New UK cyber security bill to raise standards for all suppliers
The UK Government has introduced new legislation aimed at strengthening the cyber security and resilience of the nation's critical infrastructure, placing a strong focus on supplier risk and third-party security.
Bill scope
The Cyber Security and Resilience Bill introduces new regulatory scrutiny for more than 900 managed service providers (MSPs), raising the compliance bar for organisations that support public and private sector entities nationwide. The legislation responds to a rise in targeted cyber threats directed not only at critical national infrastructure (CNI) but also at their wider supply chains.
Collaboration needed
Tim Pfaelzer, General Manager & Senior Vice President, EMEA, at Veeam, said,
"The UK's Cyber Security and Resilience Bill reflects the urgency of the threats currently being faced. Attacks aren't just becoming more frequent and sophisticated; they are also becoming more targeted, going straight to CNI and their supporting supply chains to maximise damage. I'd encourage organisations to see this for what it is: not just a new compliance hoop to jump through in an already saturated regulatory landscape, but a call to work more collaboratively within their supply chains, and to embrace greater accountability."
"Ultimately, introducing regulation is only half the battle. Ensuring that organisations buy in to the new mandate, hold themselves accountable, and embrace new requirements on third-party risk management and incident reporting is the next major hurdle."
Supplier risk
The regulation targets supplier resilience as a fundamental component of national cyber security. As threat actors increasingly exploit vulnerabilities in third-party vendors, the requirement for improved risk management and reporting mechanisms has come to the fore.
Mike Smith, Partner - Security at TXP, stressed the importance of strengthening protections across the supply chain.
"Further protections for vital infrastructure cannot come soon enough. With a recent spate of high-profile cyber attacks and outages hitting key industries, third- and fourth-party security can't be ignored. With so many different companies providing IT management, IT help desk support, and cyber security to private and public sector organisations, like the NHS, attack surfaces have expanded. As a result, suppliers of all sizes must provide stronger assurances about their own security standards, so these new laws are a welcome first step."
"Ultimately, those companies that fail to meet required security levels or protect citizen data risk losing contracts. By conducting security initiatives such as red teaming and penetration testing, and developing robust processes around reporting, suppliers can be more proactive in safeguarding their own attack surfaces and, as a consequence, the security of their customers."
Access systems
The legislation also highlights the need for companies to review and update their approach to managing access to critical infrastructure. This includes addressing reliance on outdated credentials and improving audit processes.
Ev Kontsevoy, CEO at Teleport, views the Bill as a prompt to move away from legacy authentication systems in favour of more secure, identity-centric models.
"The Cyber Security and Resilience Bill is going to motivate companies to transform how they secure access to critical infrastructure. Compliance will mean navigating through accumulated audit toil, making sense of patchworks of VPNs, shared credentials, and SSH keys that never expire. The Bill is not just another box-ticking exercise, but a perfect opportunity to transition from identity and access architectures based on secrets and vaults to one that is identity-based, coupled with just-in-time access that removes audit toil, accelerates users and engineers, and defends against attacks that target secrets compromise."
"This approach eliminates the risk of credential misuse and ensures that access is authorised only when work is being performed. Companies that take this step will meet compliance and end up with stronger, leaner, and far more resilient security foundations that can additionally be readily extended to AI infrastructure."
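The access-management point above (long-lived SSH credentials versus time-bound, just-in-time access) can be turned into a concrete audit check. The following is an added example written for this page; it is not code from Veeam, TXP, Teleport or the Bill. It parses the text that OpenSSH's `ssh-keygen -L` prints for certificate files and flags certificates that never expire or whose validity window exceeds a policy maximum. The `MAX_VALIDITY` threshold and the `audit` function name are assumptions, and the sample `ssh-keygen -L` output is constructed for the example rather than captured from a real host.

```python
"""Flag SSH certificates that never expire or outlive a just-in-time access policy.

Added example. Input is the text `ssh-keygen -L <cert.pub>` prints; the sample
below is constructed, and the 8-hour policy maximum is a hypothetical choice.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical policy: an access certificate should not outlive a working day.
MAX_VALIDITY = timedelta(hours=8)

# Constructed sample of `ssh-keygen -L` output for three certificate files.
SAMPLE_OUTPUT = """\
/etc/ssh/alice-cert.pub:
        Type: ssh-ed25519-cert-v01@openssh.com user certificate
        Key ID: "alice"
        Serial: 12
        Valid: from 2024-03-04T09:00:00 to 2024-03-04T13:00:00
        Principals:
                alice
/etc/ssh/deploy-cert.pub:
        Type: ssh-ed25519-cert-v01@openssh.com user certificate
        Key ID: "deploy"
        Serial: 13
        Valid: forever
        Principals:
                deploy
/etc/ssh/bob-cert.pub:
        Type: ssh-ed25519-cert-v01@openssh.com user certificate
        Key ID: "bob"
        Serial: 14
        Valid: from 2024-01-01T00:00:00 to 2025-01-01T00:00:00
        Principals:
                bob
"""

_VALID_RE = re.compile(r"Valid: from (\S+) to (\S+)")


@dataclass
class Finding:
    path: str
    key_id: str
    validity: timedelta | None  # None when the certificate has no expiry at all
    reason: str


def parse_certificates(text: str) -> list[dict]:
    """Split `ssh-keygen -L` output into one record per certificate file.

    A record starts at an unindented line ending in ':' (the file path); the
    indented lines that follow belong to that record.
    """
    certs: list[dict] = []
    current: dict | None = None
    for line in text.splitlines():
        if line and not line[0].isspace() and line.endswith(":"):
            current = {"path": line[:-1], "key_id": "", "valid_from": None,
                       "valid_to": None, "forever": False}
            certs.append(current)
            continue
        if current is None:
            continue
        stripped = line.strip()
        if stripped.startswith("Key ID:"):
            current["key_id"] = stripped.split(":", 1)[1].strip().strip('"')
        elif stripped == "Valid: forever":
            current["forever"] = True
        else:
            match = _VALID_RE.match(stripped)
            if match:
                current["valid_from"] = datetime.fromisoformat(match.group(1))
                current["valid_to"] = datetime.fromisoformat(match.group(2))
    return certs


def audit(text: str, max_validity: timedelta = MAX_VALIDITY) -> list[Finding]:
    """Return a Finding for every certificate that violates the validity policy."""
    findings: list[Finding] = []
    for cert in parse_certificates(text):
        if cert["forever"]:
            findings.append(Finding(cert["path"], cert["key_id"], None,
                                    "no expiry: certificate is valid forever"))
        elif cert["valid_from"] is None:
            # 'Valid: before ...' / 'Valid: after ...' forms are open-ended on one
            # side; treat them as policy failures rather than silently passing.
            findings.append(Finding(cert["path"], cert["key_id"], None,
                                    "validity line missing or open-ended"))
        else:
            window = cert["valid_to"] - cert["valid_from"]
            if window > max_validity:
                findings.append(Finding(cert["path"], cert["key_id"], window,
                                        f"validity window {window} exceeds {max_validity}"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_OUTPUT):
        print(f"{finding.path} ({finding.key_id}): {finding.reason}")
```

In practice the input would be the concatenated output of `ssh-keygen -L` over every certificate found on a host or issued by the CA, and the same window check applies to whatever validity field a certificate-issuing access system records, since the defensive property being checked is simply that no credential is valid for longer than the work it was issued for.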