Beyond the 4% Fine: Why the UK’s New Cyber Bill Is a Mandate for Action, Not Just Compliance

By Insight UK / 26 Nov 2025 / Topics: Cybersecurity

As an EMEA CISO based in the UK, I’ve had my head buried in the new Cyber Security and Resilience Bill since it was tabled. And my primary takeaway is this: if your first question is “what’s the new fine?”, you’re asking the wrong question.

Yes, the shift to GDPR-style turnover-based penalties is a headline-grabber, with serious failures expected to attract fines of up to 4 percent of global turnover and an overall legal cap that can go higher. It gives security leaders a powerful new financial lever for justifying investment. But the real, substantive change isn’t in the punishment; it’s in the scope and speed the Bill demands.

This legislation redraws the UK’s cyber-regulatory map. The 2018 NIS Regulations focused on Operators of Essential Services, with only a narrow band of digital services in scope. The government is now looking directly at their suppliers. Medium and large Managed Service Providers and data centres become directly regulated entities. More significantly, regulators gain a new power to designate critical suppliers across the ecosystem.

For fellow CISOs, this makes our world both simpler and more complex. Simpler, because our critical IT suppliers will finally be held to the same standards we are. More complex, because we now need far greater visibility into our own supply chains to understand which partners may be brought into the regulatory net.

The Bill’s most immediate operational shock is the new incident response doctrine. A 24-hour initial notification followed by a 72-hour full report demands a near-frictionless detect-to-report pipeline. Add to that the new duty for data centres and relevant managed or digital service providers to notify customers who may have been affected, and incident response becomes a whole-business exercise, not a security-only drill. Within 24 hours of detecting a major incident, you’ll need Legal, Comms and your Account Teams in the room if you want to meet these obligations without creating new problems for yourself.

So, how do we prepare?

The question I’m already hearing is: “Will our ISO 27001 certification be enough?”

The answer is no. But it is the essential start.

ISO 27001 is the “how”. It gives you the ISMS machinery: risk registers, controls, audits and continual improvement. It proves you have a process for managing security. We’ll continue to build our GRC programmes on that foundation.

But regulators will not be auditing your ISO certificate. They will be assessing you against NIS obligations, almost certainly using the NCSC’s Cyber Assessment Framework as their yardstick. CAF is the “what”: four objectives, fourteen principles and thirty-nine contributing outcomes that define what good looks like for UK critical services. ISO 27001 gives you wide latitude on risk appetite; CAF narrows that latitude by stating specific outcomes regulators expect to see in place. And ISO does not prescribe a 24-hour reporting cycle; the Bill does.

The Bill’s new code of practice is very likely to be the mechanism that places the CAF, or something extremely close to it, on a binding footing.

My advice is simple: start now. Put your ISO 27001 certificate on the wall but put the NCSC CAF on your desk. Your new compliance journey begins today.

Rob O'Connor

Technology Lead & CISO, Insight EMEA