The Cyber Security and Resilience Bill passed its second reading, and has progressed through to the committee stage. This fast-moving legislation marks a significant step forward in the government’s efforts to strengthen national cyber defences.

The legislation is designed to modernise existing cyber laws to reflect the scale of today’s digital threats, improve resilience across businesses, and to better help protect the public.

Rob Rees, Divisional Director at Markel Direct, the business insurance specialist, explains what the Bill is proposing, how this will affect UK SMEs and what actions should be taken in 2026.

What does the Cyber Security and Resilience Bill propose?

The Cyber Security and Resilience Bill’s primary aim is to strengthen the UK’s cyber security framework by expanding who is expected to manage cyber risk, tightening incident reporting and giving regulators stronger enforcement powers.

It looks to build on existing Network and Information Systems (NIS) regulations and brings additional sectors, such as data centres and managed service providers, into scope, placing greater emphasis on supply chain security.

While the Bill is primarily targeted at larger organisations whose disruption could have widespread economic or societal impact (such as the NHS and transport operators), it signals a broader shift in cyber resilience expectations, making cyber security awareness and action a basic requirement for doing business rather than a “nice to have”.

Does the Bill directly impact SMEs?

Largely, if this Bill becomes law, it will not directly impact most SMEs in a regulatory way. The Bill is not designed to impose the same proposed compliance burden on small businesses as it does on operators of essential services or large digital providers. However, SMEs could instead feel the impact of the Bill indirectly in several different ways:

• Increased scrutiny of supply chains: The large organisations and regulated entities that will be impacted by the Bill will be required to assess and manage cyber risk across their suppliers, meaning SMEs are more likely to be asked to demonstrate ‘reasonable cyber security’ to win or retain contracts.

• Stricter requirements within contracts: There will likely be an increase in cyber security clauses, assurance questionnaires and minimum-security standards within contracts, becoming more common in commercial agreements with larger clients.

  
  

  Higher expectations around resilience: Even where there is no formal compliance requirement, SMEs will face a knock-on effect of rising expectations around data protection, incident response and business continuity. This means that if cyber security hasn’t been a consideration by SMEs to date, it will need to become so.

  
  

• Commercial risk of non-compliance: For SMEs that cannot show evidence of having cyber security measures or considerations in place, it may be that they are at risk of exclusion from tenders, experience delayed onboarding, or be viewed as higher-risk partners.

  
  

• Greater reliance on third-party IT providers: As larger organisations face tougher cyber rules, many SMEs will need to rely more on external IT support to meet basic security expectations without the cost of building or hiring in-house expertise.

  
  

What ‘reasonable cyber security’ looks like for SMEs

One of the biggest challenges for SME owners is uncertainty about what is expected of them and the potential attached cost. ‘Reasonable cyber security’ means taking sensible, practical steps that match the size of the business, what it does, and the type of data it works with. For most SMEs, this simply includes:

• Keeping systems and devices updated with the latest security patches

• Using strong passwords and multi-factor authentication

• Regularly backing up critical data and testing recovery

• Restricting access to sensitive systems

• Training staff to recognise phishing and social engineering attacks

• Having a basic incident response plan

  
  

These measures help to significantly reduce SME exposure to common threats and demonstrate a responsible approach to cyber risk.

How soon do SME owners need to act?

Despite the fast pace of this legislation (moving from a first reading on November 12th 2025 to a second reading on January 6th), there is no ask of SMEs to invest in expensive, enterprise-grade security tools or in-house cyber specialists; the only request is that there is an awareness of risk and evidence of reasonable effort and preparation to mitigate cyber threats.

Small and medium-sized businesses that can demonstrate an understanding of the risks that could affect their operations and the proportionate steps they have taken to manage them are far better placed to meet client expectations and withstand disruption.

Practical next steps for 2026

With the Bill moving quickly through Parliament, now is a sensible time for SMEs to stay ahead of the curve.

Simple actions include:

• Carefully reviewing contracts for any cyber security obligations

• Identifying what data is held by your business and where it is stored, making improvements where necessary

• Checking backups, access and updating your own data protection policies

• Arranging cyber insurance to protect against the impact of a targeted cyber-attack on your business

• Assigning responsibility for cyber risk at leadership level

• Carrying out a basic cyber security review and considering the ‘reasonable cyber security’ steps, implementing anything that is currently missing.

  
  

For more information and tips on cyber security for SMEs, visit the Markel Direct website.