Khushboo Kashyap is senior risk and compliance director at Vanta.

Last year (2025) was a wake-up call for security and IT leaders. As AI technologies continued to rise in prominence, so too did complex cyber threats. Some 70% of UK security leaders warn that current security risks have never been higher. From this state of flux, one area of security in particular has emerged as high-risk: supply chains.

This year, the IT industry awaits an upheaval in supply chain management via proposed changes to the Cyber Security and Resilience Bill, which is set to raise expectations for the security of network and information systems.

So, what changes can we expect when this bill comes into force and how can UK IT and security leaders get ahead of this evolving compliance landscape to de-risk their supply chain and protect customer trust?

Supply chains are a silent security threat

The rise of AI technologies has made vendor networks increasingly hard to manage. Shadow supply chains (untracked vendor networks), fast-moving subcontracting, model updates, data-sharing and embedded tooling all compound the complexity. Particularly for large enterprises with a network of tens of thousands of suppliers or more, traditional vendor management relying on legacy infrastructure and manual operations is no longer adequate.

This is where the Cyber Security and Resilience Bill comes in, forcing a shift toward continuous monitoring that can keep pace with AI-driven threats.

The proposed legislation rightly brings systemic dependencies (such as data centres and managed service providers) into scope, reflecting how outages and compromises at those providers actually affect the security posture of the businesses that rely on them. But there are risks associated with the bill.

For example, strict reporting deadlines may unintentionally slow down actual incident handling, as security teams are tied up by the reporting obligations – an initial notification of an incident to regulators within 24 hours and a fuller follow-up report within 72 hours.

In the bill’s upcoming amendments, it’s likely that supply chain security will become a standing governance topic tied to clearer enforcement expectations and penalties. To ensure reporting requirements do not inadvertently slow incident response, the amendments should introduce a clearly defined ‘material/significant impact’ threshold and a good-faith safe harbour.

Standardising the process through a single reporting template and unified submission route to both the regulator and NCSC would balance accountability with operational agility. This way, security teams can spend the first crucial 24 hours on the work that actually protects customers and keeps services running, while the government still gets fast, consistent, and early visibility.

How businesses can regain control

To secure their vendor network, IT and security leaders need to get ahead of regulation at both the operational level and the level of board oversight, or risk scrambling through a game of compliance catch-up.

At a board level, security leaders should implement clear, enforceable standards for security measurement and reporting that command the same degree of board-level dread as the bill’s current penalties for non-compliance, which stand at 4% of turnover.

By implementing evidence-led reporting templates, automated control validation, and continuous monitoring of supplier security posture, businesses can provide the board with real-time assurance, not point-in-time attestations. This approach demonstrates that systemic supplier risk is actively managed without diverting disproportionate time away from frontline threat detection and response.

At an operational level, leaders shouldn’t wait for the bill to be finalised to find out who their ‘critical suppliers’ are. They should start a discovery project to identify every third party that has access to their network or hosts their data and segment them by risk and disruption level.

Mock security scenarios

Organisations should develop and rehearse tiered response plans aligned to supplier risk levels. This should include tabletop exercises with executive leadership, technical simulations, and coordinated incident drills with critical suppliers. Testing escalation paths, reporting timelines, and contractual obligations in advance exposes weaknesses before a real breach does.

Upcoming changes to the bill will likely encourage tighter contractual obligations. Businesses should get ahead of this mandate and implement measures such as incident notification service-level agreements, rights to audit and evidence provisions, continuous monitoring, and software bills of materials (SBOMs).

Supply chains have become increasingly complex and difficult to govern, emerging as one of the most significant risk vectors for enterprises. Upcoming mandates, including the Cyber Security and Resilience Bill, will provide important guardrails for IT and security leaders looking to reduce systemic exposure.

But regulation alone will not make supply chains resilient. Organisations must proactively assess their vendor ecosystems, identify critical dependencies, and implement rigorous response and reporting frameworks to reduce risk before it disrupts operations or erodes customer trust.