  • What is the NHS Data Security and Protection Toolkit (DSPT)?
  • What is the UK Cyber Security and Resilience Bill (CP 848)?
  • Cyber Resilience Bill vs. NIS Regulations: What's changing?
  • Why the Cyber Security and Resilience Bill matters to NHS trusts
  • Challenges NHS IT teams face with compliance
  • How ManageEngine AD360 enables NHS cyber resilience and compliance
  • What comes next for NHS trusts?
  • FAQs

Cybersecurity is now a top priority for NHS trusts. As digital health systems become integral to care delivery, they also become prime targets for cyberthreats. To address these risks, the United Kingdom (UK) government introduced the Cyber Security and Resilience Bill (CP 848). This critical UK cyber legislation mandates faster breach response and ensures robust security protocols across essential services like healthcare, impacting NHS cybersecurity policy significantly.

High-profile attacks on London hospitals and the Ministry of Defence have exposed vulnerabilities in essential NHS systems—resulting in thousands of cancelled outpatient appointments and compromised services for UK citizens. The message is clear: NHS trusts must elevate their cybersecurity posture and align with the new cybersecurity and resilience policy statement.

This guide breaks down the Bill’s key mandates, outlines the compliance challenges specific to NHS IT teams, and explains how ManageEngine AD360 helps NHS trusts meet these regulatory expectations effectively, ensuring compliance with the Cyber Security and Resilience Bill 2025.

What is the UK Cyber Security and Resilience Bill (CP 848)?

Released on Apr. 1, 2025, the Cyber Security and Resilience Bill (CP 848) from the Department for Science, Innovation and Technology (DSIT) replaces the outdated NIS Regulations 2018. This UK Cyber Security and Resilience Bill aligns UK law with evolving cyberthreats and mirrors the broader goals of the EU NIS2 Directive. Healthcare, now recognized as part of the UK's Critical National Infrastructure (CNI), is central to the bill, making the Cyber Security and Resilience Bill highly relevant to NHS operations.

Key provisions of the Bill include:

  • Expanded coverage: Includes managed service providers (MSPs), data centers, and critical suppliers to strengthen third-party risk management.
  • Mandatory incident reporting: NHS trusts must notify regulators within 24 hours and submit a detailed breach report within 72 hours.
  • Increased regulatory oversight: Grants bodies like the ICO and NCSC the authority to audit, enforce, and proactively address vulnerabilities.
  • Agile policy updates: Allows the government to update compliance requirements swiftly via secondary legislation.

Cyber Resilience Bill vs. NIS Regulations: What's changing?

Compared to the NIS Regulations 2018, the Cyber Security and Resilience Bill introduces stricter compliance requirements and broader oversight.

| Area | NIS Regulations 2018 | Cyber Security and Resilience Bill (CP 848) |
| --- | --- | --- |
| Scope | Focused on NHS IT infrastructure | Covers NHS supply chains, including MSPs and third-party vendors |
| Incident reporting | Basic reporting framework | Mandatory 24-hour notification and 72-hour impact assessment |
| Regulatory powers | Limited audit investigations | Enables proactive audits, enforcement, and designation of critical suppliers |
| Incident scope | Primary service outages | Covers data breaches, integrity loss, and confidentiality risks |

These changes ensure NHS trusts not only improve their cybersecurity posture but also maintain higher accountability and resilience under the new UK cyber legislation.

Why the Cyber Security and Resilience Bill matters to NHS trusts

The Cyber Security and Resilience Bill is a transformative development for NHS trusts. Here's why adherence to this new NHS cybersecurity policy is crucial:

  • NHS trusts are high-value targets: Healthcare systems hold vast amounts of sensitive data—from patient records to administrative operations—making them prime targets for financially and politically motivated cybercriminals.
  • Real-world consequences of breaches: The 2024 ransomware attacks on London hospitals led to thousands of postponed appointments and disrupted services. Such attacks highlight the critical need for enhanced protection and rapid recovery measures as outlined in the Cyber Security and Resilience Bill.
  • Cybersecurity becomes mandatory, not optional: The Bill reclassifies healthcare as Critical National Infrastructure (CNI), placing legal obligations on NHS trusts to secure their digital services and maintain cyber hygiene. This is a fundamental shift for NHS cybersecurity policy.
  • Stricter compliance and oversight: NHS trusts will face greater scrutiny from regulatory bodies like the ICO and NCSC, who will have authority to investigate vulnerabilities and enforce corrective actions proactively under the Cyber Security and Resilience Bill 2025.
  • Third-party accountability: The Bill extends its scope to include NHS suppliers and partners such as MSPs and data center providers, meaning NHS trusts must ensure their entire ecosystem is compliant with the UK Cyber Security and Resilience Bill.
  • Public trust and patient safety: Compliance isn’t just about avoiding penalties. It protects the continuity of care, preserves public confidence, and ensures patient data remains secure, reinforcing the importance of the Cyber Security and Resilience Bill.

Ignoring these mandates can lead to penalties, service disruptions, and reputational damage—making cybersecurity a top priority for NHS IT teams.

Challenges NHS IT teams face with compliance

Despite best intentions, many NHS IT environments remain complex and fragmented, making compliance with the Cyber Security and Resilience Bill a considerable challenge.

  • Outdated legacy systems: Many NHS trusts still rely on legacy IT infrastructure incompatible with modern security protocols, making it difficult to apply essential patches and updates promptly. These gaps expose critical systems to vulnerabilities and increase the risk of breaches.
  • Manual identity management: Relying on manual processes to manage user identities and permissions increases the risk of human error, privilege escalation, and orphaned accounts. This lack of automation complicates the enforcement of access policies and audit requirements.
  • Siloed infrastructure: NHS IT environments are often spread across on-premises servers, cloud platforms, and third-party applications with limited interoperability. This fragmented structure hampers centralised visibility and consistent policy enforcement.
  • Inadequate incident response capabilities: Most NHS IT environments lack the automated alerting or centralised threat detection needed for rapid response to cyberattacks. This gap increases the likelihood of breaches going undetected for extended periods, something the new Bill explicitly aims to address.
  • Resource constraints: NHS IT teams are often overextended, underfunded, and understaffed. Without automated tools and centralised management platforms, meeting new compliance mandates becomes a significant operational burden.
  • Lack of centralised reporting: Demonstrating compliance requires consistent audit logs, access reports, and cyber maturity assessments. Disparate logging mechanisms make this difficult and time-consuming, especially when regulators demand timely submissions.

To address these gaps, NHS trusts need to adopt unified identity governance and cybersecurity solutions that automate compliance and improve visibility across the board. ManageEngine AD360 delivers these capabilities—eliminating manual tasks, reducing risk, and helping NHS teams build long-term resilience.

How ManageEngine AD360 enables NHS cyber resilience and compliance

ManageEngine AD360 is a unified identity and access management solution designed to help NHS trusts and their suppliers address the core requirements of the Cyber Security and Resilience Bill (CP 848).

| Bill requirement | How ManageEngine AD360 helps |
| --- | --- |
| Identity resilience and least privilege enforcement | Role-based access control, and automated provisioning and deprovisioning across AD, Microsoft Entra ID, and M365 |
| Privileged account governance | Time-bound access, approval workflows, privileged activity tracking, and just-in-time access management for critical NHS systems |
| Incident detection and 24/72-hour reporting | Real-time alerting for risky logins, failed attempts, and privilege misuse, as well as export-ready audit logs to ensure rapid breach reporting requirements are met |
| Third-party and contractor access control | Temporary and policy-based access for vendors, with monitoring and revocation |
| Compliance audit readiness | Prebuilt compliance reports for DSPT, CAF, and CP 848, as well as audit log centralisation for easy demonstration of adherence to NHS cybersecurity policy |
| Hybrid environment support | Supports NHS trusts operating across cloud, on-premises, and hybrid infrastructure |

What comes next for NHS trusts?

With the Cyber Security and Resilience Bill coming into effect in 2025, NHS trusts must urgently upgrade their cybersecurity strategies. Ensuring compliance, breach readiness, and identity protection will be critical in navigating the evolving threat landscape and adhering to the new UK cyber legislation.

ManageEngine AD360 simplifies NHS cybersecurity compliance—helping NHS trusts stay ahead of regulatory changes and safeguard patient data, ensuring full alignment with the Cyber Security and Resilience Bill 2025.

FAQs

What is CP 848?

CP 848 is the Cyber Security and Resilience Bill published in April 2025 by the DSIT. It replaces the NIS Regulations 2018 to expand cybersecurity obligations for NHS trusts and other CNI sectors.

Does AD360 provide compliance reporting for DSPT, CAF, and CP 848?

Yes, AD360 provides report templates and log management for DSPT, CAF, and the new Cyber Resilience Bill (CP 848), streamlining overall NHS cybersecurity policy compliance.

Can AD360 help NHS trusts meet the 24-hour notification and 72-hour reporting deadlines?

Yes. AD360 delivers real-time alerts and consolidated audit logs that help NHS teams meet 24-hour notification and 72-hour reporting deadlines.

How does AD360 manage third-party and contractor access?

AD360 uses temporary, policy-based access provisioning for contractors, with automatic deprovisioning and session expiration.

Does AD360 support hybrid NHS environments?

Yes. AD360 integrates with Microsoft Entra ID, Microsoft 365, and on-premises AD, offering a single view across hybrid infrastructures.