The Cyber Security and Resilience Bill represents the most significant expansion of UK cyber law since GDPR arrived in 2018. For mid-sized law firms, this creates a challenge that goes beyond IT departments and compliance tick-boxes.
If your firm serves clients in banking, healthcare, energy, or local government, the Bill’s new ‘Critical Supplier’ provisions could bring you directly into regulatory scope, regardless of your firm’s size or area of specialism.
The Bill completed its first reading in November 2025 and is scheduled for second reading today, 6 January 2026. While GDPR focused on data protection, this legislation centres on operational resilience. A successful cyberattack is no longer measured solely by data loss, but by your ability to continue serving clients during and after an incident.
Three material changes for Professional Services
The ‘Critical Supplier’ designation represents perhaps the most significant shift. Under the Bill, regulators can designate service providers as ‘Critical Suppliers’ if disruption to their services would materially impact essential infrastructure. If your firm handles NHS litigation, acts for major banks, or provides ongoing legal services to energy companies, you may find yourself subject to Critical National Infrastructure-level security standards. The designation isn’t tied to firm size but to your role in your clients’ operations.
Mandatory incident reporting requirements have also tightened considerably. Currently, firms report breaches when personal data is compromised. The Bill requires notification of any incident affecting continuity of service within 24 hours of becoming aware of it, followed by a full report within 72 hours. This captures ‘near misses’ and preparatory activity, such as dormant malware detected before it activates. For firms serving regulated entities, this means your incident response protocols need substantial revision.
Enforcement powers have been strengthened significantly. The Information Commissioner’s Office (which will be renamed the Information Commission under the Data Use and Access Act 2025) will regulate managed service providers under this Bill while continuing its data protection responsibilities. Maximum fines reach £17 million or 4% of global turnover for serious breaches. More concerning for many firms are the daily penalties: organisations failing to comply with government directives on specific cyber threats face fines of up to £100,000 per day until compliance is achieved.
The Professional Negligence dimension
The Bill doesn’t just create regulatory exposure; it also establishes a new standard of care. When the legislation comes into force, “industry standard practice” will be defined by statute. Firms that fail to meet the Bill’s security and resilience standards may find themselves more vulnerable to professional negligence claims following a breach. Clients will reasonably expect their legal advisers to maintain cyber defences proportionate to the sensitivity of the work being handled.
This shifts cyber security from a technical concern to a risk management issue requiring senior partner oversight. The Board needs to understand not just whether systems are secure, but how long the firm can maintain operations during an incident. The National Cyber Security Centre’s Cyber Assessment Framework serves as a likely benchmark, emphasising resilience over mere defence.
Practical preparation steps
Firms should begin by mapping their client base against Critical National Infrastructure sectors. Banks, NHS trusts, energy companies, water suppliers and transport operators all fall under the existing Network and Information Systems Regulations 2018, which this Bill updates and expands. If you represent these clients in matters where service disruption would affect their operations, consider whether your firm could be designated as a Critical Supplier.
Supply chain oversight requires immediate attention. The Bill extends to managed service providers, meaning your IT suppliers will likely face regulatory obligations. Contracts should include provisions requiring suppliers to notify you of their own cyber incidents within 24 hours, and you should establish audit rights to verify their compliance. Many firms will discover their MSPs handle more sensitive access than previously appreciated.
Incident response planning needs revision to accommodate the 24-hour notification window. This requires clear escalation procedures, pre-drafted notification templates and clarity on which incidents meet reporting thresholds. The Bill captures incidents that ‘could’ disrupt service, not just those that demonstrably do, which demands rapid assessment capabilities and direct lines to decision-makers at any hour.
Technical resilience deserves board-level discussion. The Bill assumes continuous operation, not just recovery capability. Immutable backups that cannot be encrypted by ransomware, offline storage that survives credential compromise and tested failover procedures will all become baseline expectations rather than premium investments. Annual tabletop exercises involving both IT teams and senior partners help identify gaps before regulators do.
The strategic context
The Bill reflects wider government recognition that cyber resilience underpins economic security. The National Cyber Security Centre recorded 430 serious incidents in 2024, up from 371 the previous year, with attacks on critical suppliers causing cascading disruption. Recent ransomware incidents affecting NHS diagnostics, Ministry of Defence payroll systems, and major retailers have demonstrated the economic impact of supply chain vulnerabilities.
For law firms, this legislation represents both obligation and opportunity. Firms that demonstrate robust cyber resilience position themselves favourably for work with regulated clients, who increasingly audit their suppliers’ security postures.
Those that fail to adapt risk not only regulatory penalties but also exclusion from tenders where Critical Supplier designation or equivalent standards become prerequisites.
The Bill will progress through Parliament over the coming months, with various provisions requiring secondary legislation before coming into force. However, it would be unwise to wait for the final implementation of the Bill before making any necessary changes.
The principles are clear, the regulatory direction is set and clients serving critical infrastructure are already asking questions about their advisers’ cyber resilience. The time for preparation is now, while you can shape your response strategically rather than reactively.