Quick Answer
This guide is for security, technology, and compliance leaders at UK organizations operating essential services or digital infrastructure.
The Cyber Security and Resilience Bill is upcoming UK legislation that will significantly expand cybersecurity requirements beyond the current NIS Regulations 2018. It brings Managed Service Providers, Data Centres, and Critical Suppliers into scope, introduces stricter incident reporting timelines, and empowers regulators with stronger enforcement powers.
Why certificates matter: The Bill requires demonstrable security controls for critical systems. Certificate lifecycle management—ensuring encryption, authentication, and secure communications across your infrastructure—directly supports compliance with the Bill's security requirements.
💡 Key Takeaway: Organizations should prepare now. The Bill is expected to receive Royal Assent by mid-2026. Early preparation for certificate inventory, monitoring, and automation will ease compliance when requirements take effect.
Start with our PKI Maturity Assessment to understand your current posture.
What is the UK CSR Bill?
The Cyber Security and Resilience Bill is a UK Government legislative proposal designed to strengthen the UK's cyber defences and protect critical national infrastructure. It updates and expands the Network and Information Systems (NIS) Regulations 2018, aligning the UK with the EU's NIS2 Directive while maintaining an independent regulatory approach post-Brexit.
Current Status
Introduced to the House of Lords on November 12, 2025. Second Reading held January 6, 2026. Currently proceeding through Parliamentary stages.
Expected Timeline
Royal Assent expected mid-2026. Secondary legislation and detailed regulations will follow, with compliance requirements phasing in through late 2026.
Relationship to Existing Frameworks
| Framework | Relationship to CSR Bill |
|---|---|
| UK NIS Regulations 2018 | Current UK framework. CSR Bill will replace and significantly expand these regulations. |
| EU NIS2 Directive | UK-equivalent approach. CSR Bill aligns with NIS2 concepts but maintains UK-specific implementation. |
| NCSC Cyber Assessment Framework | Expected to remain the core assessment methodology for compliance demonstration. |
Scope & Coverage
The CSR Bill significantly expands the scope of UK cyber security regulation. Most notably, it brings Managed Service Providers (MSPs), Data Centres, and designated Critical Suppliers into regulatory scope for the first time.
| Sector | Current NIS 2018 | Under CSR Bill |
|---|---|---|
| Energy | Electricity, Oil, Gas | Expanded scope + hydrogen |
| Transport | Air, Rail, Water, Road | Full coverage retained |
| Health | NHS Trusts | Broader NHS + private providers |
| Water | Drinking water, Wastewater | Full coverage retained |
| Digital Infrastructure | DNS, IXPs, TLD registries | Expanded definitions |
| Managed Service Providers | Not covered | NEW: IT MSPs in scope |
| Data Centres | Not covered | NEW: Critical data centres |
| Critical Suppliers | Not covered | NEW: Designated suppliers |
MSPs: Major New Requirement
Managed Service Providers have been explicitly called out in the Bill. If your organization provides IT services (including certificate management, security services, or infrastructure management) to entities in scope, you may now have direct regulatory obligations. MSPs must demonstrate security controls equivalent to those expected of their clients.
Regulatory exposure: Unlike purely contractual obligations, MSPs may face direct engagement and audits from the regulator—not just scrutiny via their client relationships. Plan for independent compliance evidence rather than relying solely on customer-facing attestations.
Security Requirements Relevant to Certificates
The CSR Bill requires organizations to implement "appropriate and proportionate" security measures. While specific technical requirements will be detailed in secondary legislation, alignment with the NCSC Cyber Assessment Framework (CAF) is expected to remain the primary compliance pathway. Note that algorithm/key-length baselines and detailed CAF outcome mappings may be refined in secondary legislation—the guidance below represents a best-guess alignment based on current CAF practice and ministerial statements.
NCSC CAF Alignment: Certificate-Relevant Objectives
| CAF Objective | Description | Certificate/PKI Relevance |
|---|---|---|
| B3: Data Security | Protect data at rest and in transit | TLS certificates, encryption key management, certificate-based access control |
| B4: System Security | Protect network and systems from cyber attack | Certificate-based authentication, mTLS, code signing certificates |
| A2: Risk Management | Identify, assess, and manage security risks | Certificate inventory, expiry monitoring, CA trust management |
| A3: Asset Management | Know and manage all assets | Complete certificate discovery, ownership tracking, lifecycle documentation |
| C1: Detection | Detect security events | CT log monitoring, anomaly detection, unauthorized certificate alerts |
| D1: Response & Recovery | Respond to and recover from incidents | Emergency certificate replacement, revocation procedures, CA compromise response |
Cyber Essentials Alignment
While Cyber Essentials is not explicitly mandated by the CSR Bill, regulators may reference it as a baseline expectation for smaller organizations. Certificate management supports several Cyber Essentials requirements:
- Secure Configuration: Proper TLS/SSL certificate deployment
- Access Control: Certificate-based authentication (client certs, mTLS)
- Patch Management: Timely certificate renewal (treating expiry as a "patch")
Incident Reporting Requirements
The CSR Bill introduces stricter incident reporting timelines, aligning with EU NIS2 requirements. Certificate-related incidents may trigger reporting obligations depending on their impact.
Reporting Timeline
| Timeline | Requirement | Details |
|---|---|---|
| 24 Hours | Initial notification (early warning) | Notify competent authority of significant incident. Preliminary assessment of impact. |
| 72 Hours | Incident notification | Detailed report with severity assessment, affected systems, initial root cause analysis. |
| 1 Month | Final report | Complete root cause analysis, remediation actions, lessons learned. |
Certificate-Related Reportable Incidents
Likely Reportable
- Private key compromise affecting critical systems
- Unauthorized certificate issuance in your domain
- Certificate expiry causing service outage (>4 hours)
- CA compromise affecting your certificates
Context-Dependent
- Certificate expiry causing brief service degradation
- Weak algorithm certificate discovered (SHA-1, etc.)
- Internal CA security events
- Failed certificate validation during authentication
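The "unauthorized certificate issuance in your domain" case above is the one that Certificate Transparency monitoring exists to catch. The following is an added example (not FixMyCert code) of the detection rule a monitor would apply: it scans constructed CT log entries, ignores names outside the domains the organisation owns, alerts when an owned name was issued by a CA that is not on the approved list, and flags wildcard issuance from an approved CA for confirmation. The owned domains, approved issuer names, and log entries are all constructed assumptions.

```python
"""Unauthorized-issuance detection over constructed CT log entries.
Added example, not FixMyCert code. OWNED_DOMAINS, APPROVED_ISSUERS and
SAMPLE_ENTRIES are constructed stand-ins for what a CT monitor returns."""
from __future__ import annotations
from dataclasses import dataclass

OWNED_DOMAINS = {"example.org", "example.co.uk"}          # constructed
APPROVED_ISSUERS = {                                       # constructed
    "C=GB, O=Example Corporate CA, CN=Example Issuing CA 1",
    "C=US, O=Let's Encrypt, CN=R11",
}


@dataclass(frozen=True)
class CTEntry:
    log_index: int
    issuer: str                 # issuer DN as logged
    names: tuple[str, ...]      # CN plus subjectAltNames
    not_before: str             # ISO date, constructed


@dataclass(frozen=True)
class Finding:
    log_index: int
    severity: str               # "alert" or "info"
    reason: str
    names: tuple[str, ...]


def owned_domain_for(name: str, owned: set[str] = OWNED_DOMAINS) -> str | None:
    """Return the owned domain `name` falls under, or None.
    A wildcard label is stripped first; suffix matching is done on a label
    boundary so 'example.org.evil.test' does NOT match 'example.org'."""
    host = name.lower()
    if host.startswith("*."):
        host = host[2:]
    for dom in owned:
        if host == dom or host.endswith("." + dom):
            return dom
    return None


def check_entries(entries: tuple[CTEntry, ...],
                  approved: set[str] = APPROVED_ISSUERS) -> list[Finding]:
    """Apply the detection rule to each CT entry and collect findings."""
    findings: list[Finding] = []
    for e in entries:
        ours = tuple(n for n in e.names if owned_domain_for(n))
        if not ours:
            continue                      # someone else's namespace: ignore
        if e.issuer not in approved:
            findings.append(Finding(
                e.log_index, "alert",
                f"owned names issued by unapproved CA: {e.issuer}", ours))
        elif any(n.startswith("*.") for n in ours):
            findings.append(Finding(
                e.log_index, "info",
                "wildcard issued by approved CA; confirm it was requested", ours))
    return findings


SAMPLE_ENTRIES = (                                         # constructed
    CTEntry(1001, "C=GB, O=Example Corporate CA, CN=Example Issuing CA 1",
            ("www.example.org",), "2026-01-10"),
    CTEntry(1002, "C=XX, O=Unknown CA Ltd, CN=Unknown CA",
            ("login.example.co.uk", "example.co.uk"), "2026-01-11"),
    CTEntry(1003, "C=US, O=Let's Encrypt, CN=R11",
            ("*.api.example.org",), "2026-01-12"),
    CTEntry(1004, "C=XX, O=Unknown CA Ltd, CN=Unknown CA",
            ("example.org.evil.test",), "2026-01-12"),    # not our domain
)


def alerts(entries: tuple[CTEntry, ...] = SAMPLE_ENTRIES) -> list[Finding]:
    """Only the findings that should page the on-call team."""
    return [f for f in check_entries(entries) if f.severity == "alert"]


if __name__ == "__main__":
    for f in check_entries(SAMPLE_ENTRIES):
        print(f.severity.upper(), f.log_index, f.reason, f.names)
```

An "alert" finding is the trigger for the reporting timeline described on this page: it is the moment the 24-hour early-warning clock would start, so the monitor's output should feed the incident process directly rather than a weekly review.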
Penalties & Enforcement
The CSR Bill grants regulators significantly enhanced enforcement powers compared to the current NIS Regulations. Penalties are designed to be "effective, proportionate, and dissuasive."
| Penalty Tier | Amount | Applicable To | Notes |
|---|---|---|---|
| Maximum Fine (Severe) | £17M or 4% global turnover | Major breaches, willful non-compliance | Whichever is higher |
| Standard Fine | £10M or 2% global turnover | Significant security failures | Proportionate to harm |
| Daily Penalty | £100,000/day | Continuing non-compliance | After enforcement notice |
| Cost Recovery | Actual costs | Regulatory investigations | Recoverable from entity |
Director Liability
The Bill introduces provisions for personal liability of directors and senior officers in cases of willful neglect or consent to non-compliance. This elevates cybersecurity—including certificate management—to a board-level governance issue.
Board-level metrics: Directors should expect periodic briefings on certificate posture, such as percentage of critical services with monitored certificates, mean-time-to-renew, and number of expired or weak-algorithm certificates outstanding.
CSR Bill → CLM Controls Mapping
This table maps expected CSR Bill requirements to specific certificate lifecycle management (CLM) controls and capabilities.
| CSR Bill Requirement | CLM Control/Capability | Resource |
|---|---|---|
| Asset identification & management | Certificate discovery & inventory | Certificate Discovery Guide |
| Risk identification & assessment | Expiry monitoring, weak key/algorithm detection | Failure Scenarios Demo |
| Security of network and systems | TLS configuration, certificate-based auth | mTLS Guide |
| Supply chain security | CA vendor management, multi-CA strategy | CA Hierarchy Guide |
| Incident detection | CT log monitoring, anomaly alerting | Certificate Transparency Guide |
| Incident response & recovery | Emergency replacement, revocation procedures | Emergency Replacement Runbook |
| Business continuity | Automated renewal, failover testing | Certificate Lifecycle Guide |
| Encryption & cryptography | Modern algorithms, key strength requirements | RSA vs ECC Guide |
| Third-party risk management | CA contracts, CLM vendor assessment | CLM Vendor Guide |
Implementation Checklist
Prepare for CSR Bill compliance with this phased approach to certificate management readiness.
Immediate Actions (Now)
- Complete certificate discovery across all environments (network scan + CT log search)
- Establish certificate inventory with ownership and business context
- Implement expiry monitoring and alerting (warnings at 90, 60, 30, and 7 days before expiry)
- Identify and remediate any SHA-1 or weak key certificates
- Document current CA relationships and certificate sources
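The immediate actions above (inventory with ownership, tiered expiry alerting, weak-algorithm detection) and the board-level metrics mentioned under Director Liability (percentage of critical services monitored, mean-time-to-renew, expired and weak-algorithm counts) can all be computed from one inventory. The following is an added example, not FixMyCert code: it runs those checks over a constructed inventory as of a fixed date. The inventory records, the date, and the weak-crypto thresholds (SHA-1/MD5 signatures, RSA below 2048 bits, EC below 256 bits) are assumptions; the 90/60/30/7-day tiers are the ones on this page.

```python
"""Expiry tiers, weak-crypto detection and board metrics over a constructed
certificate inventory. Added example, not FixMyCert code. The records,
TODAY and the weak-crypto thresholds are assumptions, not Bill text."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
from statistics import mean

WARNING_DAYS = (90, 60, 30, 7)                        # tiers from this page
WEAK_SIG_ALGS = {"sha1WithRSAEncryption", "md5WithRSAEncryption"}
MIN_RSA_BITS, MIN_EC_BITS = 2048, 256                 # assumed baseline


@dataclass(frozen=True)
class CertRecord:
    service: str
    owner: str                   # business owner from the inventory
    critical: bool               # supports an essential service
    monitored: bool              # expiry alerting in place
    not_after: date
    sig_alg: str
    key_type: str                # "RSA" or "EC"
    key_bits: int
    renew_days: tuple[int, ...]  # past renewals, days from alert to replacement


def expiry_tier(rec: CertRecord, today: date) -> tuple[str, int]:
    """Classify a certificate: EXPIRED, the tightest warning tier it has
    crossed (7 before 30 before 60 before 90), or ok."""
    days_left = (rec.not_after - today).days
    if days_left < 0:
        return "EXPIRED", days_left
    for threshold in sorted(WARNING_DAYS):            # 7, 30, 60, 90
        if days_left <= threshold:
            return f"{threshold}-day warning", days_left
    return "ok", days_left


def weak_crypto_reasons(rec: CertRecord) -> list[str]:
    """Reasons a certificate fails the assumed algorithm/key-size baseline."""
    reasons = []
    if rec.sig_alg in WEAK_SIG_ALGS:
        reasons.append(f"weak signature algorithm {rec.sig_alg}")
    if rec.key_type == "RSA" and rec.key_bits < MIN_RSA_BITS:
        reasons.append(f"RSA {rec.key_bits} bits below {MIN_RSA_BITS}")
    if rec.key_type == "EC" and rec.key_bits < MIN_EC_BITS:
        reasons.append(f"EC {rec.key_bits} bits below {MIN_EC_BITS}")
    return reasons


def expiry_alerts(inventory: tuple[CertRecord, ...], today: date) -> list[tuple[str, str, int]]:
    """(service, tier, days_left) for every certificate that is not 'ok'."""
    out = []
    for rec in inventory:
        tier, days_left = expiry_tier(rec, today)
        if tier != "ok":
            out.append((rec.service, tier, days_left))
    return out


def board_metrics(inventory: tuple[CertRecord, ...], today: date) -> dict:
    """The posture figures a board briefing would carry."""
    critical = [r for r in inventory if r.critical]
    monitored_pct = (100.0 * sum(r.monitored for r in critical) / len(critical)
                     if critical else 0.0)
    renew_samples = [d for r in inventory for d in r.renew_days]
    return {
        "critical_monitored_pct": round(monitored_pct, 1),
        "expired": [r.service for r in inventory
                    if expiry_tier(r, today)[0] == "EXPIRED"],
        "weak_algorithm": [r.service for r in inventory if weak_crypto_reasons(r)],
        "mean_time_to_renew_days": mean(renew_samples) if renew_samples else None,
    }


TODAY = date(2026, 3, 1)                              # constructed "now"
INVENTORY = (                                         # constructed records
    CertRecord("payments-api", "payments-team", True, True, date(2026, 3, 5),
               "sha256WithRSAEncryption", "RSA", 2048, (2, 3)),
    CertRecord("legacy-scada-gw", "ot-team", True, False, date(2026, 2, 20),
               "sha1WithRSAEncryption", "RSA", 1024, ()),
    CertRecord("intranet-portal", "it-ops", False, True, date(2026, 4, 15),
               "sha256WithRSAEncryption", "RSA", 3072, (5,)),
    CertRecord("public-www", "web-team", True, True, date(2026, 9, 1),
               "ecdsa-with-SHA256", "EC", 256, (1,)),
)

if __name__ == "__main__":
    for service, tier, days_left in expiry_alerts(INVENTORY, TODAY):
        print(f"{service:18} {tier:16} {days_left:+d} days")
    for rec in INVENTORY:
        for reason in weak_crypto_reasons(rec):
            print(f"{rec.service:18} WEAK {reason} (owner: {rec.owner})")
    print(board_metrics(INVENTORY, TODAY))
```

The expired SHA-1 certificate on an unmonitored critical system is the record that matters most here: it appears in three of the four board figures at once, which is exactly the kind of finding the inventory step is meant to surface before a regulator does.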
Pre-Legislation (H1 2026)
- Map certificate estate to NCSC CAF objectives
- Develop certificate-specific incident response procedures
- Implement automated certificate renewal where possible
- Conduct tabletop exercises for certificate compromise scenarios
- Evaluate CLM tooling requirements and vendor options
- Brief board/senior leadership on certificate governance
Post-Royal Assent (H2 2026)
- Align policies and procedures with final regulatory text
- Implement formal certificate governance program
- Conduct gap assessment against CSR Bill requirements
- Establish reporting procedures to competent authority
- Document compliance evidence and audit trail
- Plan for crypto-agility and post-quantum readiness
Ready to Assess Your Certificate Posture?
Use our PKI Maturity Assessment to understand your organization's readiness for CSR Bill compliance. It evaluates your certificate discovery, monitoring, automation, and governance capabilities.
