Preparing for the Cyber Security and Resilience Bill (CSRB): Compliance Insights from the Field
I've spent the last few months talking to partners and prospects across EMEA about the upcoming Cyber Security and Resilience Bill, and there's a common theme: everyone knows it's coming, but most aren't sure where to start.
The conversations usually begin with "Is this just another compliance checkbox?" and end with "How do we actually implement this without ripping out our entire infrastructure?"
Here's what I've learnt from these discussions.
What is the Cyber Security and Resilience Bill?
The Cyber Security and Resilience Bill (abbreviated as CSRB or CS&R) is a proposed UK law designed to strengthen national cyber defences and improve the resilience of critical infrastructure, services, and supply chains.
The CSRB updates and expands the existing NIS regulations to cover more sectors, strengthen regulators' powers, and require faster, clearer reporting of cyber incidents.
Not Your Standard Compliance Framework
The first thing prospects usually ask about is the Bill's deadlines and fines.
But as we dig into their actual environment, it becomes clear that compliance with the Bill is less about avoiding penalties and more about forcing a fundamental reconsideration of how organisations approach infrastructure access.
In conversations with prospects, the Bill frequently comes up in four main areas:
- Supply chain security — One partner told me they have 47 third-party vendors with some level of infrastructure access. When I asked how they manage that access, the answer was "VPNs and shared credentials." That's exactly one of the problems the Bill is trying to address.
- Incident response planning — The Bill will require initial notification within 24 hours and a full incident report within 72 hours. Most organisations have some plan, but when I ask, "Can you tell me within 72 hours who accessed what before a breach?" — the answer is usually silence.
- Risk management frameworks — I've seen everything from Excel spreadsheets to sophisticated tools, but very few can actually demonstrate continuous risk assessment of access across their entire stack.
- Enhanced reporting — The Bill will require detailed incident reporting, including notifying affected customers. The challenge? Most customers can't even tell me who has standing access to their production databases right now, let alone reconstruct what happened during an incident.
The Real Challenge: Legacy Access Models
Here's what I see in almost every environment: a mix of SSH keys (sometimes many years old), database passwords in configuration files, VPN credentials shared across teams, and Kubernetes service account tokens that never expire.
"We found SSH keys in our systems from employees who left three years ago," one prospect told me candidly.
This isn't negligence. It's the result of infrastructure that's grown organically over years, with access controls bolted on as an afterthought. The Cyber Security and Resilience Bill is forcing everyone to confront this reality.
How Teleport Fits into CSRB Requirements
To be clear: Teleport isn't a magic compliance button. But after walking dozens of customers through their Bill requirements, I've found it solves many of the actual problems they're facing, including:
- Certificate-based authentication — Those SSH keys from three years ago? They're replaced with certificates that expire after hours, not years. Database passwords? Gone, replaced with short-lived certificates issued based on the user's identity, grounded in physical-world attributes like biometrics.
- Unified access management — Instead of managing SSH keys across 500 servers, VPN access for contractors, database credentials in vault systems, and Kubernetes RBAC separately, everything is controlled through one system — Teleport. This helped one customer reduce their access management tools from seven different systems to just one.
- Identity-based third-party access — Remember those 47 vendors? With Teleport, each one is issued just-in-time, short-lived access based on their SSO identity for exactly the task at hand — which then expires automatically. No shared credentials, no VPN configurations, no SSH keys to rotate.
- Just-in-Time (JIT) access — Teleport simplifies JIT access to eliminate the standing privileges that become the initial attack vector. For the incident response component of the CSRB, customers are using this to implement access requests where engineers request access for a specific duration, get approval via Slack, and access automatically expires.
- Actual audit trails — The Bill will require comprehensive logging and 72-hour incident reporting. Teleport records every command, every database query, every kubectl command and traces it to the identity responsible. One customer showed their auditor a complete session replay of a contractor's access six months prior.
The auditor's response? "This is the first time I've actually seen what someone did, not just that they logged in."
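As an added illustration (not Teleport's code or the author's), here is how the "who accessed what in the hours before a breach" question from the incident-response item can be answered from an exported audit log: it parses JSON-lines events, keeps only those inside a lookback window before the incident, and groups the resources touched by identity. The event types and field names are assumptions modelled on Teleport's audit events, and the sample events are constructed for the example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the JSON-lines shape of a Teleport audit export; the
# field names are assumptions, so check them against your own cluster's log.
# The fourth event is three days old and the fifth is deliberately malformed.
SAMPLE_EVENTS = "\n".join([
    '{"event":"session.start","time":"2025-03-10T08:02:11Z","user":"alice@example.com","server_hostname":"db-proxy-1"}',
    '{"event":"db.session.query","time":"2025-03-10T09:15:40Z","user":"vendor-7@msp.example","db_service":"payments-prod","db_name":"ledger","db_query":"SELECT * FROM accounts"}',
    '{"event":"kube.request","time":"2025-03-10T10:30:05Z","user":"bob@example.com","kubernetes_cluster":"prod","verb":"delete","resource":"pods"}',
    '{"event":"session.start","time":"2025-03-07T11:00:00Z","user":"carol@example.com","server_hostname":"bastion"}',
    'not json at all',
])


def _ts(value: str) -> datetime:
    """Timestamps are RFC 3339 with a trailing Z; return an aware UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_events(lines: str) -> list[dict]:
    """Parse a JSON-lines export; a malformed line must not abort the timeline."""
    events = []
    for line in lines.splitlines():
        try:
            evt = json.loads(line)
        except json.JSONDecodeError:
            continue
        evt["_ts"] = _ts(evt["time"])
        events.append(evt)
    return events


def describe_target(evt: dict) -> str:
    """Reduce an event to the resource it touched, keyed on the event type."""
    kind = evt["event"]
    if kind == "session.start":
        return f"ssh:{evt.get('server_hostname', '?')}"
    if kind == "db.session.query":
        return f"db:{evt.get('db_service', '?')}/{evt.get('db_name', '?')}"
    if kind == "kube.request":
        return f"k8s:{evt.get('kubernetes_cluster', '?')} {evt.get('verb', '?')} {evt.get('resource', '?')}"
    return kind


def access_before(events: list[dict], incident_at: str, lookback_hours: float) -> dict[str, list[str]]:
    """Map each identity to the targets it touched in the lookback window before the incident."""
    end = _ts(incident_at)
    start = end - timedelta(hours=lookback_hours)
    by_user: dict[str, list[str]] = defaultdict(list)
    for evt in sorted(events, key=lambda e: e["_ts"]):
        if start <= evt["_ts"] <= end:
            by_user[evt["user"]].append(describe_target(evt))
    return dict(by_user)
```

Calling `access_before(parse_events(SAMPLE_EVENTS), "2025-03-10T12:00:00Z", 48)` returns the three identities active in the 48 hours before the incident, with the vendor's database session and the Kubernetes delete attributed to named users rather than a shared account.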
A Real-World Example
Let me share a concrete example from a recent proof of concept.
A financial services company needed to give their managed security provider access to investigate alerts. Previously, this would have involved:
- Creating a VPN account
- Generating SSH keys
- Sharing credentials via "secure" email
- Manually revoking everything later (maybe)
With Teleport, all they needed to do was:
- Send the provider a link
- Provider authenticates via their own SSO
- Gets time-limited access to specific systems
- Everything they do is recorded
- Access automatically expires
This took access provisioning time from days to minutes, giving their engineers valuable time back and significantly strengthening their security posture. These are the kinds of outcomes the Bill is pushing everyone towards.
How I'm Telling Customers to Approach CSRB
When prospects ask where to start, here's my advice based on what's worked:
- Audit your current access: You can't secure what you don't know about. Most organisations are shocked when they actually inventory who has access to what.
- Start with your crown jewels: Don't try to solve everything at once. Pick your production databases or your critical applications and get those under proper access control first.
- Think about your supply chain: Third-party and contractor access is where most organisations are most vulnerable and least compliant with the Bill's requirements.
- Plan for the audit trail: The Bill requires comprehensive reporting. If you can't demonstrate who accessed what and when, you're not compliant. Full stop.
Final Thoughts
The Cyber Security and Resilience Bill isn't going away, and the deadline will approach faster than most organisations think.
Here's the thing: every customer I've helped through this has ended up with better security, not just better compliance. They've reduced their attack surface, eliminated credential sprawl, and gained visibility they never had before.
The Bill is forcing a conversation that should have happened years ago: how do we control access to our infrastructure in a way that's secure, auditable, and doesn't drive our engineers mad?
If you're grappling with these same challenges, I'm happy to talk through your specific situation.
Next Steps
Teleport transforms your cloud and data centers into secure, trusted computing environments to accelerate engineering, simplify compliance, and scale to new tech.
- Learn how Teleport simplifies compliance for DORA, NIS2, SOC 2, and more
- Contact our team for a demo
- Start a free trial of Teleport