The new Bill represents a step-change in regulatory expectations, says Rob Demain, Founder and CEO of e2e-assure, which specialises in managed threat detection and response services.
To better protect organisations against cyber-crime, the UK government is proceeding with a new piece of legislation, the UK Cyber Security and Resilience Bill, which is likely to become law in 2026. Rather than follow EU governments, which are rolling out country-specific transpositions of the NIS2 directive (a direct replacement for the NIS Regulations 2018, which the UK currently adheres to), the UK's approach is tailored to its own national environment. The Bill is designed to simplify fragmented legacy systems and accelerate the UK towards modernised digital resilience.

The Bill widens the scope beyond what the NIS Regulations 2018 covered. This means that local governments and their suppliers must take time to understand the implications. They need to review and update their systems, policies and partnerships in preparation.
At e2e-assure, we've worked with the public sector for over a decade to monitor and protect against cyber threats, so we understand the added pressure this new Bill places on local authorities, which act as custodians of extremely sensitive data. With personal health records and financial information at risk, public-sector breaches can have severe consequences, including long-term reputational damage.
So, what do the key changes look like and what can cyber risk owners in local government do to get ahead of the Bill coming into law next year?
What does the UK Cyber Security and Resilience Bill cover?
1. Bringing more entities into scope of the regulatory framework
Bringing managed service providers into scope
The Bill will bring more entities into the scope of the regulatory framework, including managed service providers (MSPs) that provide core IT services to all types of UK business. Local authorities in particular rely on MSPs for services such as data and content management as well as communications.
Which managed services are brought into scope will be defined in the Bill once released. However, it’s known that the Information Commissioner’s Office (ICO) will act as the regulator of MSPs through information gathering, investigation and enforcement powers.
There is good reason for the scope to widen, and it is important for local authorities to understand why. MSPs have access to their clients' IT systems, networks, data and infrastructure, making them extremely attractive targets for threat actors. Those serving local government are particularly appealing because of their links to sensitive data. Take, for example, the attack on the housing provider Locata in August 2024. Locata was serving multiple local authorities, including Manchester City, Salford City and Bolton Metropolitan Borough Councils. The attack exposed thousands of service users to a phishing campaign that asked for identity verification for tenancy options, demonstrating how attackers can exploit third-party providers to reach local government.
The widened scope will place new duties on MSPs, helping to build a more informed picture of the changing threat landscape and of the specific threats to local government. The Cyber Security and Resilience policy statement estimates that the Bill will protect a further 900-1,100 MSPs, better positioning them as trusted and reliable partners against cyber-crime.
Strengthening supply chain security
An important objective of the Bill is to strengthen security across the supply chain. It plans to address this by empowering the government to set stronger supply chain duties for operators of essential services (OES) and relevant digital service providers (RDSP). Regulators will also be given more power to designate 'critical suppliers', that is, third-party suppliers whose services are so vital that any failure could cause significant disruption to the services they support.
Local authorities must map their existing IT ecosystems against the threshold criteria. This means assessing all their suppliers, taking into consideration the supply of goods and services, the effect of significant disruption, reliance on networks and information systems, and whether they are already regulated. Following assessment, local authorities must engage with suppliers to ensure they have a plan to adhere to the Bill. Following these conversations, cyber risk managers should review contracts and renegotiate as required. There is also potential value in consolidating the supplier pool to make compliance easier to maintain.
Suppliers should be reassessed regularly so that local governments align with the National Cyber Security Centre's Cyber Assessment Framework (NCSC CAF 4.0) objective A4.a, which requires a deep understanding of the supply chain and the ability to manage its risks. This can be achieved by evaluating suppliers' security posture, assessing their access to and influence over critical systems, and implementing the necessary policies, processes and governance.
2. Empowering regulators and enhancing oversight
Improving incident reporting
The Bill calls for quicker incident reporting and is particularly strict for local authorities, which must prepare for two-stage reporting to both the NCSC and other regulators, e.g. the ICO.
Local authorities and their suppliers will be required to report any cyber incidents more promptly, not just at the point of failure, but also as part of ongoing risk management. Senior leaders will be expected to take accountability, and regulators will be given more power to enforce audit requests or even apply financial penalties.
Cyber risk owners should evaluate how they currently detect, assess and report cyber threats. They will need to make changes in line with the Bill's requirement that an initial notification is made within 24 hours of becoming aware of an incident, followed by a fuller incident report within 72 hours.
3. Ensuring the regulatory framework can keep pace with the ever-changing cyber landscape
Keeping pace with the support of third parties
It is the policymakers' intention for the proposed Bill to be regularly updated. As the cyber threat landscape evolves, so too must the UK's cyber legislation if it is to remain relevant and effective. Ultimately, this will be better for the protection of local authorities, but it does increase complexity and pressure for cyber risk owners. Working with a third party with the right experience and deep technical knowledge can help cyber risk owners keep up with compliance and avoid costs and reputational damage.
CAF 4.0 alignment
Outside of third-party support, local authorities can refer to the CAF 4.0 for guidance on the best framework to follow. The framework, which is set to become more relevant under the Bill, has recently been updated to provide a tighter, more actionable standard for managing cyber risk in government.
There are four key updates to the framework, taking the number of contributing outcomes from 39 to 41. The changes are designed to push senior leaders and cyber risk owners to make decisions based on real threat intelligence rather than assumptions. They also drive suppliers to take responsibility for providing evidence of compliance rather than claims, supporting cyber-crime prevention.
A2.b – Threat understanding – The framework now requires formal integration of threat intelligence into risk decisions. Senior leaders need to re-evaluate how risk assessments are performed and confirm that trusted external sources are used.
A4.b – Secure software development and support – Local authorities must now verify secure development practices, ongoing support and lifecycle management of their software. Procurement and cyber risk managers will need a clear view of the origins and maintenance commitments of software.
C1 and C2 – Security Monitoring and Threat Hunting – While previous versions of the framework encompassed security monitoring, threat hunting is completely new. CAF 4.0 expands expectations around security monitoring to include enrichment, correlation, baselining of behaviour, retention, and structured triage. With regard to threat hunting, the new framework expects local authorities to conduct structured, hypothesis-driven hunts, converting findings into repeatable detections and playbooks.
D1 – Response and recovery – CAF 4.0 requires realistic, tested scenarios that include ransomware and supplier failures, alongside defined recovery sequences and clear communication channels.
A key theme of the changes is that they require leadership attention, contractual adjustments and measurable performance tracking, rather than being focused solely on technological change. The changes will enforce standards on local government, with departments and authorities required to demonstrate ongoing compliance improvements. Positively, the CAF is already familiar to many. Those who are not yet using it will need to carry out a self-assessment or call on third-party support to help prioritise next steps.
In conclusion
The UK Cyber Security and Resilience Bill represents a step-change in regulatory expectations, presenting both new challenges and new opportunities to local government. The widening scope of the regulatory framework to include MSPs, the increased responsibilities around supply chain assurance, expectations around faster incident reporting, and the empowerment of regulators to hold local governments accountable, all call for more proactive risk management.
To keep pace, cyber risk managers can lean on third-party support for guidance while aligning with the new CAF 4.0 framework before the Bill comes into law. Compliance should be more than a one-off exercise, with the framework principles embedded into all decision making, driving regular reassessment of supplier contracts, and holding senior leaders accountable. Local authorities that view the Bill as a roadmap to long-term resilience will be in a stronger position to avoid disruptive downtime and protect sensitive data, ultimately maintaining public services, and public trust, in today's complex digital landscape.