The Cyber Security and Resilience Bill: What Law Firms Need to Consider

The Cyber Security and Resilience Bill, introduced to Parliament in late 2025, is expected to progress through 2026. While the timetable for implementation remains uncertain, firms should anticipate a phased rollout, with detailed requirements emerging through secondary legislation and regulatory guidance.

In practice, this is unlikely to come with long lead-in periods. Given the current threat landscape and political focus on national resilience, regulators are expected to move quickly from finalised requirements to enforcement.

For law firms, however, the real pressure is not timing. It is client expectation. Many regulated clients are already aligning their supplier requirements to the anticipated direction of the Bill.

Waiting for the legislation to be finalised is likely to leave some firms exposed. Preparation should be treated as an immediate priority, not a future compliance exercise.

You may be “in scope” even if not named

The regime does not cover every UK organisation. It is concerned mainly with services so essential that their disruption would affect daily life. The original Network and Information Systems (NIS) Regulations 2018 brought into scope services such as the NHS, the transport system and the energy network.

Since then, cyber criminals have been exploiting new routes in: managed service providers, data centres and critical parts of supply chains. The Bill brings more of the core services relied on across the economy into scope, with the aim of making UK businesses and public services more secure and resilient.

The Bill expands beyond traditional operators of essential services to include digital service providers and critical suppliers.

  • Data centres. From client records to emails and financial systems, data centres underpin nearly all economic activity and public services. They will be classed as essential services. Medium and large data centres, and enterprise data centres that meet the thresholds, will be required to have appropriate and proportionate measures in place to manage risk. Ofcom will serve as the operational regulator.
  • Managed service providers. Many firms now outsource their IT to managed service providers, who may run IT helpdesks and cyber security services. They have unprecedented access to their customers’ systems, which makes them an attractive target that cyber actors increasingly exploit. Medium and large managed service providers will be brought into scope and expected to adhere to robust cyber security practices. The Information Commission will be the regulator.
  • Large load controllers. Load controllers are organisations that manage electrical load for smart appliances, for example to support electric vehicle charging during peak times.
  • Designated critical suppliers. In June 2024, a supplier of pathology services to the NHS (Synnovis) was the victim of a cyber-attack that caused over 11,000 postponed appointments and procedures and, tragically, contributed to the death of a patient.

A single supplier’s cyber vulnerability can severely affect vital public services, and is now increasingly exploited by those who intend to do harm. Much like the critical third parties regime in financial services, the Bill will allow regulators to designate critical suppliers, so that the most important suppliers to essential and digital services are brought within the regulatory regime.

The legal sector has already seen how this risk manifests in practice. The cyber incident in late 2023 affecting CTS, a widely used managed service provider in the conveyancing sector, disrupted multiple law firms simultaneously, cutting off access to case management systems and delaying property transactions. Crucially, the individual firms were not themselves compromised. Their exposure arose from operational dependency on a single supplier. This is precisely the type of systemic risk the Bill is designed to address.

Although most law firms will not be directly regulated, some may fall within scope indirectly through their role in client supply chains.

Even where the legislation does not apply directly, firms are increasingly treated as critical third parties. This may translate into more rigorous cyber due diligence, audits, and contractual obligations.

Incident response is no longer just an IT issue

The Bill’s emphasis on rapid incident reporting (an initial notification within 24 hours and a fuller report within 72 hours is the proposed model) will cascade through supply chains: a regulated supplier that must report quickly will need its customers, including law firms, to notify it quickly in turn.

For many firms, the most significant cyber risk does not sit in-house. It sits with their managed service provider (MSP).

MSPs often hold privileged access to a firm’s systems and data. Although an MSP may itself fall within regulatory scope under the Bill, that does not reduce the law firm’s own accountability: regulators and clients will continue to view the firm as responsible for its data and its service to clients.

The CTS incident is relevant here. Many affected firms were not dealing with a breach of their own systems, but still faced client pressure, operational disruption, and difficult decisions around communication and escalation. This highlights a key reality: incident response obligations do not depend on where the breach originates, but on the firm’s ability to respond effectively.

Incident response can no longer sit solely within IT. It must be a coordinated function across technology, legal, risk, and senior leadership.

Firms should consider the following steps:

  • Treat MSPs as critical risk partners, not operational vendors
  • Strengthen contractual protections, including incident obligations and audit rights
  • Understand, not assume, how controls operate in practice
  • Align incident response processes and escalation pathways
  • Include MSPs in testing and tabletop exercises
  • Plan for scenarios where the MSP itself is compromised.

The key point is simple. You can outsource IT, but not accountability. Firms will need clear, agreed answers to:

  • What constitutes a reportable incident, both under the firm’s contracts and under any regulatory or client notification duty?
  • Who decides whether to notify clients or regulators, and on what timescale?
  • How is legal privilege preserved during investigations, including when the MSP’s own investigators are involved?

Cyber risk, then, cannot be left to IT alone. Firms should expect regulators and clients to view it as a board-level responsibility, requiring:

  • Clear accountability at senior level
  • Integration into enterprise risk management
  • Oversight of incident preparedness and response.

In practice, firms will be judged not only on whether controls exist, but whether leadership can demonstrate informed oversight when incidents occur.

Final thought

The Cyber Security and Resilience Bill signals a shift that law firms cannot afford to treat lightly.

Even where the legislation does not apply directly, its impact will be felt through:

  • Client expectations
  • Contractual obligations
  • Supply chain pressure
  • Regulatory scrutiny.

The key question is no longer ‘Are we compliant?’ but ‘Can we respond quickly, decisively, and in a way that protects our clients, our reputation, and our business?’

Find out more about our legal sector risk and compliance services.

Contact our team on 020 3051 2049.
