What the Cyber Security and Resilience Bill Means for UK SMEs

May 19, 2026

Reading Time: 4 minutes

The UK’s Cyber Security and Resilience Bill has been moving through Parliament quietly, and most SMEs have not been paying attention. That is understandable. Legislative progress is rarely fast or dramatic, and the bill does not carry the immediate urgency of a data breach or a ransomware attack. But it reached the report stage in the House of Commons on 14 May 2026, and contains provisions that UK businesses — and especially their IT providers — need to understand now as part of any serious approach to managed cyber security, rather than waiting until compliance obligations are fully in force.

What the Cyber Security and Resilience Bill actually says

The Cyber Security and Resilience Bill is the UK government’s response to growing concerns about systemic cyber risk across critical infrastructure and the supply chains that serve it. It extends the existing NIS regulations framework, broadening the scope of who must demonstrate formal cyber governance, and strengthening the requirements around incident reporting and supply chain security.

The most significant development for businesses working with managed IT providers is this: the bill brings managed service providers specifically into scope. That means the obligation on MSPs to demonstrate how they secure, monitor, patch, and recover the services they manage for clients is no longer a matter of professional best practice. It is becoming a compliance requirement.

The practical consequences are still being worked through as the bill progresses, but the direction is clear. Regulators and enterprise clients will increasingly expect provable cyber governance, not assumed cyber governance. The question an auditor or client will ask is not whether you have good intentions around security. It is whether you can show which controls are in place and produce the evidence to support it.

Are most UK SMEs directly in scope?

Not immediately. The bill’s primary focus is on organisations providing critical infrastructure and essential digital services. Most SMEs operating in professional services, logistics, manufacturing, or similar sectors will not fall directly under the legislation’s requirements.

But supply chain obligations create indirect pressure. If your business provides services to organisations that are in scope, those organisations will increasingly require evidence of your cyber posture before extending or renewing contracts. And if your IT provider is specifically in scope as a managed service provider, their certification status becomes relevant to how confident you can be in the platforms and services they deliver to you.

This is a pattern familiar from GDPR. Most SMEs were subject to it, but were never the enforcement focus in the way large data controllers and processors were; it was the obligations that landed on their suppliers and clients, data processing agreements and supplier due diligence in particular, that changed the expectations placed on them.

What the bill means for cyber resilience in practice

The shift the bill reinforces is one from informal trust to documented, auditable cyber resilience. For years, many organisations have operated on the basis that their IT provider was good, their controls were reasonable, and their response in the event of an incident would be adequate. That is trust-based security, and it is not the same as evidence-based security.

Moving to an evidence-based model does not require a complete overhaul of how a business operates. It requires that the controls already in place are documented, that documentation is kept current, and that the organisation can answer specific questions with specific evidence rather than general assurances.

For MSPs, this means being able to demonstrate how every client platform is secured, patched, monitored, and backed up, with evidence that is timestamped and retrievable. For the SMEs they serve, it means knowing which questions to ask and expecting clear answers.

The practical starting point for UK SMEs

Cyber Essentials remains the most accessible and most immediately relevant certification for SMEs looking to build a demonstrable cyber governance baseline. It covers the five control areas that account for the large majority of common attack vectors: firewalls, secure configuration, user access control, malware protection, and patch management. Getting these controls in place, documented, and independently verified addresses the foundations that both the bill’s requirements and most client questionnaires are looking for.

Cyber Essentials to ISO 27001 — the four-stage cyber governance certification pathway for UK SMEs

For organisations that have not yet pursued Cyber Essentials, now is the right time. Not because the bill will land tomorrow with penalties attached, but because the direction of travel in both regulatory expectation and enterprise procurement is clear, and the groundwork takes time to put in place properly.

For those who already hold Cyber Essentials, the next progression is Cyber Essentials Plus, which adds independent verification of the controls in place rather than self-assessment. From there, IASME Cyber Assurance and, for organisations requiring it, ISO 27001 alignment provide progressively stronger and more internationally recognised evidence of cyber governance maturity.

What Si Futures is doing

We are currently working through Cyber Essentials certification as a combined UK and South Africa organisation. This is not a badge exercise. It is the process of building the evidential framework that allows us to answer every relevant question about how we secure the platforms and services we manage with current, structured, auditable documentation.

For our clients, this means that the governance we have always applied in practice will increasingly be something we can prove. That is a shift that benefits both sides of the relationship, and it positions us for the stronger compliance expectations the bill is reinforcing.

If you are a UK-based business and you are not sure whether you are prepared for what is coming, a good starting point is a conversation about your current posture. Not an audit, not a project, just a structured look at where you are, where the gaps might be, and what the most practical first steps look like. Speak to our team to arrange that conversation.

The time to get this in place is now.

Sean Rogers