“Designation-by-Dependency”: Why You Can Be Regulated Without Knowing It

Most organisations assume regulation starts with a form, a registration process, or at least a letter telling them they are now “in scope”.
Under the UK Cyber Security and Resilience Bill, that assumption is wrong.

One of the most underappreciated features of the Bill is that regulation can attach to you because of who depends on you, not because of what you call yourself. This is not self-identification. It is designation-by-dependency.

Regulation no longer starts with your size or sector

Under the original NIS Regulations, organisations were largely regulated because they operated in clearly defined sectors: energy, transport, health, water, digital infrastructure. You generally knew where you stood.

The new Bill changes that logic.

It introduces the concept of critical suppliers: organisations whose disruption could significantly affect essential services, managed services, or relevant digital services. Crucially, there is no minimum size requirement and no obligation for a supplier to volunteer itself for regulation.

If your failure would materially impact a regulated organisation, you can be designated — regardless of whether you see yourself as “critical”.

How designation-by-dependency works in practice

Most SMEs do not sit at the top of supply chains. They sit inside them.

You might:

  • Provide managed IT, cloud, data, security or operational services

  • Support defence, infrastructure, health, energy or regulated MSPs

  • Be one of several suppliers whose combined failure would cause disruption

  • Operate tooling, platforms or access that customers cannot easily replace

In these cases, regulators don’t need you to self-declare. They can designate you because your customers rely on you.

This is where most organisations underestimate the risk:
they assess their own importance, not the impact of their failure on others.

Why this creates real discovery risk

Designation-by-dependency creates a timing problem.

You may only discover that you are considered “critical”:

  • when a customer is regulated and flags you,

  • when a regulator assesses a supply chain,

  • or when an incident exposes your role in disruption.

At that point, the obligations apply immediately:

  • 24-hour incident notification

  • 72-hour detailed reporting

  • mandatory customer notification

  • regulatory information requests

  • potential cost recovery charges

There is no long runway to prepare once designation happens.

The uncomfortable question boards now have to ask

The Bill forces a reframing of cyber risk from an internal control problem to a downstream impact problem.

The real question is no longer:

“Are we regulated?”

It is:

“If we failed tomorrow, who would feel it — and how badly?”

If the answer includes regulated entities, essential services, or large MSPs, then regulation may already be closer than you think.

Why traditional supplier assurance isn’t enough

Most organisations rely on:

  • questionnaires,

  • certifications,

  • contractual clauses,

  • or annual reviews.

These focus on your controls, not on how risk propagates through dependency.

Regulators care less about whether you have a policy, and more about:

  • how quickly incidents surface,

  • whether customers are informed,

  • whether failures cascade,

  • and whether risk was foreseeable.

That requires understanding how you contribute to supply-chain risk, not just how you manage your own perimeter.

What organisations should do now

You do not need to panic — but you do need clarity.

Practical first steps include:

  • Mapping which customers would be materially impacted by your failure

  • Identifying where your services aggregate risk across multiple clients

  • Understanding whether your customers are already regulated or likely to be

  • Stress-testing whether you could meet reporting and notification duties in reality

This is fundamentally a supply-chain risk problem, not a compliance paperwork exercise.

Why this matters commercially, not just legally

Under the new regime, cyber incidents become disclosed, customer-facing events.
Being unprepared doesn’t just create regulatory risk — it creates trust risk.

Organisations that can clearly explain:

  • how they manage dependency risk,

  • how they limit blast radius,

  • and how they would respond under pressure,

will be more attractive suppliers as regulation tightens.

Those that can’t will feel the consequences first through procurement, contracts and customer confidence — long before fines ever appear.

Call to action

The Bill is coming. Designation-by-dependency is already here.
If you want to understand how your organisation contributes to supply-chain cyber risk — and how exposed you may be without realising it — contact Cyber Tzar today to learn how we can help you assess your supply chain risk now, before regulation or incidents force the issue.
