The Bill was in Public Bill Committee at the time of publication. Provisions described reflect the Bill as introduced and may be subject to amendment. Verify current status at bills.parliament.uk.
Each quarter, IISZON will discuss one potential gap or challenge between what the regulations or vendors assume and what operational technology environments are in reality. This edition: the Cyber Resilience Bill versus the organisations it will govern.
What the Bill changes
The Cyber Security and Resilience (Network and Information Systems) Bill (the "Cyber Resilience Bill") will modernise and expand the scope of the NIS Regulations 2018. It moves from "appropriate and proportionate" (a phrase the industry has perhaps tolerated over the years) to defined, auditable, enforceable minimum standards. The Bill places named senior management accountability at the centre of the governance framework. Directors will be required to take ownership of cyber risk reporting and oversight. The mechanics of individual accountability remain subject to committee scrutiny, but the direction is clear.
Incident reporting moves to a two-stage process: initial notification to the competent authority and NCSC within 24 hours of awareness, followed by a full technical report within 72 hours. The reporting trigger also widens. Events merely capable of having a significant future impact are now reportable, not just confirmed incidents. Supply chains become your problem contractually and evidentially, with competent authorities gaining the power to designate specific businesses as critical suppliers, bringing them directly under the NIS regime. Financial penalties shift to the higher of £17 million or 4% of worldwide annual turnover, with daily fines for ongoing non-compliance. For organisations with a significant parent group, the turnover-based figure is the one that matters.
Competent authorities are not going to wait for Royal Assent to update their assessment expectations.
The Operational Gap
The Bill assumes six specific capabilities will be tested:
- Board-level accountability and risk maturity.
- A shift to dynamic risk management and controls validation.
- Enhanced supply chain management.
- Mandatory technical capabilities and controls.
- Rapid incident response and enhanced reporting.
- Regulatory future-proofing, which will allow changes to be expedited to meet the evolving landscape.
Some of the challenges and gaps which will need to be addressed by operators and regulators alike include:
- Network segmentation and framework alignment. Process networks are often designed for safety and availability rather than monitoring, creating visibility gaps that compliance frameworks will require organisations to address formally. Many OT environments also lack the documented segmentation methodology that competent authorities will expect. ISA/IEC 62443's Zone and Conduit model maps directly onto CAF outcomes and provides that baseline. Organisations without it face a significant evidential gap.
- Legacy system vulnerabilities. Many remain within defined operational risk tolerances and will not be patched. Where patching should not occur, the focus needs to be on documented compensating controls, and residual risk formally accepted and reviewed within an appropriate timeframe.
- Evidential automation. Limited automation of control effectiveness means organisations struggle to generate the ongoing evidence that regulators and the CAF assessment process will expect.
- Board-level maturity. Risk management, security awareness and communication at board level remain areas where improvement is needed across parts of the sector.
The gap isn't always technical. It can be organisational. The regulation has been written with operational technology in mind, but there is still work to do in closing the gap between what the legislation assumes and what some environments actually are.
One principle the Bill cannot override: where cybersecurity controls introduce unacceptable risk to safety instrumented systems or safety-critical operational processes, they cannot simply be imposed. That is an engineering reality, not a compliance workaround, and one that competent authorities will need to reflect in their assessment approaches.
In my opinion, none of these are new problems. The Bill simply removes the flexibility that allowed them to remain unresolved.
How do you respond
For organisations already aligned to the NIS Directive and the CAF Basic Profile, the Bill is an evolution, not a reinvention. The obligations it introduces largely reflect what the Basic and Enhanced Profile already require of OES organisations. For organisations that have been actively managing risk with a clear, governed view of their risk tolerance and appetite, compliance tends to follow organically and maturity develops alongside it. The evidential infrastructure the Bill now demands is largely the same infrastructure that good risk management produces. Those that treated their NIS obligations as a paperwork exercise will find the Bill far less forgiving.
Four practical starting points for boards and security teams:
- IEC 62443 gap analysis for OT and IACS environments. A structured risk assessment is the foundation. Security Level targets, zone and conduit definitions, and segmentation decisions all need a documented baseline to measure against. Every step should produce a real artefact: assumptions registers, requirements specifications, residual risk positions, and a remediation plan. Every decision justified, every claim evidenced. There are no shortcuts here that will not surface later under scrutiny.
- Supply chain mapping. Identify which suppliers would meet the Bill's critical supplier designation threshold and start those conversations now, before the designation process makes them reactive.
- Board training and reporting cadence. The Bill requires directors to own cyber risk. Structured cyber literacy training and a regular board reporting cycle are the starting point, not a downstream consideration. This is where governance failures will be most visible to regulators.
- Continuous capability assurance. A CAF self-assessment is the starting point, not the destination. Align findings to architecture principles, defined end states, and maturity targets to build a capability model that goes beyond point-in-time compliance. The aim is continuous validation of control effectiveness against evolving threats, with the Basic Profile, Enhanced Profile and beyond serving as markers of progress rather than the limit of ambition. In safety-critical environments, the capability model must also hold the safety boundary. Resilience that introduces safety risk is not progress.
I am fortunate to work with forward-thinking boards and mature teams. But this will remain a persistent challenge for parts of the sector, and one we at IISZON continue to engage with directly.
IISZON supports Operators of Essential Services across advisory, assurance, recovery and innovation. If you would like to understand where your Operational Gaps are before a regulator finds them, we are available to discuss it.