Cyber Security and Resilience Bill: What Public Sector Suppliers Should Watch

Written by Andy Boardman

Jun 29, 2026

The Cyber Security and Resilience Bill is still progressing through Parliament, but public sector suppliers should already be paying attention. The Bill is designed to strengthen the UK’s cyber defences by reforming the existing Network and Information Systems Regulations 2018, with a stronger focus on essential services, digital infrastructure and the suppliers they rely on.

For many organisations, the practical impact may not be direct regulation straight away. The bigger and more immediate change is likely to be buyer behaviour. Public sector bodies are already paying closer attention to cyber risk, business continuity and supply chain resilience. As the Bill moves forward, suppliers should expect those questions to become more detailed, more consistent and more important in procurement.

Cyber security is increasingly being treated as a supply chain issue. That matters for any supplier bidding into public services, especially where their work supports health, energy, water, transport, digital systems, managed services, data processing or critical infrastructure.

Cyber Is Now a Supply Chain Issue

Public sector cyber risk does not sit neatly inside an IT department. A weakness in one supplier’s systems can affect service delivery across a wider contract, framework or public body. That is why cyber resilience is now being discussed alongside operational continuity, national security, data protection and supplier assurance.

This is particularly important in public procurement because buyers are not only assessing whether a product or service works. They are assessing whether the supplier can deliver safely, reliably and securely over the life of the contract.

That affects a wide range of suppliers. A managed service provider may be directly responsible for networks or systems. A software supplier may handle sensitive data or integrate with public sector platforms. A facilities management provider may depend on connected systems, building management technology or subcontracted digital services. A consultancy, training provider or professional services firm may still hold confidential information, access shared systems or support service-critical activity.

The level of scrutiny will vary by contract. However, suppliers should assume that cyber assurance is becoming a more regular part of public sector tendering, especially where contracts involve essential services or sensitive data.

What the Bill Proposes

The Cyber Security and Resilience Bill has now reached the House of Lords, but it is not yet law. It is intended to update the UK’s cyber security framework by reforming the Network and Information Systems Regulations 2018. These regulations already apply to certain operators of essential services and relevant digital service providers. The Bill would expand and strengthen that regime.

The government’s Cyber Security and Resilience Bill guidance highlights several areas that are particularly relevant to suppliers, including:

  • bringing more managed service providers into scope
  • creating a route for regulators to designate critical suppliers
  • strengthening cyber security and resilience duties
  • improving incident reporting requirements
  • giving regulators stronger tools to oversee compliance
  • improving information sharing across the cyber resilience system

For public sector suppliers, the critical supplier proposal is especially important. The government’s position is that some suppliers are so important to essential or digital services that a serious cyber incident affecting them could have wider consequences. Under the Bill, regulators would be able to designate critical suppliers, bringing them under mandatory cyber requirements.

This does not mean every public sector supplier will suddenly become directly regulated. The most immediate relevance is for suppliers whose services are important to the continuity, security or resilience of essential services. However, once a regime like this exists, its influence often extends beyond the organisations formally in scope. Buyers may start asking tougher questions of all suppliers, particularly where subcontractors, data flows or connected systems create risk.

Why Public Sector Suppliers Should Care

Even if your organisation is not directly regulated under the Bill, your customers may be. NHS bodies, energy organisations, water companies, transport operators, digital service providers and other essential service providers are likely to be more focused on the resilience of their suppliers.

That changes the procurement conversation. A buyer may need to understand whether you have suitable cyber controls, how you manage incidents, whether your subcontractors introduce risk and how you would maintain service if your systems were disrupted. These points may appear in selection questionnaires, method statements, quality questions, framework applications and contract management meetings.

Suppliers that can answer these questions clearly will be in a stronger position. Suppliers that treat cyber security as a generic compliance statement may find it harder to satisfy buyers, especially where the contract is connected to essential services.

This is also relevant to SMEs. Smaller suppliers are not necessarily expected to have the same cyber governance structure as a large technology provider, but they still need credible evidence. That may include Cyber Essentials, Cyber Essentials Plus, ISO 27001, internal policies, staff training records, incident response plans, access control processes and supply chain checks. Our guide to Cyber Essentials in government frameworks explains why certification is increasingly important for suppliers pursuing public sector work.

The important point is that cyber evidence needs to be proportionate, current and specific to the service being delivered.

Critical Suppliers and Subcontractor Risk

The critical supplier proposal should encourage suppliers to look beyond their own organisation. Public sector buyers increasingly want assurance across the full delivery model, including associated companies, delivery partners and subcontractors.

This is because cyber incidents often enter through third parties. A buyer may have strong internal controls, but still face disruption if a key supplier, software provider or managed service partner is compromised.

Suppliers should therefore be ready to explain how they manage cyber risk across their own supply chain. That could include:

  • how subcontractors are selected and checked
  • whether suppliers have minimum cyber standards
  • how access to systems and data is controlled
  • how incidents are reported and escalated
  • whether business continuity arrangements cover digital disruption
  • how supplier performance is monitored during the contract

These points are likely to matter most where the supplier supports critical operations, handles sensitive information, provides software or digital infrastructure, or delivers a service that cannot easily stop without affecting public users.

They may also become more important on frameworks. Central purchasing bodies and public sector buyers often use frameworks to reduce risk and speed up procurement. If cyber assurance becomes more central to buyer confidence, framework applications may ask for stronger evidence at the selection stage.

What Buyers May Ask For

Cyber-related tender questions are likely to become more detailed over time. In some cases, buyers may ask for formal accreditations. In others, they may want practical evidence of how cyber risk is managed in day-to-day service delivery.

Suppliers should be ready for questions covering:

  • cyber security policies and governance
  • staff training and awareness
  • access control and authentication
  • data handling and storage
  • incident response and reporting
  • business continuity and disaster recovery
  • subcontractor assurance
  • secure software development, where relevant
  • vulnerability management and patching
  • previous incidents and lessons learned
  • alignment with recognised standards or certifications

The strongest responses will not simply list policies. They will explain how those policies apply to the contract, who is responsible for managing the risk, what evidence is available and how the buyer will be kept informed.

For example, a supplier providing software should be able to explain how vulnerabilities are identified and resolved. A managed service provider should be able to explain how it protects customer environments and reports incidents. A consultancy handling confidential information should be able to explain access control, data storage and staff training. A facilities or infrastructure supplier using connected equipment should be able to explain how digital systems are protected and monitored.

That level of detail helps buyers understand whether cyber resilience is embedded in delivery, rather than treated as a separate compliance exercise.

How This Connects to Wider Procurement Trends

The Bill sits alongside a broader shift in public procurement. Buyers are increasingly expected to think about resilience, supply chain risk, national security, transparency and long-term contract performance.

The Procurement Act 2023 has already changed the language of public procurement, with greater emphasis on transparency, public benefit and effective contract management. Recent guidance on the Procurement Act’s national security exemption has also reinforced the importance of security and resilience in selected markets.

The Cyber Security and Resilience Bill adds another layer to that environment. It signals that suppliers supporting important services may need to prove not only that they can deliver, but that they can continue delivering securely during disruption.

This does not mean every tender will become a cyber tender. It does mean suppliers should expect cyber assurance to appear more frequently as part of wider quality, risk and resilience evaluation.

For some businesses, this will be a challenge. For others, it will be a useful differentiator. Suppliers that already invest in cyber resilience, staff training, continuity planning and supply chain assurance should make sure that evidence is visible in bids.

What Suppliers Should Do Now

The Bill is not yet law, so suppliers should avoid panic. However, waiting until new requirements are fully in force is rarely the best approach. Public sector buyers are already asking more detailed questions about cyber resilience, and suppliers can prepare now without overcomplicating the process.

A sensible first step is to audit your current cyber evidence. Look at the policies, certifications, procedures and records you already have, then consider whether they are easy to use in a tender response.

Suppliers should also review their standard bid content. Generic statements about taking cyber security seriously are unlikely to be enough where the buyer is assessing risk. Good bid content should explain what controls are in place, how they are managed, how incidents are handled and how the approach protects the buyer’s service.

It is also worth reviewing subcontractors and delivery partners. If your bid depends on third parties, you need to understand the cyber assurance they can provide. Buyers may not accept a strong statement about your own controls if a critical part of the service is delivered by an unchecked subcontractor.

Finally, suppliers should connect cyber resilience to business continuity. A cyber incident is not only a technical problem. It can affect staffing, service availability, customer communication, reporting, mobilisation and contract performance. Strong tender responses should show that cyber risk has been considered as part of the wider delivery model.

Cyber Evidence Is Becoming Bid Evidence

The Cyber Security and Resilience Bill is still moving through Parliament, but its procurement relevance is already clear. Public sector buyers are likely to place more weight on cyber assurance, particularly where suppliers support essential services, digital systems or sensitive operations.

For suppliers, this creates a practical task. Review your cyber evidence, strengthen your bid library, check your subcontractors and make sure your responses explain how resilience is managed in real delivery conditions.

Thornton & Lowe works with suppliers across public sector markets to strengthen bid strategy, tender responses and framework applications. If you need help reviewing how your cyber resilience, supply chain controls or continuity planning are presented in bids, get in touch with our team.
