CSRB Radar — April 2026: Report Stage Underway, the Preparation Window Is Open
Where the Bill stands now
As of April 2026, the Cyber Security and Resilience Bill has cleared Committee Stage in the Commons and is now progressing through Report Stage. Royal Assent is widely expected in the Q3–Q4 2026 window, but timelines can move. UK MSPs should treat the current period as a finite preparation window, not as a wait-and-see phase.
What changed since March
Three signals have hardened in the last month. First, supplier dependency language continues to land, meaning your subcontractors, third-party tooling and managed providers are in scope of evidence reviews, not just your own infrastructure. Second, the Operator of Essential Services (OES) reclassification framework is becoming clearer, and a meaningful share of mid-market MSPs sit close to the threshold once aggregated client impact is considered. Third, harmonisation around the £17M maximum fine ceiling (aligned in spirit with GDPR Article 83 upper-tier penalties) has not weakened in committee, and the ICO is still flagged as the primary enforcement authority for the MSP-relevant clauses.
None of this is final until Royal Assent. But the direction of travel is consistent enough that boards are starting to ask their MSPs for evidence work now.
What MSPs should action this month
Four evidence streams are worth opening this month, so that they do not all have to be opened in the final quarter before commencement.
Scope assessment. Document, in writing, which of your client engagements would put you in direct or indirect scope under the current Bill drafting. Aggregated client count, sector exposure (healthcare, finance, critical national infrastructure adjacency), and managed-incident volume all feed this. A one-page scope memo per major client is more defensible than a single firm-wide statement.
24-hour and 72-hour incident reporting process. The Bill's reporting cadence — initial notification at 24 hours, fuller assessment at 72 hours — is operationally demanding for most MSPs. Pressure-test your runbook now: who detects, who decides it is reportable, who notifies the client, who notifies the ICO, who logs the timestamps. If you cannot rehearse this end-to-end this month, you are not ready for it under live pressure.
Supplier dependency mapping. List every third party whose failure could trigger a reportable incident on your side: identity providers, EDR vendors, RMM platforms, backup providers, communications. For each, capture contract status, sub-processor disclosure, and incident notification SLA. This is the artefact regulators and client boards are most likely to ask for first.
Board-level evidence. Cyber Essentials certification is useful but does not, on its own, satisfy what the Bill is moving towards. Boards (yours and your clients') will want a written CSRB readiness position covering scope, controls, incident response, supplier risk and a named accountable owner. A short standing paper, refreshed quarterly, is enough to start.
The honest position
Nobody — not law firms, not the NCSC, not industry bodies — can tell you the exact final shape of the obligations until the Bill receives Royal Assent and the Secretary of State publishes the underlying regulations. Anyone presenting today's drafting as final is overclaiming.
What is reasonable to say is this: the cost of starting evidence work now is small, the cost of starting it after commencement is large, and the clients who are already asking the question are not going to wait. The MSPs that handle April–June 2026 as preparation months — rather than as quiet months — are the ones their clients will turn to when their own boards start asking what their cyber position actually is.
We will publish the next CSRB Radar update once Report Stage closes, or sooner if there is a material change to the supplier dependency or OES clauses.