The Cyber Security Bill Nobody's Talking About


There is a piece of legislation moving through Parliament right now that will change how businesses think about IT security. It has already passed its committee stage in the Commons. It will almost certainly become law this year. And most business owners have never heard of it.

It is called the Cyber Security and Resilience Bill (CSRB).

If you run a manufacturing business with 25 to 250 employees, this is not abstract. It is coming directly for the way your IT is managed, who is responsible for it, and what happens when something goes wrong.

What does it actually do?

Three things that matter for businesses like yours.

Your IT provider becomes regulated. For the first time, managed service providers — the companies that look after your IT — will fall under direct regulatory oversight. Somewhere between 900 and 1,100 MSPs across the UK are expected to be brought into scope. That means your IT provider will need to demonstrate that they meet specific security standards, report incidents within defined timescales, and keep evidence that they are doing what they claim to do. If they cannot, they face fines of up to £17 million or 4% of global turnover, whichever is higher.

The question this raises is simple: does your current IT provider know this is coming? And are they ready for it?

Supply chain pressure arrives before the law does. Regulated organisations — energy companies, healthcare providers, transport operators — will be required to assess and manage cyber risk across their supply chains. If you supply products or services to any of these sectors, you will start receiving security questionnaires. They will ask whether you have documented access controls, incident response plans, tested backups, and proper network segmentation.

This is already happening. We have seen manufacturers receive exactly these questionnaires from their largest clients. Not because of any regulation. Because the client's own compliance requirements now flow downhill.

Incident reporting becomes mandatory. When something goes wrong — a breach, a ransomware attack, a significant outage — there will be mandatory reporting obligations. Not when you get around to it. Within defined timescales. Meeting a deadline like that means you have to know when an incident has happened, which requires logging, monitoring and alerting that most small and mid-sized businesses do not have in place.

Why manufacturers should care right now

Manufacturing is not directly in scope for the CSRB — yet. But that distinction is misleading.

If you supply to businesses that are in scope, their obligations become your problem through the supply chain. If your IT provider is in scope — and they will be — their compliance requirements will change how they work with you. And if you have EU operations, the EU's NIS2 directive may already apply to you directly: it covers medium and large entities established in the EU in its listed sectors, and those sectors explicitly include the manufacture of specified product categories such as machinery, electronics, vehicles and medical devices. If you only have EU clients or EU supply chain exposure, the same pressure reaches you through their supplier requirements. Either way, NIS2 is significantly stricter than current UK rules: a 24-hour initial incident notification, mandatory access control policies, and manufacturing named in scope.

The question is not whether this affects your business. It is whether you find out on your terms or on someone else's.

What this looks like in practice

A manufacturer we work with received a security questionnaire from their largest client last year. Standard procurement process — the client's IT team had sent it to every supplier. The manufacturer had no idea whether they could answer yes to half the questions.

Their office and shop floor were on the same network. They had no documented access controls. They had never thought about any of it because nobody had ever asked.

That questionnaire did not come from a regulator. It came from the people they could not afford to lose as a client.

That is what the Cyber Security and Resilience Bill looks like before it passes.

Three things to check today

Does your IT provider know about the CSRB? Ask them directly. If they look blank, that tells you everything. If they are already preparing, ask them what changes they are making and what it means for you.

Can you answer a security questionnaire? If a major client sent you one tomorrow — documented access controls, network segmentation, incident response plan, backup testing evidence — could you answer it honestly? If not, those are the gaps to close first.

What happens to your data when something breaks? Not theoretically. Actually. Do you have backups that are kept separate from the systems they protect? Do you know how long a full restore takes? Has anyone ever run that restore end to end and checked the result? The Bill will make incident reporting mandatory for organisations in scope, and your clients will pass the same expectation down to you. If you cannot detect an incident, you cannot report it, and that is a gap before the law is even passed.

The uncomfortable reality

None of this is difficult to fix. Documented access controls, network segmentation, tested backups, a clear incident response plan — these are foundational. Done properly, they are neither expensive nor disruptive.

The problem is that most businesses have never been asked. And when they are asked — by a regulator, by a client, by an insurer — the time to prepare has already passed.

The direction is clear. The expectations are already filtering into commercial contracts. The businesses that start now will answer the questionnaire honestly. The ones that wait will find out what it costs to lose a contract they thought was secure.

If you are not sure where your business stands — that uncertainty is the answer.
