The cyber law your organisation probably doesn’t need to worry about — and why that might be exactly the problem
The Cyber Security and Resilience Bill passed its third reading in the House of Commons on 16 June and arrived in the Lords the following day. If you’ve seen coverage of it, you could be forgiven for wondering whether any of it applies to you.
The honest answer, for most organisations, is: not directly. The Bill updates the Network and Information Systems (NIS) Regulations, which cover a specific and fairly narrow set of designated sectors — transport, energy, drinking water, health, and digital infrastructure — plus certain digital services such as online marketplaces, search engines and cloud computing. Unless you’re running a water treatment works or operating critical health infrastructure, the obligations in this legislation don’t land on your desk.
And yet I’d argue this is precisely the moment to pay attention.
What the Bill actually does
The legislation has three main thrusts. It brings new categories of organisation into the regulated fold — managed service providers, data centres, and large load controllers. It tightens up incident reporting, because the current rules are so narrowly drawn that serious attacks on UK infrastructure have gone unreported to regulators entirely. And it puts much more explicit pressure on regulated entities to manage the cyber security risks in their supply chains.
That last part is where it gets relevant for organisations well outside the regulated sectors.
What the cyber security supply chain duty means in practice
Under the existing NIS Regulations, operators of essential services already have a general duty to manage risks to their network and information systems, and that includes supply chain risk. In practice, many have interpreted this loosely. The Bill, and the secondary legislation it will enable, is designed to change that — embedding clear accountability for supplier risk, and giving regulators the tools to enforce it.
Concretely, organisations in regulated sectors — NHS Trusts, energy suppliers, water companies, major transport operators — are going to face increasing scrutiny of how they manage the cyber risks posed by their suppliers. Their regulators will expect evidence of supply chain risk assessment, appropriate contractual protections, and clear incident notification arrangements with key third parties.
None of that obligation flows directly to the suppliers themselves. There is no clause in this Bill that says a housing association, a professional services firm, or a mid-sized manufacturer must review its IT contracts. But if any of those organisations supply services to an NHS Trust, a licensed utility, or a significant transport operator, they may very soon find that their customer is asking questions they weren’t expecting.
The trickle-down effect
This is a dynamic I’ve seen play out before. When the Civil Contingencies Act came into force in 2004, the obligations landed on Category 1 responders — local authorities, emergency services, NHS bodies. But the practical effect rippled outwards. Those organisations quickly realised that their ability to continue functioning during a disruption depended heavily on whether their key suppliers and partners could do the same. Business continuity requirements that were never written into law for private sector suppliers became, in practice, a condition of doing business with the public sector. Organisations that couldn’t demonstrate any continuity planning found themselves at a disadvantage — not because legislation required it of them, but because their customers now had to be able to answer for it.
The same dynamic is likely here. Regulated entities, facing real enforcement risk and higher potential fines (the Bill significantly raises maximum penalties), will start looking harder at their supply chains. They will want to know that their critical suppliers have appropriate cyber security measures in place. They will want contractual rights to audit, to receive breach notifications, and to require remediation. Many will use this as a prompt to consolidate their supplier base around organisations that can demonstrate credible cyber security practices.
If you supply to any regulated sector — directly or as a sub-contractor further down the chain — this is worth taking seriously now, not when the questionnaire arrives.
What good supply chain cyber risk management actually looks like
For the organisations that are directly regulated, the expectation is increasingly aligned with the NCSC’s Cyber Assessment Framework: understand your critical dependencies, assess the risks those dependencies create, have appropriate contractual protections in place, and be able to demonstrate that you’ve done this in a systematic way rather than on an ad hoc basis.
For suppliers, the mirror image of that is being able to answer the questions that are coming. That means having a clear picture of your own cyber security posture, being able to articulate what measures you have in place, and — in many cases — holding recognised certifications that provide independent assurance. Cyber Essentials remains the baseline the government keeps pointing to. ISO 27001 is increasingly expected by larger regulated entities.
It also means reviewing your own supplier arrangements. If you rely on third-party IT management, cloud services, or any provider with access to your systems or data, you need to understand what security standards they maintain and what your rights are if something goes wrong. The Bill is explicit that this chain of accountability doesn’t stop at the first tier.
The broader point
Legislation like this tends to accelerate a shift that was already happening. Cyber security has been moving, slowly, from a technical function to a governance one — something that boards are expected to understand, own, and be accountable for. The Bill’s supply chain provisions, combined with the wider commercial pressure they will create, are likely to push that shift further and faster.
For organisations that are ahead of this — that can demonstrate genuine cyber resilience, not just a policy document filed somewhere — there is a real competitive advantage in the sectors where their customers face regulatory scrutiny. For those that aren’t, the risk isn’t just a cyber attack. It’s being quietly filtered out of supply chains by customers who can no longer afford the reputational and regulatory exposure of working with suppliers they can’t vouch for.
The Bill doesn’t apply to most organisations. The consequences of what it sets in motion very likely do.