Blog October 1, 2025

A guide to understanding the UK Cyber Security and Resilience Bill

Notis Iliopoulos, EVP of MRC

The UK government is strengthening its cybersecurity legislation with the Cyber Security and Resilience Bill (CSRB), an update to the 2018 Network and Information Systems Regulations. Modelled on the EU’s NIS2 Directive, the new Bill significantly expands cyber risk obligations across the UK’s digital ecosystem, targeting gaps exposed by recent high-profile breaches.

At Obrela, we bring decades of compliance expertise and the power of our Managed Risk and Controls (MRC) services to simplify your journey to CSRB readiness and help build long-term resilience against emerging threats.

Background on the CSRB

The King’s Speech in July 2024 announced the UK Government’s intention to introduce the CSRB, recognising that cyber threats have outpaced current legislation. This evolved framework reflects the EU’s NIS2 and lessons from post-implementation reviews in the UK.

On 1 April 2025, the Department for Science, Innovation and Technology (DSIT) published its detailed policy statement, outlining the tougher security and reporting requirements, cost-recovery provisions and expanded enforcement powers.

The Bill’s formal introduction to Parliament is expected later in 2025, with phased compliance deadlines to follow. Early preparation will be crucial in avoiding disruptions.

Who is in scope and what is new?

The CSRB broadens its reach to cover online marketplaces, search engines, cloud platforms and upstream suppliers. For the first time, Managed Service Providers (MSPs) with privileged access to client systems will face regulation and data centres above certain thresholds will be required to prove infrastructure resilience.

To bolster threat visibility, the Bill mandates two-stage incident reporting:

  • A preliminary notification to the National Cyber Security Centre (NCSC) within 24 hours
  • A full incident report within 72 hours, detailing scope, impact and mitigation actions

This reporting framework aligns with NIS2 standards and will support coordinated cross-sector responses.

Additionally, public sector bodies and operators of critical infrastructure will be prohibited from making ransomware payments. This removes a financial incentive for attackers and signals a more assertive national stance.

Supply chain scrutiny is also a major theme of the new Bill. Regulators will have the authority to identify critical third-party suppliers, mandating risk assessments and audits across procurement chains. This means the CSRB is tackling one of the industry’s most exploited weaknesses.

Importantly, under the new Bill, the NCSC’s Cyber Assessment Framework (CAF) transitions from voluntary guidance to enforceable standards for organisations in scope. These organisations must show they have robust governance, technical controls and regular audits in place. This will support a cultural shift in how UK entities approach cyber risk management.

How Obrela supports CSRB compliance

Ensuring your readiness for CSRB needs more than just ticking boxes. It needs a tailored, end-to-end strategy. At Obrela, we start with strategic consulting that translates the regulatory requirements into actionable steps that are specific to your organisation. We then establish how to embed these into existing governance structures, helping cybersecurity to become core to your business operations rather than a siloed function.

Our unique combination of the MRC platform and advisory services is the powerful engine behind this transformation. It automates control assessments, tracks remediation and compiles regulator-ready evidence. Real-time dashboards offer you visibility across all of the technical and reporting requirements, guiding your teams through both the 24-hour notification and the 72-hour incident reporting workflows.

Our supply-chain module also audits vendors without manual effort, identifying and assessing critical suppliers at scale.

Concurrently, our cybersecurity advisors collaborate with the key personnel and the cybersecurity office to facilitate the necessary cybersecurity processes and gather the required information. They also provide consulting guidance on the effective implementation of the necessary cybersecurity controls.

From gap analysis and policy development to independent audits, Obrela gives you full lifecycle support to help reduce your risk, accelerate compliance and stay focused on running your business and meeting your objectives.

Steps towards CSRB readiness

Our approach starts with a gap and maturity analysis to identify current gaps and benchmark the maturity of your existing controls. By integrating MRC with your cybersecurity processes, we automate evidence collection and generate audit-ready reports, removing reliance on manual spreadsheets.

With Obrela, supply-chain oversight becomes seamless. We map your suppliers, set requirements and gather attestations instantly. If an incident occurs, pre-configured templates will guide you through notification and reporting, ensuring you are aligned with regulatory standards.

MRC provides a comprehensive approach to cybersecurity management, leveraging the Swordfish Platform to offer situational awareness and orchestrate client-side operational, risk and privacy management activities. With Swordfish, MRC’s services enable organisations to unify and manage all key components of enterprise security management, presenting a unified view of their security posture through a single pane of glass. Document your risk, track your controls and report on your compliance and exposure with Swordfish MRC.

This approach streamlines security operations and allows organisations to focus on other critical areas of their business. By partnering with MRC, clients benefit from advanced technology and expertise, achieving a higher level of visibility, readiness and resilience against today’s evolving cyber threats.

Connect with Obrela today to explore how MRC services transform compliance obligations into a resilient, growth-ready framework.