
Most of the attention on the Cyber Security and Resilience Bill has focused on the organisations that run essential services — energy, water, healthcare, digital infrastructure. But one of its quietest provisions may prove the most consequential for the wider economy: the power to designate an individual supplier as "critical" and bring it directly under regulation, even if it would otherwise sit entirely outside the rules.
For thousands of UK businesses that have never thought of themselves as regulated entities, this is the provision to understand. And for the organisations that depend on those suppliers, it is a signal about where scrutiny is heading.
What "designated critical supplier" actually means
The Bill — which had its Lords second reading on 14 July 2026 and is now at committee stage — gives regulators the power to designate specific suppliers as critical. The test is one of consequence rather than size. A supplier can be designated where its goods or services are so important that their disruption could cause a significant disruptive effect on the essential or digital service it supports, and where those goods or services themselves rely on network and information systems.
Three features of this mechanism matter.
First, it is individual, not categorical. Unlike managed service providers — which the Bill brings into scope as an entire class, regulated by the Information Commissioner's Office — critical suppliers are assessed and designated case by case. There is no automatic list; a regulator makes a judgement about a particular supplier's importance to a particular service.
Second, it is expected to be narrow. Government commentary suggests designation will apply to only a small percentage of suppliers — the genuinely load-bearing ones, not every vendor in a supply chain. Being small or obscure is no protection, however: what matters is criticality, not profile. A little-known specialist whose software underpins a hospital's systems can be far more "critical" than a household-name supplier of something easily replaced.
Third, there are carve-outs. Suppliers already regulated under other regimes — for example, under the Communications Act 2003 — are excluded from this designation process, to avoid double regulation.
The precise obligations that will attach to designated suppliers are still being worked out, and the Bill anticipates that the government may use secondary legislation to set out further supply-chain duties. But the direction is unmistakable: designation will bring security requirements and, in all likelihood, incident-reporting duties to organisations that have never carried them before.
Two questions, depending on who you are
This provision lands differently depending on where you sit in the chain.
If you are a supplier, the question is: could we be designated? Any organisation that provides goods or services that an essential-service operator or digital provider genuinely could not function without — and that depend on IT systems — should assume this is a live possibility. Law firms holding sensitive matter data, specialist software vendors, logistics and payment providers, and niche technical suppliers to regulated sectors are all plausible candidates. Designation would not be something you opt into; it would be decided about you.
If you rely on suppliers — which is to say, if you are one of the essential-service operators or digital providers the Bill regulates — the question is: do we know which of our suppliers are critical, and can we prove they are secure? Even where a supplier is not formally designated, your own obligations and due-diligence expectations are rising. Regulators increasingly expect you to understand and manage the security of the third parties your service depends on. The critical-supplier concept is, in effect, the law drawing a line around exactly the relationships you should already be watching most closely.
Are you a critical supplier? Four questions to ask
There is no published list, so organisations will need to make their own honest assessment. Four questions help:
Does an essential-service operator or a digital service provider rely on what we do? Think healthcare, energy, water, transport, financial market infrastructure and large digital platforms.
If we went down, would their service be significantly disrupted? Not merely inconvenienced — materially degraded or halted.
Do our goods or services depend on network and information systems? Almost all modern services do.
Are we already regulated elsewhere for cyber security? If not, the designation power could reach you.
If the answer to the first three is yes and the fourth is no, you should be preparing as though designation is possible — regardless of your size or public profile.
What to do now
The Bill is not yet law, and the detail will firm up as it moves through the Lords and into secondary legislation. But the organisations that prepare early will treat any future designation as a formality rather than a shock.
If you could be designated, start by understanding your own security posture the way a regulator — or a nervous customer — would. Get a clear, evidence-based view of your external security, close obvious exposures, and make sure you could demonstrate good practice on request. Establish who would own incident reporting and how quickly you could notify a customer or regulator. Being able to show maturity is fast becoming a commercial advantage as well as a compliance one; your regulated customers will increasingly ask.
If you depend on critical suppliers, identify them now. Map which third parties would cause you significant harm if disrupted or breached, and move those relationships from periodic, questionnaire-based checks to continuous, outside-in monitoring of their security posture. Tighten the security and incident-notification terms in their contracts. When the designation framework is live, you will already know who your critical suppliers are and how secure they are — rather than scrambling to find out.
The underlying shift
The critical-supplier provision is a small piece of a large Bill, but it captures the whole direction of travel. Cyber regulation is no longer content to stop at the boundary of the obvious, headline organisations. It is reaching into the supply chain to find the suppliers that quietly hold essential services together — and asking whether anyone can actually see how secure they are.
For suppliers and their customers alike, the answer to that question should not be left to a regulator to discover first. The organisations that come through this well will be the ones who already know where their critical dependencies lie, and can show — with evidence, continuously — that those dependencies are secure.
RiskXchange gives organisations continuous, outside-in visibility of their own security posture and that of their entire supply chain. To see where your critical dependencies and exposures sit today, get in touch.
Done reading? See it on your vendors.
Book a 30-minute call and we'll have NOVA, ARIA and REX produce a complete posture report on a vendor of your choice inside 24 hours.