Intelligent CISO Issue 87 | Page 49

Feature
As the Cyber Security and Resilience Bill progresses through parliament, businesses that act now have a clear opportunity to get ahead. With stricter compliance requirements, steeper fines of up to £100,000 a day and tighter reporting deadlines just around the corner, the regulatory landscape is set for a major shift.
The bill will expand the scope of regulatory oversight, grant the government enhanced enforcement powers and align the UK’s cyber regulations with the EU’s NIS2 directive. All of this aims to create a more secure digital environment both domestically and on the continent.
Expanded reporting requirements will also raise the bar. Businesses will need to report a broader range of cyber incidents – including ransomware attacks, network breaches and service disruptions – with strict timelines of 24 hours for initial notification and 72 hours for a full report. As it stands, only four in ten businesses report disruptive breaches outside of their organisation, meaning these new rules will place additional strain on already stretched cybersecurity teams. Adapting to these regulations will demand time, resources and operational change – making early preparation essential for avoiding penalties and ensuring readiness.
How to prepare
Matthew Lloyd Davies, Principal Security Author at Pluralsight
Against the backdrop of modern organisations facing rising security threats, particularly supply chain attacks, third-party breaches and vulnerabilities, new regulations are a positive step. These regulations will ensure businesses can strengthen their cybersecurity defences and reflect a commitment to cybersecurity as a national priority.
Despite rising threats, many businesses still lack the necessary talent to respond quickly and effectively to immediate attacks. According to research from the Chartered Management Institute (CMI), just 10% of managers say they have basic cyber knowledge such as using secure passwords and identifying phishing attacks.
However, to ensure businesses are prepared, they must guarantee their workforce is ready. That means equipping them with the skills and knowledge to meet both the new compliance demands and bolster cybersecurity. Upskilling across technical and non-technical roles will be critical to prepare – below I outline why it’s important and what steps organisations should be taking now to get ready.
Why should businesses care?
Cybercrime is already costing UK businesses. In 2025 alone, 8.58 million cybercrimes were reported by UK businesses, with total losses over the past five years reaching £44bn. The threats of operational disruption, reputational damage and financial loss are a constant risk for many organisations.
The stakes are set to rise even higher with the introduction of new legislation. Non-compliance could result in fines of up to £100,000 per day or 10% of global annual turnover, whichever is higher.
Adding to the complexity, third-party involvement in data breaches has doubled over the last year and is now seen in 30% of all cyberattacks. As a result, beyond public services and utilities, over 1,000 IT service providers and suppliers will soon fall under regulatory scope, requiring companies to assess and ensure the cyber hygiene of their entire supply chain.
Similarly, Pluralsight research reveals that 45% of organisations say they don’t have the right people or skills in place to manage security risks effectively, and this isn’t a new issue: cybersecurity has been the number one technical skills gap since 2021.
Investing in cyber training isn’t just about avoiding fines; it’s about building resilience. Upskilling staff across all roles, from board members to front-line employees, helps embed cyber awareness into daily operations and decision-making.
Look at processes and procedures
Most organisations already have a data breach reporting procedure that meets GDPR reporting requirements. However, like NIS2, the bill’s proposed reporting obligations will introduce tighter deadlines and a wider scope of incidents.
To stay compliant, organisations should conduct a thorough security audit to ensure that their procedures are updated to reflect this. In addition, regular rehearsals of cyber security incident response – such as red team/blue team exercises – are