Business Toolkit: Resilience in Practice: Strengthening Your Business Before a Disruption

March 3, 2026 | 9:00 AM UK Time | Past event

UK businesses face escalating cyber threats and impending stricter regulations under the Cyber Security and Resilience Bill, with significant incidents costing millions and risking widespread disruption in 2026.

Key takeaways

  • A surge in nationally significant cyber attacks—204 in the year to August 2025, up sharply from prior years—has prompted the UK government to introduce the Cyber Security and Resilience Bill in November 2025, expanding oversight to supply chains and digital services.
  • Major breaches in 2025, including attacks on retailers like Marks & Spencer and the Co-op, plus automotive giant Jaguar Land Rover, caused hundreds of millions in direct losses and an estimated £1.9 billion hit to the UK economy through supply-chain ripple effects.
  • The Bill's focus on critical suppliers and faster incident reporting creates compliance pressures for interconnected businesses, where inaction risks fines, lost contracts, and operational halts amid rising threats from ransomware and state actors.

Rising Cyber Pressures on UK Firms

The UK is confronting a markedly more hostile cyber environment as 2026 begins. The National Cyber Security Centre handled 204 nationally significant incidents in the 12 months to August 2025, more than double the number in previous periods, reflecting intensified activity by criminals and state-backed groups targeting businesses and infrastructure.

High-profile attacks in 2025 underscored the stakes. Retailers Marks & Spencer and the Co-op suffered ransomware disruptions that halted online services and store operations for weeks, erasing hundreds of millions in profits. Jaguar Land Rover's breach alone inflicted production halts, supplier cash-flow crises, and an estimated £1.9 billion economic dent. These incidents highlight how vulnerabilities in one organisation cascade through supply chains, amplifying damage far beyond the initial target.

Against this backdrop, the Cyber Security and Resilience Bill—introduced to Parliament in November 2025 and advancing through stages in early 2026—seeks to overhaul the 2018 Network and Information Systems framework. It broadens scope to include managed service providers, data centres, and 'critical suppliers' whose compromise could trigger major economic or societal disruption. Regulated entities face tighter requirements: incident notifications within 24 hours, enhanced supply-chain risk assessments, and steeper penalties.

The tension lies in the indirect burden on smaller firms. While the Bill targets essential services and large operators, SMEs often serve as suppliers and may need to prove baseline security—like Cyber Essentials—to retain contracts. Many lack formal strategies or supplier standards, leaving gaps that attackers exploit. Government campaigns and the NCSC's supply-chain playbook push adoption, but uptake remains uneven, particularly among smaller entities.

Broader disruptions compound the urgency: severe weather, staff shortages, and geopolitical strains add layers to resilience planning. Yet cyber remains the fastest-evolving risk, with half of small businesses reporting breaches in recent surveys and average significant incident costs hitting £195,000.
