If You’re in Someone Else’s Supply Chain, This Law Applies to You

The most dangerous misunderstanding about the Cyber Security and Resilience Bill is the belief that it only applies to “critical” organisations.

It doesn’t.

If you sit in someone else’s supply chain — especially someone regulated, essential or nationally significant — this law can apply to you, regardless of your size, sector or intent.

That is not a loophole.
It is the point.

The old mental model is dead

Under previous regimes, organisations asked:

  • Are we in scope?

  • Do we self-identify?

  • Are we explicitly listed?

The new Bill replaces that model entirely.

Scope is now driven by dependency and impact, not by self-declaration.

If your failure could materially disrupt:

  • an essential service,

  • a managed service provider,

  • a regulated digital service,

  • or a critical supply chain,

you can be designated — whether you planned for it or not.

This is designation-by-dependency

The Bill introduces a formal category of critical suppliers and gives regulators the power to designate organisations whose disruption would have outsized consequences.

That means:

  • suppliers become regulated because customers depend on them,

  • MSPs become regulated because they aggregate risk,

  • niche providers become critical because there is no easy substitute.

This is not about blame.
It is about systemic risk.

Why SMEs are especially exposed

SMEs often assume regulation is something that happens to other people.

In reality:

  • SMEs are deeply embedded in supply chains,

  • they provide specialist, high-impact services,

  • and they often operate with minimal redundancy.

That combination makes them disproportionately likely to become critical through dependency — even when their own footprint is small.

Why this catches organisations by surprise

Most organisations do not track:

  • who depends on them,

  • how many customers share the same access or service,

  • or how their failure would cascade.

They manage incoming supplier risk, not outgoing risk.

The Bill makes that asymmetry visible — often for the first time.

What changes the moment you’re designated

Once designated, organisations face:

  • mandatory incident reporting within 24 and 72 hours,

  • customer notification obligations,

  • broad information-gathering powers,

  • potential cost recovery charges,

  • and, in rare cases, national security directions.

None of this waits for perfect readiness.

The clock starts when the incident starts — not when you feel prepared.

Why “we didn’t know” is no defence

Designation is not punitive.
But ignorance is not mitigating.

Regulators will ask:

  • Could your failure cause harm?

  • Did you understand your dependencies?

  • Were your decisions reasonable under the circumstances?

Not knowing you were critical does not make you non-critical.

The uncomfortable truth

You may already be regulated — just not formally designated yet.

The Bill turns implicit dependency into explicit obligation.
What was once informal trust is now enforceable expectation.

The practical takeaway

If you:

  • supply regulated organisations,

  • provide managed or digital services,

  • or support critical operations,

you should assume this law applies to you until proven otherwise.

Waiting for formal designation is the most expensive way to find out.

Call to action

If others depend on your services, systems or access, your cyber risk is no longer just your problem — it becomes theirs, and then the regulator’s.
Contact Cyber Tzar today to assess how your organisation sits in supply chains, what dependency risk you create, and whether this law already applies to you — before designation, incidents or enforcement make the decision for you.
