This article was first published by Estates Gazette on 8 April 2026 (here).


As buildings become smarter, they are also becoming more vulnerable. Connected entry systems, remote monitoring, smart HVAC and AI-driven controls are now commonplace across commercial and infrastructure projects. These technologies bring efficiency and insight, but they also expose buildings to new forms of disruption – not only from cyber-attacks, but from operational failures across the supply chain. 

The proposed Cyber Security and Resilience Bill (CSRB) will increase the obligations on those who fail to secure infrastructure facilities. This article considers the flow down impact on building owners, developers and the construction industry.

NIS Regulations

The UK's Network and Information Security Regulations ("NIS Regulations") already require providers of critical national infrastructure (like power, water, and transport) to maintain "appropriate technical and organisational measures" to protect the IT systems that underpin essential services. What is often overlooked is that these obligations go far beyond cyber security and preventing hacking. They expand to operational resilience against a wide range of events that could disrupt IT systems, such as fire, flooding, extreme weather, power outages, telecoms failures, staff shortages, and even vandalism. 

That distinction matters for the construction industry, because the UK government is now preparing to strengthen and expand this regime through the proposed Cyber Security and Resilience Bill (CSRB). While the bill is primarily framed as cyber legislation, its practical impact will be felt far beyond IT teams – and in some cases, far beyond the infrastructure operators it directly regulates.

Supply chains under the spotlight

A critical part of the NIS framework is supply chain resilience. If a critical IT system depends on a third-party data centre, IT vendor or service provider, the failure of that supplier can disrupt essential services, just as surely as a cyber-attack. Recent incidents have made that risk tangible. A cyber-attack on Advanced Software, a healthcare software supplier, led to widespread disruption on NHS services, including NHS 111, and resulted in a £3 million fine by the ICO for security failures [1]. The lesson was clear: resilience is only as strong as the weakest link in the supply chain.

The CSRB is designed to respond to that risk. It will increase potential fines to up to 4% of global turnover (from the current maximum of £17m), expand the list of regulated entities to include electricity load controllers, data centres and managed IT service providers, and ,crucially, give regulators new powers to designate critical suppliers to infrastructure providers and apply NIS Regulations to them directly. This extends beyond IT services – the supplier of any goods or services that are essential to the operation of critical infrastructure IT systems may be caught. For construction companies, developers and building owners, this is where the legislation starts to bite.

Smart buildings, real-world consequences

As buildings incorporate more connected systems, the boundary between a building and the IT systems within it is becoming blurred. Cyber-attacks are no longer limited to data theft; they can cause physical disruption. Attacks on access controls, remote building monitoring systems, or HVAC services can render a building unusable, with immediate commercial consequences. Sometimes the most innocuous connected system can be a risk. In 2017, a vulnerability in a smart thermostat in a fishtank was used to hack into a Las Vegas casino and extract a high-roller database.

As more building systems are connected, similar weaknesses can be introduced during design, installation or commissioning. Infrastructure suppliers, conscious of their regulatory exposure, are likely to insist that building technologies meet their cyber and operational resilience standards. Those requirements will increasingly be flowed down through contracts – from building owners to developers, property managers and construction contractors.

What construction companies should be thinking about now

For many in the construction sector, the CSRB will not create new risks so much as expose existing ones. Questions that were once treated as technical detail are becoming matters of regulatory and contractual responsibility.

At the design and procurement stages, depending on the nature of the project or relevant technologies being incorporated into it, contracts could clearly allocate responsibility for selecting smart technologies and verifying their security and resilience. Installation is equally a critical time to be vigilant. Many cyber-attacks occur during system upgrades or integration, when normal security controls are temporarily weakened to connect new services.

For construction companies that are major suppliers to infrastructure providers, there is a further issue to consider: could your goods or services be regarded as essential to the operation of a critical infrastructure IT system? That risk increases where a supplier is hard to replace, provides a sole or primary service, or where failure would cause immediate disruption. Those factors may become relevant if regulators begin designating critical suppliers under the new regime.

A shift that should not be ignored

To date, enforcement under the NIS Regulations has been relatively restrained. That is expected to change. The CSRB reflects a broader shift towards tougher regulatory action across cyber and operational resilience, driven by growing concern about the disruption of essential services.

For construction companies involved in smart buildings or infrastructure projects, this is not a distant compliance issue. It is a signal that resilience, security and continuity are becoming core commercial considerations, not optional extras.

Cyber law is no longer confined to data centres and server rooms. Increasingly, it is shaping how buildings are designed, built and operated.


Footnotes:

[1] Although this penalty was under the General Data Protection Regulation, the security obligation is similar to that found in the NIS Regulations, with the two regimes designed to work alongside each other.

This article is for general information only and reflects the position at the date of publication. It does not constitute legal advice.