Cyber Security and Resilience (Network and Information Systems) Bill — Written evidence submitted by Capita (CSRB33)
Parliament bill publication: Written evidence. Commons.
Capita plc www.capita.com
Public
Written Evidence Submission on Cyber Security and Resilience Bill
Capita Submission
Feedback on the Cyber Security and Resilience Bill
Capita Submission
Capita plc
09.02.2026 Public
Contents
1 Executive Summary
Introduction
General Position
2 Specific Feedback
Scope and Definitions
Incident Reporting
Resilience Requirements
Implementation Considerations
3 Conclusion
Capita plc Page 1 of 3
26/11/2025 Public
1 Executive Summary
Capita strongly supports the Cyber Security and Resilience Bill’s aim to strengthen the UK’s cyber
posture and align with evolving threats. Our feedback focuses on four key areas:
• Scope and Definitions: Stronger clarification of “managed service” and critical supplier
designation criteria to avoid ambiguity in differing scenarios.
• Incident Reporting: Confirm timelines (24-hour initial, 72-hour detailed) but provide guidance on
the required level of detail and allow flexibility for complex investigations.
• Resilience Requirements: Define minimum standards for supply chain security and ensure
proportionality in Secretary of State powers.
• Implementation: Minimise duplication for organisations with existing frameworks and provide
practical guidance to accelerate compliance.
We encourage DSIT to maintain industry engagement and publish clear, actionable guidance to ensure
effective and proportionate implementation.
Introduction
As Chief Information Security Officer, I welcome the intent of the Cyber Security and Resilience Bill to
strengthen the UK’s cyber posture and align with evolving threat landscapes. The proposed measures
reflect the critical need for resilience across essential services and supply chains.
General Position
• We support the Bill’s objectives to enhance incident reporting, improve supply chain security, and
provide flexibility for future regulatory updates.
• The alignment with NIS2 principles is a positive step towards harmonising UK and EU standards.
2 Specific Feedback
Scope and Definitions
• Managed Service Providers (MSPs): Greater clarity is needed on the definition of “managed
service” and designation criteria for critical suppliers. Ambiguity may lead to inconsistent
interpretation across sectors and unnecessary time and effort in attempting to satisfy ambiguous
requirements.
• Critical Supplier Designation: Recommend publishing clear thresholds and examples to ensure
transparency and predictability.
Incident Reporting
• Timelines: The proposed 24-hour initial notification and 72-hour detailed report are reasonable;
however:
- Guidance should specify what constitutes “sufficient detail” at each stage.
- Consider flexibility for complex investigations where root cause analysis may exceed 72 hours.
• Reporting Channels: A single, secure reporting portal would streamline compliance and reduce
duplication.
Resilience Requirements
• Supply Chain Security: Support the inclusion of security duties for suppliers but request:
- Clear minimum standards for contractual obligations.
- Practical guidance for SMEs to avoid disproportionate compliance burden.
• Secretary of State Powers: While necessary for national security, recommend safeguards to
ensure proportionality and industry consultation before issuing directions.
Implementation Considerations
• Impact Assessment: For organisations already operating under robust frameworks (e.g., NCSC
guidance, ISO 27001), the Bill should minimise duplication.
• Support for Industry: Provision of templates, FAQs, and sector-specific guidance will accelerate
adoption and reduce compliance costs.
3 Conclusion
Capita is committed to supporting the UK’s cyber resilience objectives. We encourage DSIT to:
• Provide clarity on definitions and thresholds.
• Offer practical guidance for incident reporting and supply chain obligations.
• Engage industry in ongoing consultation to ensure measures remain proportionate and effective.