compliance manageable, but also ensures cyber security is baked into your business operations.
If you’re looking for guidance on preparing for the proposed changes or want to ensure your organisation stays compliant as security requirements evolve, we’re here to help.