MSPs mull over impact of Cyber Security Bill
There are clear obligations for those that supply critical national infrastructure, but there might well be a wider impact on the SME community
Security experts across the channel have welcomed the arrival of the Cyber Security and Resilience Bill (CSRB) in Parliament as a step towards improving defences across the public sector and beyond.
The bill has emerged in recognition of a need to step up the defences against the rising number of cyber attacks on national infrastructure, with examples of hospitals, the Ministry of Defence and the British Library all underlining the determination of bad actors to cause disruption.
The cyber security regulations cover five sectors: transport, energy, drinking water, health and digital infrastructure, along with some digital services, including online marketplaces and cloud computing services.
Jonathan Trayers, director of managed service provider (MSP) Ekco, said the high-profile examples of attacks had been stacking up and that there needed to be a response. “The Cyber Resilience Bill arrives in the wake of a slew of attacks on major UK companies – among them Jaguar Land Rover, M&S and Harrods, costing the UK economy over £2bn this year,” he said. “The bill’s new measures, including 24-hour incident reporting and tighter supply chain controls, recognise the severity of the threat now facing UK organisations.
“Cyber attacks are unfolding quickly and too widely for delayed or fragmented responses. I hope this legislation will prompt closer coordination across the private sector and help create a culture where resilience is planned, tested and continuously improved.”
Trayers said there were also clear implications for the MSP community, which needed to understand what the bill would require of it.
“For organisations that rely on managed service providers, the bill raises expectations around trust and transparency,” he said. “It reinforces the need for real plans in place and treating resilience as something you build, not buy. The bill sends a clear message that cyber security is now a board-level issue. If you rely on digital infrastructure, you’ve got to take responsibility for keeping it safe.”
Improving security levels
Ric Derbyshire, principal security researcher at Orange Cyberdefense, said those that supplied critical national infrastructure (CNI) would be subject to the bill, and that it would improve security levels across the channel.
“Crucially, an area it focuses on is the complex nature of supply chains that support CNI,” he said. “It’s easy for organisations to fall into the trap of thinking of their ‘supply chains’ in the narrow terms of those immediately connected to them. By bringing new classes of service providers into scope, from managed service providers and datacentre operators to suppliers whose goods and services support critical systems, the CSRB broadens the reach of national cyber regulation.
“This shift encourages organisations involved in CNI to recognise that security and resilience rely on an interdependent ecosystem, rather than a simple chain,” said Derbyshire. “The bolstered oversight and reporting powers introduced through the bill represent a significant step change in accountability.”
Tim Pfaelzer, general manager and senior vice-president for EMEA at Veeam, said the attacks on those who supplied CNI customers were becoming more frequent and sophisticated.
“They are also becoming more targeted, going straight to CNI and their supporting supply chains to maximise damage,” he said. “I’d encourage organisations to see this for what it is: not just a new compliance hoop to jump through in an already saturated regulatory landscape, but a call to work more collaboratively within their supply chains, and to embrace greater accountability.”
Lee Johnson, chief technology officer and chief information security officer at Air IT Group, said it was a positive move to strengthen the protection of areas such as healthcare and energy, but encouraged the channel to be on guard.
“As cyber criminals find it harder to breach the public sector, many will turn their attention to the private sector, especially SMEs,” he said. “These businesses make up vast swathes of the UK economy, yet many don’t have the in-house expertise or resources to keep pace with increasingly sophisticated threats. Unless SMEs increase their cyber maturity, we risk creating a two-tier system where the most vital services are protected, but where many smaller-scale businesses are seen as better targets by bad actors.”
