4 May 2026 Retrospectives Timothée

CSRB: Why External Exposure Management Is Now Mandatory

In brief: The UK Cyber Security and Resilience Bill is the biggest update to UK cyber law since 2018. It brings MSPs, data centres and designated critical suppliers under direct regulation. It mandates an initial incident notification within 24 hours, sent to both the sector regulator and the NCSC, which goes further than NIS2. Non-compliance costs up to £17 million or 4% of global turnover. For organisations in scope, continuous external exposure monitoring is now a legal requirement in practice.

Why the UK Updated Its Cyber Security and Resilience Framework

The Network and Information Systems (NIS) Regulations 2018 were built for a different era. Reviews in 2020 and 2022 confirmed they were no longer fit for purpose.

Cyber attacks cost the UK economy around £14.7 billion each year. The 2024 Synnovis ransomware attack disrupted over 11,000 NHS appointments. The National Cyber Security Centre warned of a growing gap between the evolving cyber threat and the UK's defences.

The Department for Science, Innovation and Technology introduced the Cyber Security and Resilience Bill (CSRB) as the government's answer. It expands the NIS Regulations 2018 — bringing the full digital supply chain into scope for the first time.

Who Is in Scope: Operators of Essential Services and Beyond

The original NIS Regulations covered operators of essential services (OES) in five sectors: energy, transport, water, health and digital infrastructure. The CSRB adds three new categories.

Relevant managed service providers — MSPs managing IT systems or networks for UK clients now face direct duties. Around 900 to 1,100 MSPs must register with the ICO.

Data centres — The Bill classes facilities above 1MW rated IT load as essential services.

Designated critical suppliers (DCS) — Regulators can name any supplier as critical to national infrastructure (CNI). Size does not matter. Disrupt a regulated entity, and regulators can bring you into scope.

Incident Reporting: 24 Hours — Tougher Than NIS2

The Bill creates a two-stage process for reporting cyber incidents.

Organisations send an initial notification to their sector regulator and the National Cyber Security Centre within 24 hours of becoming aware of the incident. A full incident report follows within 72 hours, again to both bodies.

The dual reporting, to the sector regulator and the NCSC, is a UK-specific requirement. NIS2 uses the same 24-hour and 72-hour clocks but routes reports to a single national authority. The UK duty is also broader in scope: any incident affecting the security of network and information systems must be reported, not just outages. Under the old NIS regime, only low double-digit numbers of incidents reached regulators each year, while the NCSC handled hundreds of major cyber attacks in the same period.

The NCSC Cyber Assessment Framework (CAF): The New Standard

The Cyber Assessment Framework (CAF) sets the technical standard for CSRB compliance. It covers four areas: managing security risk, protecting against cyber attacks, detecting cyber security events, and minimising the impact of incidents.

The CAF is outcome-based. Regulators want evidence, not policies: asset logs, monitoring records and fix histories must be dated and stored.

NIS2 or ISO 27001 alignment gives a head start. But dual notification, DCS designation and CAF alignment add UK-specific duties. Key thresholds — including what counts as a significant cyber incident — come from secondary legislation. Build continuous monitoring now and you stay compliant wherever the line is set.

Why This Bill Makes External Exposure Management Essential

You cannot report what you have not detected. The 24-hour window requires fast detection. Quarterly scans cannot support this. Real-time monitoring is the only way to meet the deadline.

Your asset inventory must include systems you do not yet know about. The CAF requires organisations to identify every network and information system used to deliver essential services, including cloud services, APIs and shadow IT. A static list updated once a year is not enough: the evidence requirement implies an inventory refreshed continuously, with each addition and removal dated.

Supply chain exposure is your risk to manage. A compromise at a supplier can become your reportable incident, and under the DCS mechanism the supplier itself can be pulled into regulation. 70% of security professionals rate supply chain cyber risks as high priority (ISC2, 2025). The CSRB makes managing that risk a legal duty.

CSRB vs NIS2: Key Differences

The CSRB aligns with NIS2 in spirit. It differs on points that matter for teams working across the UK and EU.

Criterion                          CSRB (UK)                          NIS2 (EU)
Initial notification               24 hours                           24 hours (early warning)
Full incident report               72 hours                           72 hours
Where to report                    Sector regulator and NCSC (dual)   Single national authority
MSPs in scope                      Yes, directly regulated            Yes, as ICT service management (Annex I)
Critical supplier designation      Yes (DCS, new mechanism)           No equivalent
Personal liability for directors   No                                 Yes
Compliance standard                NCSC CAF                           Member state frameworks
Maximum penalty                    £17M or 4% of global turnover      €10M or 2% of global turnover

NIS2 compliance covers most CSRB requirements. Dual notification, DCS designation and CAF alignment still require UK-specific action.

Penalties: Up to £100,000 Per Day

The CSRB brings in a much tougher penalty regime.

  • Serious failures — such as a breach or failure to report — carry fines up to £17 million or 4% of global turnover.

  • Standard failures — such as late registration — carry penalties up to £10 million or 2% of turnover.

  • Daily fines of up to £50,000 apply while a breach continues.

MSPs and data centres face daily fines of up to £100,000 or 10% of daily turnover for each day they fail to fix a security gap after a government order. Regulators also gain cost-recovery powers: enforcement is funded by the regulated entities themselves.

5 Steps to Take Before Royal Assent

Royal Assent is expected in 2026. Compliance deadlines follow in 2027 and 2028. Start now.

1 — Find out if you are in scope before the Bill passes. Check whether you are an operator of essential services (OES), a managed service provider, a data centre, or a supplier to any of these. The DCS mechanism pulls in organisations that do not see themselves as part of critical national infrastructure.

2 — Switch to live monitoring — quarterly scans will not meet the 24-hour window. You need real-time visibility into your external exposure, with dated detection logs.

3 — Audit your supply chain now, not after an incident. List critical suppliers. Check their external exposure. Update contracts to cover notification, audit rights and security duties.

4 — Test your incident response against the 24 and 72-hour windows. Who sends the initial notification? Who contacts the NCSC? Define what counts as a significant cyber incident. Run drills.

5 — Align with the NCSC Cyber Assessment Framework before regulators ask. Run a gap review. Fix issues by real risk level. Keep records of every fix.

How Patrowl Helps Organisations Prepare for CSRB

Patrowl is a French EASM and continuous security testing platform, built for organisations that need to demonstrate — not just claim — regulatory compliance.

What sets Patrowl apart in a CSRB context: every security alert is manually reviewed by an in-house CERT analyst before it reaches your team. No alert floods, no time wasted on noise. Only what actually requires action — with the context to act on it.

Concretely: an MSP or data centre operator preparing for CSRB can deploy Patrowl and receive, within 48 hours, a mapped view of their external attack surface — exposed assets, shadow IT, third-party exposure — with dated logs aligned to CAF evidence requirements. Exactly what a regulator or NCSC review will ask for.

Patrowl enables you to:

  • Discover assets continuously — exposed assets, shadow IT and supplier exposure, with dated logs for CAF evidence

  • Detect security flaws in real time — each finding reviewed by a CERT analyst before any alert is sent

  • Monitor supply chain exposure — tracks third-party external exposure to support DCS risk duties

  • Run continuous penetration testing (PTaaS) — automated tests based on real exposure, with retest records for fix evidence

  • Produce audit-ready reports — structured outputs mapped to NCSC CAF principles for regulatory reviews

Conclusion: Resilience Must Be Proven, Not Just Claimed

The NCSC recorded a high number of nationally significant cyber incidents in 2025. The CSRB is the legislative response. Continuous monitoring, documented asset lists and evidence-based fixes are now the baseline — not best practice.

  • Scope is wider than expected. The DCS mechanism pulls in MSPs, data centres and their suppliers.

  • Speed of detection drives compliance. Live monitoring of your network and information systems is the only way to meet the 24-hour window.

  • Evidence is what counts. The CAF is outcome-based. Regulators ask for proof, not promises.

Take Action

Request a free external attack surface assessment with Patrowl. Within 48 hours, receive a report of your exposed assets and security gaps, mapped to NCSC CAF principles and CSRB requirements.

FAQ

Is my organization affected by NIS2 if it’s not in the financial sector?

Yes, if you have more than 50 employees or €10M in revenue and operate in one of the 18 sectors covered by NIS2, including energy, transport, healthcare, water, digital infrastructure, postal services, agri-food, manufacturing, digital providers and public administration. NIS2 applies to over 100,000 organizations in Europe, compared to 15,000 under NIS1. If in doubt, your national cybersecurity authority provides eligibility tools.

Do DORA and NIS2 overlap, or does one replace the other?

They overlap if you operate in the financial sector. Banks, insurers and payment institutions are subject to both frameworks simultaneously, and their requirements are cumulative, not interchangeable. DORA is an EU regulation with direct applicability, while NIS2 is a directive transposed into national law. In practice, your compliance program must satisfy both frameworks at the same time.

Does an annual pentest count as proof of continuous resilience?

No. An annual pentest reflects a fixed scope at a single point in time; it says nothing about the remaining 364 days. Both DORA and NIS2 require regular, documented testing based on continuous exposure. Auditors expect timestamped reports, documented retests after remediation and a clear trend of improvement over time. An 11-month-old PDF report will not pass an audit.

What is a “living” asset inventory, and how do you prove it to an auditor?

A living inventory is continuously updated, not manually refreshed twice a year. It includes all internet-exposed assets: domains, subdomains, IPs, APIs, cloud services, SaaS, shadow IT and third-party-related assets. To satisfy an auditor, you need a dashboard with timestamped history, traceability of asset additions and removals, and the ability to reconstruct your attack surface at any point in time. A manually maintained spreadsheet does not meet this requirement.
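The "reconstruct your attack surface at any point in time" requirement above, and the dated detection logs called for in step 2 of the preparation list, both come down to the same data model: keep the discovery history as an append-only change log rather than overwriting a list. The following is an added example of that model, not Patrowl's code or any regulator's reference implementation. The four discovery snapshots are constructed sample data and every hostname in them is hypothetical.

```python
"""Event-sourced external asset inventory, reconstructable at any instant.

Added example for this page; not Patrowl's code or a regulator's reference
implementation. SAMPLE_SNAPSHOTS is constructed data with hypothetical hosts.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Change:
    at: datetime   # timestamp of the discovery run that observed the change
    asset: str     # exposed asset, written here as "host:port"
    action: str    # "added" or "removed"


def ts(iso: str) -> datetime:
    """Parse an ISO 8601 timestamp; all sample data below is UTC."""
    return datetime.fromisoformat(iso)


# Constructed sample data: four dated discovery runs against one domain.
# dev.example.test:8080 appears, disappears, then reappears; mail goes away.
SAMPLE_SNAPSHOTS: list[tuple[datetime, set[str]]] = [
    (ts("2026-01-05T09:00:00+00:00"), {"www.example.test:443", "mail.example.test:25"}),
    (ts("2026-01-06T09:00:00+00:00"), {"www.example.test:443", "mail.example.test:25",
                                       "dev.example.test:8080"}),
    (ts("2026-01-08T09:00:00+00:00"), {"www.example.test:443", "mail.example.test:25"}),
    (ts("2026-01-10T09:00:00+00:00"), {"www.example.test:443", "dev.example.test:8080"}),
]


def diff_snapshots(previous: set[str], current: set[str], at: datetime) -> list[Change]:
    """Express the difference between two consecutive runs as dated changes."""
    added = [Change(at, a, "added") for a in sorted(current - previous)]
    removed = [Change(at, a, "removed") for a in sorted(previous - current)]
    return added + removed


def build_log(snapshots: list[tuple[datetime, set[str]]]) -> list[Change]:
    """Fold all discovery runs into one append-only, chronological change log.

    The log, not the latest snapshot, is the audit record: it answers when
    each asset appeared, when it disappeared, and what was known at the time.
    """
    log: list[Change] = []
    previous: set[str] = set()
    for at, seen in sorted(snapshots, key=lambda s: s[0]):
        log.extend(diff_snapshots(previous, seen, at))
        previous = seen
    return log


def inventory_at(log: list[Change], when: datetime) -> set[str]:
    """Replay the log up to `when` to rebuild the attack surface at that instant."""
    live: set[str] = set()
    for change in sorted(log, key=lambda c: c.at):
        if change.at > when:
            break
        if change.action == "added":
            live.add(change.asset)
        else:
            live.discard(change.asset)
    return live


def exposure_windows(log: list[Change]) -> dict[str, list[tuple[datetime, datetime | None]]]:
    """Per asset, the intervals during which it was internet-exposed.

    An end of None means the asset is still live as of the last run.
    """
    windows: dict[str, list[tuple[datetime, datetime | None]]] = {}
    open_since: dict[str, datetime] = {}
    for change in sorted(log, key=lambda c: c.at):
        if change.action == "added":
            open_since[change.asset] = change.at
        elif change.asset in open_since:
            start = open_since.pop(change.asset)
            windows.setdefault(change.asset, []).append((start, change.at))
    for asset, start in open_since.items():
        windows.setdefault(asset, []).append((start, None))
    return windows


if __name__ == "__main__":
    log = build_log(SAMPLE_SNAPSHOTS)
    for change in log:
        print(f"{change.at.isoformat()}  {change.action:<7}  {change.asset}")
    print("surface on 2026-01-07:", sorted(inventory_at(log, ts("2026-01-07T00:00:00+00:00"))))
    for asset, spans in sorted(exposure_windows(log).items()):
        print(asset, [(s.date().isoformat(), e.date().isoformat() if e else "live") for s, e in spans])
```

Two design points matter for an audit. First, the change log is derived from dated runs and never edited, so an auditor can replay it to the day of an incident and see exactly which assets were known to be exposed. Second, `exposure_windows` makes intermittent exposure visible: the dev host that was live for two days in January, vanished and came back is a pattern a latest-state spreadsheet would never show.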
What actually happens if my organization is not compliant during an audit?

Regulators typically start with a formal notice and a remediation deadline. If non-compliance persists, financial penalties apply: up to 1% of average daily worldwide turnover under DORA for critical ICT providers, and up to €10M or 2% of global turnover under NIS2. Beyond fines, NIS2 also introduces personal liability for executives, including temporary bans from management roles, a risk that is increasingly taken seriously at the executive level.

Should we monitor SaaS vendors or only our own assets?

Both. DORA and NIS2 explicitly make you responsible for the security posture of your critical third-party providers. This includes your CRM, hosting providers, software vendors, and any partner with access to your systems or data. According to ENISA Threat Landscape reports, around 60% of major incidents involve third-party compromise. Monitoring only your own assets covers less than half of the real risk.

Sources

  1. UK Parliament — Cyber Security and Resilience Bill (Bill 329), 12 November 2025 — bills.parliament.uk

  2. GOV.UK — Cyber Security and Resilience Bill policy documents — gov.uk

  3. The Register — "UK threatens £100K-a-day fines under new cyber bill", April 2025 — theregister.com

  4. ICO — Information Commissioner's response to the CSRB, December 2025 — ico.org.uk

  5. ISC2 — Supply Chain Risk Survey 2025 — isc2.org

  6. NCSC / Slaughter and May — CSRB insights for critical suppliers, January 2026 — thelens.slaughterandmay.com