CNI security and resilience are now a shared legal obligation. Time to invest.
16th September 2025 • Online
CISOs face more scrutiny, more firms in scope, broader duties, and a stronger regulatory environment. Organisations found wanting will be in trouble.
More security investment is both compulsory and a strategic opportunity
The UK faces increasingly severe and frequent cyber threats from hostile states and cybercriminals. Recent incidents (e.g. the ransomware attack on NHS suppliers) illustrate the real-world impacts of cyber breaches. Supply chains are a major vulnerability, and current resilience is not improving fast enough.
The case for change is obvious: the current framework, based on the NIS Regulations 2018, is outdated and narrowly scoped. The next set of UK legislation aims to expand and modernise these regulations to match today’s threat landscape, and it aligns with the EU’s NIS2 directive while reflecting UK-specific needs. Of course, in the EU, and for anyone who wishes to do business there, things are moving even faster.
CISOs face expanding regulatory scope and empowered regulators:
- Managed Service Providers (MSPs) to be brought under regulation due to their critical IT roles.
- Supply chain security strengthened by allowing regulators to designate “Critical Suppliers” subject to new duties.
- Stronger technical standards and methodological requirements aligned with the NCSC Cyber Assessment Framework.
- Enhanced incident reporting (within 24–72 hours), including obligations for customer notifications.
- ICO granted proactive powers to collect data and act before incidents.
- Introduction of modern cost recovery mechanisms to make regulators financially self-sustaining.
- Delegated powers for the Secretary of State to swiftly update regulations without new primary legislation.
So, what does this mean for CNI organisations and those who service them?
- Businesses, especially MSPs and digital service providers, will face new compliance and reporting duties. Critical SMEs and other third parties may also come under regulation if they support essential services.
- Your organisation may now be in scope, especially if you offer or rely on managed services, data centres, or critical suppliers.
- Incidents affecting confidentiality, availability, or integrity must be reported within 24–72 hours – not just service disruptions.
- Regulators can now designate specific third parties as Critical Suppliers – you may be liable for their cyber failings.
- Expect proactive enforcement, more detailed technical standards (aligned with the NCSC CAF), and fee-based funding of oversight.
- The Secretary of State may direct your firm or regulator to take urgent action in response to national security threats.
Increased regulation looks like a burden – and it certainly means more investment in security. But it is also a strategic opportunity.
- Regulatory clarity means less ambiguity on cyber expectations.
- Proactive compliance and supply chain hygiene can become competitive advantages.
- This is a call to CNI security professionals to harden their risk posture before enforcement catches up.
This is a national infrastructure priority and CISOs must lead the shift from compliance minimalism to strategic cyber resilience.