New Guidance: The Cyber Security and Resilience Bill

TL;DR – In Summary

The Cyber Security and Resilience Bill, introduced to Parliament in November 2025, is expected to become UK law in 2026. It introduces mandatory incident reporting, stricter supplier oversight and proactive risk management requirements for schools. Schools will have to make an initial notification of a cyber incident (ransomware, breaches) within 24 hours of becoming aware of it, then provide a full report within 72 hours. The Bill emphasises preventive measures and robust detection, because an incident you cannot detect is one you cannot report on time.

Action needed:

Run a cyber health check, create or update your incident response plan, check your IT supplier’s security credentials, and work out who reports what, and to whom, when something goes wrong.

The Cyber Security and Resilience Bill isn’t on the radar of most schools yet, but it should be.

This legislation was introduced to Parliament on 12 November 2025 and scheduled for second reading on 6 January 2026. It represents the first major overhaul of UK cyber security legislation in nearly a decade and, when it becomes law (expected spring/summer 2026), schools will face new mandatory requirements that fundamentally change how they approach cyber security.

This won’t be another set of optional guidelines. These will be legal obligations, with regulatory oversight and the potential for enforcement action.

 

What the Bill Means…

The Cyber Security and Resilience Bill is an update to the existing Network and Information Systems Regulations 2018 (UK NIS), and according to the House of Commons Library briefing, the Bill:

  • extends direct regulation to organisations delivering essential services
  • expands mandatory incident reporting obligations
  • significantly enhances enforcement powers of regulators
  • introduces stricter oversight of IT service providers and suppliers

As the government’s policy statement explains, the legislation aims to “strengthen UK cyber defences, ensuring that the critical infrastructure and digital services which companies rely on are secure.”

 

Mandatory Incident Reporting

The Bill’s most immediate impact on schools will be mandatory incident reporting requirements.

Current situation: Schools report cyber incidents voluntarily, or only where a specific regime requires it (for example, a personal data breach must be notified to the ICO within 72 hours under UK GDPR).

New requirement: Schools must give the NCSC an initial notification within 24 hours of becoming aware of a significant incident, followed by a full report within 72 hours. This tightens the current position, under which organisations have up to 72 hours after becoming aware of an incident to report it at all. In practice the 24-hour clock means the person who first spots an incident needs to know, in advance, who to tell and how to reach them.

Reportable incidents include:

  • Ransomware attacks
  • Data breaches exposing sensitive information
  • Service outages caused by cyber attacks
  • Unauthorised access to systems or data
  • Significant malware infections
  • Supply chain compromises affecting school systems

 

“But we haven’t had an incident, so this doesn’t apply to us…”

Many schools believe they’re not at risk because they haven’t experienced a major cyber attack. That belief misreads both the threat level and their own detection capability. The government’s Cyber Security Breaches Survey found that 60% of secondary schools, 85% of further education colleges and 44% of primary schools identified a cyber attack or breach in the previous 12 months. The question is no longer “if” but “when” your school will face a cyber incident.

And how many incidents go undetected? Without proper monitoring and detection, schools simply don’t know their actual exposure: “no incidents” may only mean “no visibility”.

 

Requirement: Proactive Supplier Management

The Bill introduces significantly stricter requirements for IT service providers, managed service providers, and data centres that schools rely on, which means schools will have to:

  • audit their IT suppliers’ security credentials
  • renegotiate contracts, where necessary, to ensure regulatory compliance
  • request evidence of suppliers’ cybersecurity measures
  • manage supplier non-compliance risk

For schools: your managed IT service provider’s compliance will directly affect your regulatory standing.

 

Requirement: Proactive Risk Management 

The Bill emphasises pre-emptive measures over reactive responses. According to School Supply Store, “The bill emphasises pre-emptive measures, meaning schools must assess and address vulnerabilities in their digital infrastructure.” This means schools need:

Comprehensive Risk Assessments

Regular, documented assessments identifying:

  • Critical systems and data
  • Potential vulnerabilities
  • Impact analysis for different attack scenarios
  • Mitigation strategies for identified risks

Documented Cyber Security Policies

Clear, current policies covering:

  • Password requirements and multi-factor authentication
  • Access controls and user permissions
  • Device security standards
  • Acceptable use guidelines
  • Patch management procedures
  • Backup and recovery protocols

Incident Response Plans

Detailed, tested plans specifying:

  • Detection protocols and triggers
  • Initial response procedures
  • Escalation pathways
  • Communication strategies (internal and external)
  • Recovery procedures
  • Evidence preservation requirements
  • Regulatory notification procedures

 

Requirement: The “Tabletop Exercise” 

Having an incident response plan isn’t enough. Schools need evidence that the plan actually works.

Tabletop exercises (TTX) are group discussions designed to identify your potential responses to an unfolding cyber incident.

It’s like a fire drill for cyber threats, focusing on strategy and coordination between IT and leadership teams in a low-stress, non-technical environment, identifying gaps before real incidents occur.

The National Cyber Security Centre provides free resources specifically for this purpose through their “Exercise in a Box” programme. These guided scenarios help schools test response procedures without requiring technical security expertise.

According to the NCSC’s 2022 Audit data, 50% of schools don’t have an effective Cyber Response Plan. Where a plan does exist, it typically lacks:

  • clear procedures for accessing admin passwords and encryption keys during incidents
  • specific guidelines for system restoration
  • documentation of who to notify (including cyber insurance providers)
  • communication templates for parents, staff, and regulators

 

Does this align with the DfE Standards?

The Department for Education has been proactive in supporting schools ahead of the Bill’s implementation.

The DfE has updated its cyber security standards and requires schools to meet six core digital standards by 2030, giving schools a clear timeline and guidance that also help them meet the requirements of the Bill.

The DfE’s Cyber Security Standards already align closely with the Bill’s objectives, covering:

  • Governance and senior leadership accountability
  • Risk assessment and management
  • Staff awareness and training
  • Technical security controls
  • Incident response and recovery

This means that schools already working towards DfE Cyber Security Standards are building the foundation needed for Bill compliance.

 

What 50% of Schools Are Missing

The NCSC’s 2022 Audit revealed that 50% of schools lack an effective Cyber Response Plan. And through our own delivery of cyber security audits in schools, we’ve found that even where plans exist, common gaps include:

 

➡️ Missing Element 1: Admin Access During Incidents

Plans often don’t document how to access admin passwords, encryption keys or critical system credentials when primary IT staff are unavailable, or when the systems that normally hold those credentials (a password manager, a domain controller) are themselves compromised or offline.

➡️ Missing Element 2: Recovery Procedures

Generic statements like “restore from backup” aren’t sufficient. Effective plans specify:

  • Which backups to use and in what order
  • Step-by-step restoration procedures
  • Testing requirements before going live
  • Fallback procedures if primary restoration fails

➡️ Missing Element 3: Communication Protocols

Who communicates what to whom, when, and through which channels? Plans need:

  • Internal notification processes
  • Parent communication templates
  • Staff guidance scripts
  • Regulator notification procedures
  • Media handling protocols

➡️ Missing Element 4: External Contact Information

Plans must include immediately accessible contact details for:

  • IT support providers (with out-of-hours contacts)
  • Cyber insurance providers
  • Regulatory bodies (DfE, ICO, NCSC)
  • Legal advisors
  • Communications support

These details must be accessible even if school systems are completely offline, meaning printed copies in secure but accessible locations.

 

School Leadership Responsibility

We already know that cyber security is everyone’s responsibility, and under the Bill’s framework, it is made clear that cyber security governance sits with senior leadership and governors, not just technical staff. This means:

Governing Body Requirements:

  • Understanding cyber risks at governance level
  • Regular cyber security reporting in board meetings
  • Oversight of incident response planning
  • Budget allocation for security measures
  • Accountability for compliance

Senior Leadership Team Requirements:

  • Designated senior leader responsible for cyber security
  • Regular assessments of the school’s security posture
  • Integration of cyber considerations into strategic planning
  • Liaison with IT providers on security matters
  • Authority to activate incident response procedures

Designating a senior leadership team member to oversee incident reporting, with the authority to escalate swiftly to the relevant authorities, is the practical way to meet the Bill’s reporting deadlines: a 24-hour notification window is missed easily if nobody knows who makes the call.

 

“How do we afford this?”

Of course, the Bill’s requirements have cost implications and school budgets are already under considerable strain. However, the cost of a serious incident, or of non-compliance, is likely to be significantly higher.

It doesn’t have to be done all at once.

Start with the basics. Prioritise your compliance plan by your highest areas of risk and make your way through the list, for example:

  • Staff training and awareness because human error is your biggest risk
  • A comprehensive cyber security audit, so that you know exactly what’s in place, and what needs improvement
  • Implementing solutions that will deliver proactive monitoring and vulnerability detection
  • Setting up your 3-2-1 backup procedure (three copies of your data, on two different types of media, with one copy kept off-site or offline), and testing that you can actually restore from it
  • Reviewing suppliers and contracts

Don’t wait for the inevitable to happen: prevention is better than cure.

 

Your 2025/26 Planning Window

The Bill was introduced in November 2025, was scheduled for second reading in January 2026, and is expected to pass into law by spring/summer 2026.

This gives schools a narrow window to prepare before requirements become mandatory.

➡️ Immediate Actions (January – March 2026):

  • Conduct baseline cyber security health check
  • Audit existing incident response capabilities
  • Review IT supplier contracts and security credentials
  • Identify and fill critical gaps in detection and monitoring

➡️ Short-term Actions (April – August 2026):

  • Develop or significantly update incident response plans
  • Conduct tabletop exercises
  • Establish senior leadership reporting structures
  • Train designated response personnel
  • Document all procedures and contacts

➡️ Ongoing Requirements (From September 2026):

  • Regular vulnerability assessments
  • Quarterly supplier security reviews
  • Annual incident response plan testing
  • Continuous monitoring and detection
  • Regular governance reporting

 

How Dataspire Can Help…

We help schools prepare for Cyber Security and Resilience Bill requirements through:

Comprehensive Cyber Health Checks: Independent assessments identifying current security posture, gaps against Bill requirements, and prioritised action plans.

Incident Response Plan Development: Practical, tested plans specific to education environments, including the elements that are most commonly found missing.

Ongoing Compliance Support: Regular assessments, monitoring, and governance reporting that demonstrate continuous compliance.

More importantly, we understand education. School cyber security needs differ significantly from corporate requirements, and we design practical solutions that fit your budget, your staffing, and how schools actually operate.

 

The Strategic Advantage

Schools that prepare now for the Cyber Security and Resilience Bill aren’t just avoiding future compliance problems. They’re building genuinely more secure environments that protect learning, safeguard data, and demonstrate professional governance.

When the Bill becomes law and requirements are mandatory, you’ll already be compliant. While other schools scramble to meet basic requirements, you’ll be focused on education, which is exactly where your attention should be.

 


Not sure where your cyber security actually stands?

Contact us using the form below and we’ll audit your current security, show you the gaps, and give you a practical roadmap with realistic costs. No obligations, just clarity on where you stand.
