April 2, 2025

The Cyber Security and Resilience Bill: A Look at the UK’s New Cyber Framework

Written by
The Naq Team

The UK Government has just released its policy statement for the long-awaited Cyber Security and Resilience Bill, marking the most significant overhaul of the UK’s cyber regulations since the introduction of the NIS Regulations in 2018.

Announced in the King’s Speech last July, the Bill arrives in response to a rapidly escalating cyber threat landscape, with the aim of strengthening the UK’s digital infrastructure and building national resilience. While it applies broadly to sectors designated as Critical National Infrastructure (CNI), healthcare is front and centre in the Government’s motivation and, as such, the Bill carries important implications for healthcare providers, digital health suppliers, and organisations working with the NHS.

You can read the full policy statement here, but below, we’ve outlined the key measures and, crucially, what they mean for those operating in or alongside the UK healthcare sector.

Overview: A Response to Escalating Risk

As the Government notes in its policy statement, “resilience is not improving at the rate necessary to keep pace with the threat.” Few sectors illustrate this more starkly than healthcare.

The Synnovis ransomware attack in 2023, which affected pathology services supporting NHS hospitals in London, led to the postponement of over 10,000 outpatient appointments and more than 1,700 elective procedures. The disruption not only exposed the fragility of digital supply chains but also highlighted the tangible impact of cyber incidents on patient care and public health.

In response, the Cyber Security and Resilience Bill sets out to modernise the UK’s cyber defence framework through four key objectives:

  • Expanding the scope of regulation to include more organisations critical to digital and operational resilience
  • Strengthening regulatory powers to improve oversight, enforcement, and risk mitigation
  • Streamlining incident reporting to enable faster, coordinated responses to cyber threats
  • Enhancing government agility, allowing for more rapid interventions as new risks emerge

For the healthcare sector, this represents a step change in expectations around supply chain resilience, oversight, and regulatory accountability.

The Purpose of the Bill

The Bill serves two core objectives:

  1. Strengthen national security and public resilience by modernising the UK’s cyber defence framework.

  2. Promote economic growth by ensuring the security of the digital infrastructure on which essential services and innovation depend.

By addressing outdated regulations, bringing more organisations into scope, and ensuring oversight bodies are adequately empowered, the Bill aims to create a stable, secure foundation for the UK's increasingly digital public services. 

Key Measures Introduced by the Bill

1. Bringing More Organisations Into Scope

Managed Service Providers (MSPs)

For the first time, Managed Service Providers (MSPs) will fall within the scope of cyber regulation under the updated NIS Regulations. This reflects the significant and often privileged access MSPs have to the networks, infrastructure, and sensitive data of the organisations they serve.

This development is particularly relevant for the health and care sector, where MSPs frequently underpin the digital infrastructure of both frontline NHS services and the health tech vendors that support them. Whether directly contracted by NHS bodies or operating in the wider supply chain, MSPs will now be required to meet a set of formal obligations.

These obligations mirror those already placed on relevant digital service providers under the existing NIS framework and the NCSC’s Cyber Assessment Framework (CAF). They include:

  • Implementing proportionate technical and organisational security measures
  • Ensuring business continuity and incident response planning
  • Providing staff training on cyber and data risks
  • Adhering to enhanced incident handling and reporting requirements

Regulatory oversight of MSPs will fall under the Information Commissioner’s Office (ICO), which will now have the authority to monitor, investigate, and enforce compliance within this newly regulated group.

Critical Suppliers

The Bill is also expected to introduce a new mechanism allowing regulators to designate individual organisations as “Critical Suppliers”, including small and medium-sized businesses, if their products or services are deemed essential to the operation of regulated entities.

In practice, this means that a supplier does not need to be a large enterprise to fall within scope. If their systems, software, or services support the delivery of essential services, such as those provided by the NHS, they can be regulated as part of the national cyber resilience framework.

This is a significant development for the healthcare sector, where digital health vendors, infrastructure providers, and specialist solution suppliers often play a foundational role in delivering patient-facing or back-office services.

Once designated, these Critical Suppliers will be required to meet the same baseline obligations as operators of essential services or relevant digital service providers. Regulators will also be empowered to define supply chain security duties for NHS providers and digital health organisations. These may include contractual requirements, due diligence obligations, and risk-based assessments to minimise third-party vulnerabilities.

2. Empowering Regulators with New Oversight Powers

Expanded Incident Reporting

Under the current NIS Regulations, cyber incidents are only reportable if they cause a direct interruption to the continuity of an essential or digital service. In practice, this threshold has proven too narrow: many serious incidents have gone unreported, limiting regulators’ visibility of emerging threats and delaying appropriate responses.

The Cyber Security and Resilience Bill seeks to address this by significantly broadening the criteria for reportable incidents.

What’s Changing?

Regulated organisations will be required to report:

  • Any incident capable of significantly impacting the provision of an essential or digital service, even if service continuity is not directly disrupted

  • Incidents affecting the confidentiality, availability, or integrity of systems and data, including:
    • Compromises to sensitive health data
    • Spyware or malware infections
    • Attacks using third-party vendors (such as MSPs) as an access point
    • Other security events that degrade trust or functionality

Organisations in scope will be expected to:

  • Notify their regulator and the National Cyber Security Centre (NCSC) within 24 hours of becoming aware of a significant incident
  • Submit a full incident report within 72 hours, detailing impact, response, and mitigation measures
  • Inform affected customers, such as NHS partners or patients, where their data, access or service continuity may have been compromised

Organisations within scope and their suppliers will need to have internal processes in place to rapidly identify, triage, and escalate incidents in line with these new obligations.

Technical and Methodological Standards

The regulation will enable the Government to set sector-specific baseline security standards, moving away from rigid, prescriptive controls toward risk-based measures that evolve alongside the threat landscape.

These standards are expected to align with the Cyber Assessment Framework (CAF), already in use across the defence sector and increasingly being adopted within healthcare, where it is now the standard for Category 1 organisations and likely to apply to Category 2 soon. This transition marks a shift from compliance as a formality to a focus on measurable resilience and continuous improvement.

Want to understand what the CAF means for healthcare? Read our full breakdown here.

ICO Information Gathering Powers

As the scope of regulation expands, the Information Commissioner’s Office (ICO) will take on a more proactive supervisory role, particularly over digital service providers, including Managed Service Providers (MSPs) and critical suppliers.

To support this shift, the regulation will enhance the ICO’s ability to identify emerging cyber risks before they materialise by strengthening its information gathering and investigatory powers.

The ICO will be able to:

  • Request detailed data from regulated entities at the point of registration, including information about their digital infrastructure, services, and cyber risk posture

  • Issue information notices more broadly, giving it the authority to request additional details at any point for the purposes of risk assessment or investigation

  • Access information from third parties, even those outside the regulatory scope, where relevant to understanding risks across the broader digital ecosystem

  • Take pre-emptive action, using the information gathered to identify vulnerabilities, prioritise oversight, and support early intervention—rather than acting only after an incident has occurred

The ICO will also be empowered to enforce registration compliance, ensuring that digital service providers within scope are properly identified and regulated.

Cost Recovery Mechanisms

Regulators will be permitted to recover the cost of enforcement and oversight directly from regulated organisations. Expect fees to follow.

3. Futureproofing Through Delegated Powers

One of the key challenges addressed by the Bill is the speed at which cyber threats evolve, often outpacing the ability of existing legislation to respond. The regulation seeks to grant the Secretary of State the authority to update the regulatory framework without needing to pass new Acts of Parliament. This ensures the Government can swiftly:

  • Add new sectors or entities to the scope of regulation
  • Adjust security obligations based on technological shifts (e.g. AI-enabled attacks)
  • Respond to emergent national security threats

This agility will be critical in protecting NHS infrastructure, where the speed of change in both threats and technologies continues to accelerate.

Additional Measures Under Consideration

While the core proposed components of the Bill have been set out above, the Government is also considering a number of supplementary measures, which may be introduced through this or future legislation. These include:

  • Bringing data centres formally into scope, recognising their designation as Critical National Infrastructure (CNI)

  • The introduction of a Statement of Strategic Priorities to align regulatory objectives across all sectors and regulators

  • Emergency powers of direction, enabling the Government to require immediate action from either regulators or regulated entities in the face of serious cyber threats

Implications for Healthcare Organisations

While the Cyber Security and Resilience Bill is still at the policy stage, the direction of travel is clear, and healthcare is firmly in scope. If enacted, the Bill would place new and more stringent expectations on healthcare organisations, not only to secure their own systems, but also to manage risk across their supply chains. Here’s what’s likely to lie ahead:

✅ Greater scrutiny for both large and small health tech organisations

Organisations once considered “too small to regulate” may now fall within scope, particularly if they are designated as critical suppliers or fall under the expanded definition of Managed Service Providers (MSPs). Regardless of size, digital health vendors will need to be prepared to demonstrate security, continuity, and incident response capabilities and to do so under formal regulatory oversight.

✅ The shift to CAF brings new compliance expectations

With the Cyber Assessment Framework (CAF) replacing DSPT for Category 1 organisations, and likely Category 2 soon, compliance is no longer a static checklist. Healthcare organisations must evidence ongoing security maturity with risk-based controls, staff training, and business continuity planning embedded as standard practice.

✅ Supply chain security is no longer optional

Both NHS Trusts and Integrated Care Systems (ICSs) will be expected to carry out more rigorous due diligence on third-party suppliers. This includes assessing the cyber risk posed by partners, requiring assurances, and ensuring that contractual and technical controls are in place to mitigate vulnerabilities across the supply chain.

For suppliers, this means demonstrating your security posture not just internally but to your NHS clients as part of procurement, onboarding, and ongoing assurance.

✅ Compliance comes with a cost, both operational and financial

New regulatory cost recovery mechanisms mean that organisations may be required to pay fees associated with oversight and enforcement. Both healthcare providers and their suppliers should begin factoring compliance-related costs into forward planning, from dedicated resources to training, tooling, and potential regulator charges.

Final Thoughts

While still at the policy stage, the intent of the Cyber Security and Resilience Bill is unambiguous: to modernise the UK’s cyber resilience framework, strengthen regulatory oversight, and ensure that essential services, including the NHS, are better protected in the face of an increasingly complex threat landscape.

Naq’s platform and expert support help healthcare providers, digital health innovators and MSPs to ensure they’re not only ready to meet today’s compliance standards, but prepared for what’s coming next.

From supply chain security monitoring and staff training, to incident response planning and support for frameworks like DSPT, DTAC, and ISO 27001, Naq’s platform not only makes compliance manageable but also ensures that cyber security is baked into your business operations.

If you’re looking for guidance on preparing for the proposed changes or want to ensure your organisation stays compliant as security requirements evolve, we’re here to help. Click here to speak to our team.

Click here to access the full policy statement.