Quick Access
cybersecurity compliance

Featured in Open Access Government: the Cyber Security and Resilience Bill

Our Managing Director Andrew Ingram writes for Open Access Government on the Cyber Security and Resilience Bill — and what it means for the smaller organisations that will never be regulated by it directly.

High Tide Group 4 min read

Our Managing Director, Andrew Ingram, has written for Open Access Government on the Cyber Security and Resilience Bill — the most significant overhaul of UK cyber security law since 2018, and one that reaches considerably further than most businesses realise.

Read the full article on Open Access Government →

It is the third piece Andrew has contributed to the publication, following earlier articles on the shifting cyber-threat landscape and on building resilience into the way organisations actually operate.

Why it matters to organisations the Bill doesn't name

The Bill is aimed at essential services, data centres, cloud infrastructure — and, for the first time, at managed service providers like us. On paper, that leaves most small businesses, charities and practices across the North East comfortably out of scope.

In practice, that is not how regulation of this kind lands. It travels down the supply chain. Once the organisations above you carry a legal duty to manage the risk their suppliers introduce, that duty arrives on your desk — as a security questionnaire, a contract clause, or a condition of renewal. If you sell into the public sector, into healthcare, or into any larger business that does, you will feel this Bill whether or not it names you.

The exercise that costs nothing

The question Andrew keeps returning to is one we ask every client, and it needs no budget and no technology to answer:

If every screen in the building went dark tomorrow morning, what would you actually do?

Not in theory. In practice. Is your IT provider's number stored only in the system you can no longer reach? Does anyone in the building have the authority to declare an incident and start the plan? Has anyone other than the person who wrote it ever read it?

A continuity plan that lives on the file server you have just lost is not a plan. A good one is short, printed, and known to more than one person. And it belongs to the business rather than the IT department — which is why continuity at High Tide sits with Helen, our CFO, and not with the engineers.

Backups are not resilience. Backups are one component of resilience, and an untested backup is not even that.

Where we stand

High Tide Group holds ISO 27001:2022 and Cyber Essentials Plus, and we operate our own network under AS211501. Being brought into scope by this Bill is not something we are scrambling to respond to — the duty to register and to maintain proportionate security largely describes how we already run.

That matters to our clients for a straightforward reason: when the questionnaire lands on your desk, the answers you give about your IT provider are answers we can already evidence.

Where to start

If you would like a plain view of where your organisation stands — continuity planning, backup testing, incident response, Cyber Essentials readiness — we will do that as a conversation, not a sales pitch.

Get in touch with our team, or read more about our IT security services and managed IT support in Hartlepool.

Need IT help?

Talk to our team about how High Tide can support your business. Call 01429 818332 or send us a message.

Get in touch →