Boggy - stock.adobe.com
The cyber law that could change everything
The aim of the Cyber Security and Resilience Bill is to target critical infrastructure operators and essential service providers. Midmarket businesses need to be aware that they may be part of a critical supply chain and open to scrutiny as a result.
Midmarket businesses are the engine room of the UK economy. They account for roughly a third of private sector turnover and employ millions of people across manufacturing, professional services, logistics and technology. They are also, increasingly, the businesses that keep regulated industries running; supplying the components, software, services and expertise that critical infrastructure depends on. That position carries weight. It is also about to carry new responsibility.
The Cyber Security and Resilience Bill, introduced to Parliament in November 2025, targets operators of essential services, critical infrastructure and managed service providers. The security obligations it places on those organisations will move through their supply chains via contracts, procurement questionnaires and supplier audits.
For example, this could include a manufacturer supplying components to a utility company, a professional services firm handling compliance work for an NHS supplier, or a software business whose product sits inside critical infrastructure. These businesses are big enough to matter operationally to their customers but lean enough to have a limited dedicated security team.
This is not just a compliance story. For the CISOs and IT leaders reading this, the regulatory mechanics will already be familiar territory. But the more important conversation is the one that is not yet happening in most midmarket boardrooms: that getting ahead of these requirements is a growth strategy. Access to government procurement frameworks. Stronger positioning in competitive bids. The ability to supply into European markets where equivalent regulation is already in force. The businesses that treat this as an opportunity rather than an overhead will be better positioned than those that treat it as a tick-box exercise.
The statistics on cyber risk for mid-market organisations were already uncomfortable before this Bill arrived. According to the latest government research, two thirds of medium-sized UK businesses reported a cyber breach last year. Ransomware demands, which doubled in a single year, hit an estimated 19,000 UK businesses. And only 15% of businesses had formally reviewed the cyber risks their immediate suppliers pose to them.
Attackers have worked out that mid-market businesses are not just worth targeting in isolation, they often provide a critical interface to something bigger.
The commercial pressure will arrive through customer contracts and procurement requirements, not a request from a regulator.
Why minimum compliance is not the same as being secure
This is why this Bill is so important to understand. Not which businesses fall inside its legal scope but what it exposes about gaps in supply chain resilience across the UK's critical infrastructure and services.
The businesses that see this as solely a compliance burden will do the minimum. I have seen organisations spend months getting an audit signed off on something that only had applicability over a small subset of the organisation, which does little to offer assurance and deliver trust.
Compliance does not mean secure.
Consider that every regulatory framework went through several years of iteration before coming into law. By the time it lands, the threat has often moved on. The absence of a requirement is not an absence of a risk, and so any framework or compliance statements should be regarded as a minimum baseline, and reviewed against the current geopolitical, economic and technical landscape, for ongoing relevance.
Certifications to known standards carry applicability statements that define exactly which part of the business is in scope. Many buyers glance at the certificate and move on. This could include certification covering a single datacentre, for example, while the people, the processes and the decisions that sit behind it are never examined. Ask yourself honestly: are you really doing the right thing for the right reasons? Regulated enterprises under pressure to show they have done proper supply chain assessments are going to be reliant on the evidence supplied, and so it's prudent to start performing due diligence in advance to truly understand the applicability and assurances provided, and where gaps exist that could highlight significant exposure.
What going above and beyond actually looks like in practice
In 2012, when ISO 22301, the business continuity management standard, was published, a typical response was to check what competitors were doing, scope the certification to whatever satisfied the customer tenders and get the audit signed off.
At Fujitsu, where I led the business continuity transformation programme, we refused that logic. The question we asked was simple: it's not about you; it's about your customers. What will it take to make the whole company resilient, not just the part a customer interfaces with? Because a datacentre does not function in isolation, it requires a whole of company effort. That includes the finance team, the account managers, human resources, the leadership team making decisions at 2am when something goes wrong, and ultimately all the employees across the company.
The objective was clear, but delivering it took time, effort and commitment. We became the first IT services provider in the UK to achieve ISO 22301 certification across every part of the business. Not just the datacentres. Not just the service desks. Not just the managed service. The entire company. That decision came from asking an honest question: where do we sit in the supply chain, and what happens to our customers if we fail? When you answer that honestly, the scope and reality of what you need to do looks nothing like a checklist. It's a clear business decision to go above and beyond minimum expectations.
The same test applies now. Those midmarket businesses that use the Bill as a reason to understand their position in the market and dependencies placed upon them will be in a different conversation with their customers entirely. That open conversation is worth having before the customer asks for it.
The dangerous assumption sitting inside mid-market businesses
When a new regulation lands, a typical response is to assume the IT team or the managed service provider has it handled. Sometimes they do. Never make assumptions. An assumption is a risk until you turn it into a fact.
If a critical supplier goes down, you may go down with them, and no contract clause changes that. The instinct may be to make them accountable with service penalties or severance clauses. But leaning on a supplier is not the same as leaning into one. This is where collective resilience matters. Have you ever run an exercise together to find out what happens if a service fails? If they do not have the capability, you both need, you have two choices: working together to reduce the gap or removing the dependency on them through diversification of supply. These are not questions to be determined during an active incident.
It is worth noting that the Bill introduces a 24-hour incident reporting requirement for organisations in direct scope, and suppliers will be expected to support that. Having visibility of your systems and a response plan in place before something goes wrong requires preparation.
The commercial upside the compliance conversation keeps missing
Every conversation I have about this Bill circles back to risk and resilience. There is an absolute return on investment when this is done well. Security done properly is a commercial differentiator. It opens doors and creates new lines of business.
If you are going above and beyond, and you can demonstrate that this is fundamentally part of how you run your business, not a compliance checklist, all those things are going to propel you further in customer conversations. The question that tends to separate suppliers in a competitive bid is not whether they hold a certificate but whether they can answer plainly: what happens if something goes wrong at midnight on a Friday?
Government procurement makes this more concrete. Public sector contracts increasingly require demonstrable security maturity. Midmarket businesses that can evidence this maturity gain access to procurement frameworks they would not otherwise qualify for.
The European dimension matters for businesses thinking about growth. The EU's NIS2 Directive has been in force since October 2024, and UK businesses supplying into European markets are already fielding security questions from EU customers. UK businesses with strong, demonstrable cyber credentials are increasingly being seen as a safe and credible option. Much of what became GDPR grew from UK data protection law and the Cyber Security and Resilience Bill sits in that same tradition. Adhering to the Cyber Security and Resilience Bill provides a moment to shine.
Why this conversation belongs in the boardroom, not just the IT department
Whether to treat this Bill as a cost or an opportunity is a leadership decision. The consequences of getting it wrong are commercial, not technical.
If you are a CEO or a financial director, the question that matters is straightforward: how do you use this to show a demonstrable return on investment with your customers? People buy from people. The trust you build is what separates you from everyone else bidding for the same work. Do you want to be known for going the extra mile? For being the trusted entity in your supply chain?
I think about it this way. The businesses that take it seriously are not making a bet on whether something may or may not go wrong. They are building something that compounds — better risk posture, better services for customers, and longevity for stakeholders.
The Bill is moving through Parliament now. Implementation runs to 2027 and 2028, which sounds distant until you realise that regulated enterprises are already adjusting their supplier requirements. The businesses that will be best placed are not the ones that start thinking about this in 2027. They are the ones acting now. Security has always been about staying ahead of the risk, not catching up with it. This Bill is simply the latest reminder that the mid-market has a more important role to play in the UK's collective resilience than it is often given credit for.
Read more about the Cyber Security and Resilience Bill
- An amendment to the UK’s Cyber Security and Resilience Bill calls for the government to publish a ‘digital sovereignty strategy’ to promote domestic technology.
- An amendment to the Cyber Security and Resilience Bill proposes giving the government a ‘kill switch’ to close datacentres hosting AI if they pose a critical threat to UK infrastructure or national security.
- New cyber legislation is necessary but a wider effort is needed to harden the UK's security and resilience.
