The UK's Cyber Resilience Bill Is Coming. And Yes, Even in Guernsey.

Written by Mike | Mar 31, 2026 3:37:30 PM

Let's start with the question most business owners are quietly thinking:

"We have antivirus software, our IT person handles the passwords, and we haven't been hacked yet. Aren't we already cyber resilient?"

It's a fair question. And the answer, according to the UK Government, is: probably not — and definitely not in the way the law is about to require.

So, What Is This Bill?

The Cyber Security and Resilience (Network and Information Systems) Bill was introduced to the House of Commons on 12 November 2025. It represents the most significant overhaul of the UK's cybersecurity regulatory framework since the Network and Information Systems Regulations back in 2018.

This isn't a niche piece of technical legislation buried in a committee room. It was announced as part of the King's Speech in 2024 and forms part of the Government's 'Plan for Change', seeking to improve economic growth through enhanced confidence in the UK's digital services.

Why now? Because the threat landscape has changed dramatically. The latest data shows that the UK is the most targeted country in Europe for cyber-attacks, and according to KPMG, the estimated annual cost of significant cyber-attacks on the UK economy is a staggering £14.7 billion. Recent high-profile incidents — the NHS, the Ministry of Defence, Marks & Spencer, Jaguar Land Rover — have made it impossible for Government to look the other way.

But Isn't That Someone Else's Problem?

Here's where most business owners switch off — and that's understandable. The Bill's primary focus is on critical national infrastructure: energy, healthcare, digital infrastructure. But here's the part that should make you sit up:

While the Bill primarily targets private sector operators of essential services, its impact will ripple across the entire economy — particularly businesses supplying the public sector.

Supply chains are the story here. Even technology vendors that are not directly in scope could still need to provide contractual commitments and meet the security requirements demanded by their in-scope customers. A certain standard of cyber security compliance will be needed to service key customers and maintain competitive advantage.

In short: if you supply, support, or even loosely connect with any in-scope organisation — you will feel this. Your customers will ask questions you haven't been asked before.

What Does the Bill Actually Do?

It dramatically expands who is in scope. One of the most significant changes to the 2018 legislation is expanding the existing regulations to bring more entities into scope, including digital services, managed service providers, data centres and critical suppliers.

It introduces mandatory incident reporting with teeth. Initial notification of a cyber incident must be made within 24 hours, with a full report within 72 hours. Gone are the days of quietly managing a breach and hoping no one notices.

It brings eye-watering penalties. The standard maximum penalty is £10 million or 2% of global turnover, whilst the higher maximum for more serious breaches will be £17 million or 4% of worldwide turnover — whichever is higher. Regulators will also have the power to impose daily fines of up to £100,000 for continuing contraventions.

And it doesn't stop at UK borders. The new Bill does not require organisations to be established in the UK to fall within its scope — marking a key consideration for international organisations.

So What Does This Mean for Guernsey and Channel Islands Businesses?

This is where the conversation gets locally interesting — and where many island businesses are not yet paying attention.

Let's be clear about Guernsey's legal position: although the Channel Islands are closely tied to the UK and the EU through trade and finance, they are not part of the EU, nor does the UK lawfully govern them directly. UK legislation does not automatically extend to Guernsey. We have our own laws, our own regulators, our own framework.

But here's the reality of operating as an international financial centre:

1. The GFSC already has its own cyber requirements. The Guernsey Financial Services Commission published Cyber Security Rules and Guidance to ensure that the Bailiwick's regulatory regime continues to be compliant with international standards. If you operate in financial services here — investment, banking, fiduciary, insurance — you are already under principles-based cyber obligations. The UK Bill raises the bar internationally, and Guernsey regulators historically align with evolving global standards.

2. Your UK counterparts and clients will hold you to UK standards. If your business has clients, counterparties, or group companies in the UK — and most Channel Islands finance, legal, and professional services businesses do — they will increasingly require you to demonstrate compliance with frameworks equivalent to the UK Bill. The contractual pressure will flow downhill to you.

3. Supply chain security is explicitly targeted. Supply-chain resilience becomes a statutory obligation under the Bill, with regulators gaining new powers to identify and designate specific high-impact suppliers as 'designated critical suppliers'. If you provide managed IT services, data hosting, payroll processing, or any form of digital service to UK-regulated entities, your clients will be legally obligated to assess and manage the cyber risk you represent.

4. The Bill explicitly has extra-territorial reach. Information sharing powers include the ability to share with relevant authorities in the EU under NIS2 in certain cases, as part of a wider trend towards cross-border collaboration on cyber threats. Guernsey's strong data adequacy relationships with both the UK and EU mean we are increasingly intertwined in this regulatory fabric — whether the legislation formally applies to us or not.

5. This will reshape what "good" looks like for due diligence. If you're raising investment, selling your business, or onboarding institutional clients, expect cyber posture to become a standard part of the due diligence checklist — just as GDPR compliance became non-negotiable in the years after 2018.

"We Already Have Cyber Insurance — Doesn't That Cover Us?"

Another question I hear often. And it's worth addressing directly.

Cyber insurance is evolving rapidly in response to this legislation. The Bill is expected to prompt greater focus on demonstrable compliance with enhanced risk management and governance standards. There will also be a continuing emphasis on disclosure at the time of placement and incident reporting, particularly within cyber policies. Insurers are already tightening what they'll cover and at what premium — and failure to meet regulatory standards could affect the validity of a claim at exactly the moment you need it most.

Insurance is not a substitute for resilience. It's a backstop for when resilience fails.

What Should You Do Now?

The Bill is expected to receive Royal Assent in 2026. Although it is not expected to fully enter into force until 2028, there are steps to start thinking about now, not least to reduce duplication of effort for businesses that also need to comply with NIS2 in the EU.

That gives Channel Islands businesses a window — but not a long one.

Start by asking yourself honestly:

  • Do we know where our critical data lives, who has access to it, and what would happen if it were compromised tomorrow?
  • Could we detect a breach within 24 hours and communicate it coherently?
  • Do we have a documented, tested incident response plan — or just a vague assumption that "IT would sort it out"?
  • Do our suppliers and third-party vendors meet the standards we'd need to defend to a regulator or client?

If the answer to any of these is "I'm not sure" — that's your starting point.

The Bigger Picture

Cybersecurity is no longer a technology issue sitting in an IT department. The Bill could elevate cybersecurity to a board-level priority and set the stage for a more resilient digital economy.

For Guernsey and the wider Channel Islands — jurisdictions built on trust, reputation, and the confidence of international clients — that's not just regulatory compliance. It's competitive positioning.

The question isn't whether to take this seriously. The question is whether you want to do it reactively when a client asks, or proactively because it's the right thing for your business.

I'd love to hear from other Channel Islands business owners — how are you thinking about cyber resilience in light of developments like this? Drop a comment below or get in touch directly.