
There’s a new Bill on the horizon – and it’s one legal teams can’t afford to sleep on. Set to land in Parliament later this year, the UK’s Cyber Security and Resilience Bill is part of a wider push to toughen up national digital defences. Think stronger risk controls, stricter breach reporting, and sharper supply chain scrutiny.
It’s early days – the draft legislation hasn’t dropped yet – but the message from government is loud and clear: more accountability, broader scope, and zero tolerance for weak links. If you’re in-house, now’s the time to start laying the groundwork. Here’s how to get ahead.
Scope it out – even if the scope isn’t final yet
While the Bill will likely focus on providers of essential and digital services, the ripple effect will travel further – especially through supply chains. Start mapping where your business might be in scope or exposed by third parties. The sooner you get a handle on this, the smoother things will be when the requirements crystallise.
Give your supplier contracts a cyber-health check
Now’s a good time to review (and possibly renegotiate) your commercial contracts, particularly with critical vendors. Look out for:
- Incident reporting duties – are roles and timelines clearly defined?
- Liability and indemnity clauses – do they reflect a world of heightened cyber risk?
- Audit rights and cooperation – will you get the access and collaboration you need when it counts?
Test your breach response plan – for real
If a cyber incident hits tomorrow, are you ready? Work with IT, risk, and compliance to dust off (or draft) your incident response plan, define who does what when the alarm bells ring, and run a mock breach or “war game” – nothing sharpens process like a dry run.
Create a paper trail regulators will love
Demonstrating compliance is half the battle – and it starts with clear evidence. You’ll want to refresh internal cyber and data policies, roll out staff training on roles, risks, and responsibilities, and keep audit logs of your supplier due diligence and risk assessments. Show your working – and make it easy to find.
Get leadership on board early
Cyber resilience isn’t just a tech issue – it’s a board-level priority. Help your leadership team understand the legal and reputational risks the Bill brings, see the commercial upside of investing in resilience, and align on risk appetite and what “good” looks like for your business. This is your moment to position legal as a strategic enabler – not just a backstop.
Get ahead of the curve
The Cyber Security and Resilience Bill won’t just introduce new legal requirements – it will set a new bar for how businesses manage digital risk. In-house teams have a real opportunity to lead from the front. A few proactive steps now could save a lot of firefighting later.