End-to-End Risk Management for the Cyber Security and Resilience Bill: A Guide for Critical National Infrastructure

The Cyber Security and Resilience Bill puts the NCSC Cyber Assessment Framework on a statutory footing, widens scope to managed service providers, data centres and critical suppliers, and introduces 24-hour incident reporting backed by fines of up to £17 million. This guide explains the new duties for critical national infrastructure - and how the Fig platform delivers the end-to-end risk management needed to meet them.

Author

Jay Hopkins

Editor

Edited by Jack Wickham

Read time

15 min read

Section 01

End-to-End Risk Management for the Cyber Security and Resilience Bill: A Guide for Critical National Infrastructure

The Cyber Security and Resilience Bill is the most significant overhaul of UK cyber regulation since the NIS Regulations 2018. For critical national infrastructure operators it does three things that matter: it places the NCSC Cyber Assessment Framework (CAF) on a statutory footing as the baseline standard, it widens scope to bring in managed service providers, data centres and critical suppliers - around 1,000 additional organisations - and it introduces stricter duties including 24-hour incident notification and fines of up to £17 million or 4% of global turnover. Meeting these duties requires end-to-end risk management: knowing your assets and dependencies, running controls to a measurable maturity, detecting and reporting incidents on the clock, and proving all of it to a regulator. The Fig platform delivers exactly that, mapping your controls to the CAF and collecting the evidence continuously from the day you are onboarded.

The Cyber Security and Resilience (Network and Information Systems) Bill had its first reading in Parliament on 12 November 2025 and completed its second reading and committee stage through early 2026. Brought forward by the Department for Science, Innovation and Technology (DSIT), it is designed to deliver a step change in the resilience of the UK's essential and digital services against cyber criminals and hostile state actors.

For organisations that operate or supply critical national infrastructure, the Bill is not a minor regulatory update. It raises the legal baseline, widens who is accountable, and sharpens the consequences of getting it wrong. This guide explains what the Bill requires of CNI operators and their supply chains, how those requirements map to the NCSC Cyber Assessment Framework, and how the Fig platform provides the end-to-end risk management needed to comply - and to keep complying as expectations rise. It is a companion to our guide on the Energy Sector Cyber Security Strategy, which sets the same direction of travel for one of the most heavily targeted CNI sectors.

Section 02

What the Cyber Security and Resilience Bill changes

The Bill builds on, rather than replaces, the NIS Regulations 2018. The current NIS regime covers operators of essential services across energy (electricity, oil and gas), transport (rail, air, maritime and road), health (including NHS trusts), drinking water, and digital infrastructure - the heart of the UK's critical national infrastructure. The Bill strengthens and extends that regime in several material ways.

A statutory baseline built on the NCSC CAF

The Bill places the NCSC Cyber Assessment Framework on a firmer statutory footing as the baseline standard for in-scope organisations. The CAF stops being a recommended self-assessment tool and becomes the framework regulators will hold operators against. If you run critical national infrastructure, the CAF is now the language your compliance will be spoken in.

A wider scope - MSPs, data centres and critical suppliers

The Bill brings significantly more organisations into scope - estimates point to around 1,000 additional entities. The headline additions are managed service providers, data centre operators, and critical suppliers whose failure would disrupt essential services. This is a deliberate move to close the supply chain gap: attackers increasingly reach CNI through the third parties that service it, so the regime now reaches those third parties directly.

Faster, dual incident reporting

In-scope organisations will face stricter incident reporting duties. The expectation is an initial notification to both the relevant regulator and the NCSC (acting as the national CSIRT) within 24 hours of becoming aware of a significant incident, followed by a fuller report within 72 hours. This is a substantial tightening - it demands that operators can detect, triage and report at speed, with defensible records to back the timeline.

Stronger regulator powers and serious penalties

The Bill strengthens enforcement. The most serious breaches can attract fines of up to £17 million or 4% of global annual turnover, with standard breaches subject to penalties of up to £10 million or 2% of turnover. Regulators gain greater capacity to set requirements, demand information and act on non-compliance. For boards, cyber resilience moves firmly into the category of material legal and financial risk.

Explicit supply chain security duties

Alongside bringing suppliers into scope, the Bill reinforces duties on operators to manage the security of their supply chains. Annual questionnaires are no longer a credible answer to a regulator who expects continuous oversight of third-party risk.

Section 03

What this means for critical national infrastructure operators

Translated into operational reality, the Bill creates four obligations that every CNI operator must be able to satisfy on demand:

1. Understand and govern risk across a complex estate of IT and operational technology, with full visibility of assets, data and dependencies.

2. Protect essential services to CAF maturity, and be able to evidence that maturity rather than assert it.

3. Detect and report incidents within 24 hours, with a defensible record of decisions and actions.

4. Minimise impact and recover, with tested continuity plans and supply chain assurance that holds up to scrutiny.

The challenge for most CNI operators is not understanding these obligations. It is the fragmentation behind them. Risk lives in one tool, asset registers in spreadsheets, vulnerability data in scanners, supplier assurance in inboxes, incident records in ticketing systems, and policies in document stores. Pulling that together into a coherent, regulator-ready picture - repeatedly, at CAF depth, across IT and OT - is where time and confidence are lost. End-to-end risk management is the answer, and it is exactly what Fig was built to provide.

Section 04

End-to-end risk management with the Fig platform

Fig brings the full lifecycle of cyber risk management into a single, governed platform, organised around five stages - Discover, Protect, Respond, Prove and Transfer. Each stage maps directly onto the duties the Cyber Security and Resilience Bill creates for critical national infrastructure.

Discover - know your estate and your dependencies

You cannot manage risk you cannot see. Fig's asset discovery builds a live, governed register across hardware, software, cloud and service dependencies, with accountable owners and evidence attached from day one - the foundation the CAF expects before any control conversation. Data discovery and classification identifies where critical and regulated data lives and which obligations apply to it. For CNI operators bridging IT and OT, this single view of the estate is the difference between defensible scope and educated guesswork.

Protect - reduce exposure to a measurable maturity

The Bill expects essential services to be protected to CAF maturity. Fig's vulnerability scanning consolidates scanner output and prioritises by exploitability and asset importance, so remediation effort goes where business risk is highest. Exposure modelling shows how individual weaknesses combine into business risk across critical services. Supply chain risk monitoring maps suppliers to the services and data they touch and tracks assurance evidence continuously - directly addressing the Bill's new supplier and MSP duties. People lifecycle governs access and accountability from joiner to leaver, closing one of the most common control gaps.

Respond - detect, manage and report on the clock

The 24-hour and 72-hour reporting duties make response capability a legal requirement, not a nice-to-have. Fig's incident management runs incidents from a single structured record - actions, owners, decisions, notifications and reporting - so you can notify your regulator and the NCSC within the required window and produce a defensible timeline afterwards. Agentic remediation turns findings into assigned, evidenced fixes while keeping human approval and ownership intact, accelerating the path from detection to resolution.

Prove - turn live work into regulator-ready evidence

This is where the heaviest workload under the Cyber Security and Resilience Bill sits, and where automation delivers most. Fig's compliance automation maps your controls to the frameworks behind the Bill - the NCSC CAF, the NIS Regulations and others - and collects evidence continuously, flagging stale or missing evidence before an assessor would. Policy management turns policies into operational control with approvals and attestations. Audit management builds audit packs from work that already happened, and training and policy acknowledgement records give you evidence that staff have completed training and accepted the policies that apply to them. Because evidence is reused across frameworks, demonstrating CAF maturity to a regulator does not mean rebuilding your compliance position from scratch each time.

Transfer - use your posture to manage residual risk

No control set eliminates risk entirely. Fig's business continuity makes recovery readiness measurable by connecting recovery plans, critical services and test evidence - central to the Bill's resilience focus. The embedded insurance view turns live posture, compliance and risk data into a clearer underwriting story, supporting better cyber insurance conversations and board-level risk reporting.

Section 05

Aligning directly with what the NCSC requires

Because the Bill puts the NCSC Cyber Assessment Framework at the centre of compliance, it is worth mapping Fig explicitly to the CAF's four top-level objectives: managing security risk, protecting against cyber attack, detecting cyber security events, and minimising the impact of cyber security incidents. This is the structure your regulator will assess you against.

Mapping your operation to all four CAF objectives in one platform - with the underlying evidence kept live - is precisely the end-to-end capability the Cyber Security and Resilience Bill expects critical national infrastructure operators to demonstrate.

Section 06

Meeting the 24-hour reporting duty in practice

The new reporting timeline deserves particular attention because it is unforgiving. To notify a regulator and the NCSC within 24 hours of a significant incident, an operator needs three things working together: the ability to detect and triage quickly, a structured way to capture decisions and actions as they happen, and the connective tissue to link an incident back to the affected assets, services and controls. Fig's incident management provides all three in one record, so the notification is a by-product of running the incident properly rather than a frantic separate exercise - and the 72-hour follow-up report draws on the same defensible timeline.

Section 07

The supply chain and MSP dimension

The Bill's extension of scope to managed service providers, data centres and critical suppliers is one of its most consequential changes. If you are a CNI operator, you are now expected to evidence continuous oversight of the third parties your essential services depend on. If you are an MSP, data centre or supplier serving these sectors, you should expect to be brought into scope directly - and to face the same expectations being pushed down through your customers' procurement and contracts. Either way, Fig's supply chain risk monitoring replaces the annual questionnaire with continuous supplier assurance: mapping suppliers to services and data, tracking control evidence, and surfacing third-party risk before it becomes an incident or an audit finding.

Section 08

Compliant from the day you are onboarded

The strongest argument for an end-to-end platform is timing. With Fig, compliance is not a project that begins months before an audit - it starts working immediately:

  • Day-one CAF mapping. When an organisation is onboarded, its controls are mapped against the NCSC CAF and the NIS Regulations straight away, so you can see your maturity position from the outset rather than after weeks of manual setup.
  • Evidence collected as work happens. Asset changes, vulnerability findings, supplier updates, incidents, policy approvals and training completions feed the evidence model continuously. Your regulator-ready pack is a by-product of normal operations.
  • Gaps surfaced while there is still time. The platform flags stale or missing evidence and control gaps before an assessor would, turning audit preparation into routine maintenance.
  • One source of truth across frameworks. Because evidence is reused, meeting CAF, NIS and the Bill's rising expectations does not multiply the workload.

Section 09

What CNI operators should do now

The Bill is progressing, and the direction is settled even where the final detail is not. The sensible moves are the ones that hold up regardless:

1. Adopt the CAF as your operating language now, rather than waiting for enforcement to begin.

2. Build a live, unified picture of your IT and OT estate and its dependencies.

3. Stand up incident detection and reporting that can meet a 24-hour clock, with defensible records.

4. Replace questionnaire-based supplier assurance with continuous supply chain oversight.

5. Move evidence off spreadsheets and onto a platform that maps controls to frameworks and collects evidence continuously, so rising requirements do not mean rising headcount.

Section 10

Frequently asked questions

What is the Cyber Security and Resilience Bill?

It is UK legislation, brought forward by the Department for Science, Innovation and Technology, that reforms and expands the NIS Regulations 2018 to strengthen the cyber resilience of essential and digital services. It had its first reading on 12 November 2025 and progressed through second reading and committee stage in early 2026. For critical national infrastructure operators it raises the baseline standard, widens scope, tightens incident reporting and increases penalties.

Who comes into scope under the Bill?

The Bill retains the existing NIS sectors - energy, transport, health, drinking water and digital infrastructure - and extends scope to bring in managed service providers, data centre operators and critical suppliers, estimated at around 1,000 additional organisations. The aim is to close the supply chain gap by regulating the third parties that essential services depend on.

What are the new incident reporting requirements?

In-scope organisations are expected to make an initial notification to both their regulator and the NCSC within 24 hours of becoming aware of a significant incident, followed by a fuller report within 72 hours. This requires the ability to detect, triage and report at speed, with a defensible record of the timeline.

What penalties does the Bill introduce?

The Bill proposes stronger enforcement, with fines of up to £17 million or 4% of global annual turnover for the most serious breaches, and up to £10 million or 2% of turnover for standard breaches. Cyber resilience becomes a material legal and financial risk at board level.

How does Fig help with NCSC CAF compliance?

Fig maps your controls to the NCSC Cyber Assessment Framework and the NIS Regulations and collects evidence continuously across assets, vulnerabilities, suppliers, incidents, policies and training. Its capabilities align with all four CAF objectives - managing security risk, protecting against attack, detecting events, and minimising impact - so you can demonstrate and maintain maturity against the framework the Bill puts on a statutory footing.

Does the Bill apply to managed service providers and data centres?

Yes. A central feature of the Bill is bringing managed service providers, data centre operators and critical suppliers into scope directly, in recognition of the role they play in delivering and protecting essential services. Providers serving CNI should prepare for the same expectations their customers face.

Section 11

Summary

The Cyber Security and Resilience Bill makes the NCSC Cyber Assessment Framework the statutory benchmark for UK critical national infrastructure, widens scope to managed service providers, data centres and critical suppliers, and backs faster incident reporting with serious penalties. Meeting these duties requires genuine end-to-end risk management - from asset discovery through protection, response, assurance and resilience - kept continuously current rather than reconstructed before each audit. The Fig platform delivers that lifecycle in one place, mapped to the CAF and collecting evidence from the day you are onboarded, so CNI operators and their suppliers can comply with confidence and keep complying as the bar rises.

About the author

Jay Hopkins

Managing Director, Fig Group

IASME-licensed Cyber Essentials Assessor; IASME Cyber Assurance Assessor

Jay Hopkins is the Managing Director of Fig Group and an IASME-licensed Cyber Essentials assessor. He was previously Head of Technology for a global regulated firm. He works with UK organisations across regulated sectors on baseline compliance, supply-chain assurance, and AI-augmented security tooling.
