MOVEit Hit Again, CISA Said Isolate: The Compound Lesson UK Mid-Market Cannot Ignore in 2026
CVE-2026-5174 in MOVEit Automation and the CISA isolation-first directive land in the same week. For UK SMEs and charities, the message is one: breach is inevitable, isolation and recovery readiness are not.
Bottom line up front. In the same week, two stories converged. Progress disclosed CVE-2026-5174, a critical authentication-bypass vulnerability in MOVEit Automation. CISA published guidance making network isolation and recovery-readiness practical expectations rather than optional posture for critical-infrastructure operators. Together the two stories tell one operational message for UK mid-market organisations: regulators have shifted the bar from breach prevention to breach containment, and the supplier-questionnaire flows from EU customers reflect the shift. This article walks through what the two headlines actually require, three concrete actions that can be taken inside two working weeks, and how the work maps to NIS2 Article 21 and Article 23 supplier-questionnaire expectations.
The Two Headlines
Progress Software disclosed CVE-2026-5174 in MOVEit Automation in May 2026. This is the latest in a multi-year sequence of high-impact disclosures affecting MOVEit products — the 2023 MOVEit Transfer mass-exploitation incident remains one of the most-cited supply-chain compromise events of recent years, with the Cl0p ransomware group exploiting CVE-2023-34362 against several thousand organisations downstream. The 2026 disclosure does not change the procurement reality but does reinforce the pattern: managed file transfer and B2B file-exchange platforms are a sustained target class.
In the same period, CISA issued updated guidance on network segmentation, isolation-readiness, and recovery-mastery expectations for organisations operating critical infrastructure or supplying critical infrastructure. The guidance is non-binding for non-US organisations directly, but it sets the international benchmark for what cyber-mature procurement teams expect from their suppliers. UK and EU customers reading the same guidance flow the expectation downstream through supplier questionnaires.
The combined message: regulators and large customers have stopped expecting prevention of every intrusion, and have started expecting demonstrable containment. The supplier questionnaire that asks "describe your network segmentation strategy" is the procurement-side reflection of the same shift.
Why This Combination Matters for UK Mid-Market Specifically
The UK does not transpose NIS2 directly. UK SMEs are not classified as "essential" or "important" entities under the EU NIS2 directive; that classification applies inside EU member states. The UK is preparing a separate regime — the Cyber Security and Resilience Bill — with commencement expected in late 2026 or early 2027. In the interim, UK mid-market organisations are exposed to NIS2-style expectations primarily through two channels:
- EU customer supplier questionnaires. EU-headquartered customers classified as NIS2 essential or important entities flow Article 21(d) supply-chain security expectations to their UK suppliers. The questionnaires ask UK suppliers to describe their incident-response capability, isolation readiness, and supplier-of-supplier risk management — irrespective of whether the UK supplier is in NIS2 scope directly.
- Sector regulators with cyber-resilience mandates. The FCA, the PRA, Ofcom and the ICO have all published guidance during 2024-2026 raising expectations around incident response and recovery for the regulated entities they oversee, with downstream effects on the suppliers those entities use.
The UK mid-market band — organisations from approximately 50 to 500 employees — historically under-invested in network isolation, segmentation and tabletop-exercise practice. That band sits below the largest enterprises (which already have segmentation programmes) and above the small SMEs (where the question rarely surfaces). The combined headlines this month remove the deferral excuse for that band.
The CISA Isolation Guidance — What It Actually Expects
Without quoting the guidance verbatim, the practical expectations CISA has signalled across the past twelve months can be summarised as a set of testable capabilities rather than a list of products to buy. The capabilities are:
- Network segmentation that separates production, administrative, database, and third-party-tunnel zones — with documented choke points where traffic between zones is inspected or denied by default.
- The ability to isolate a specific segment in under thirty minutes during an active incident — by either firewall rule, switch ACL, or network-access-control (NAC) policy change, with a documented runbook and a named on-call owner.
- Recovery testing on a documented cadence — restoring critical systems from backup into a clean environment, with measured recovery time and verification of data integrity.
- Documented criteria for declaring an incident "contained" — so that the organisation can communicate that status to customers and regulators with evidence rather than assertion.
The supplier questionnaires UK organisations receive from EU customers now routinely include questions on each of those capabilities. Producing credible answers requires more than a written policy; the assessor or procurement reviewer typically asks for evidence of a recent tabletop exercise or recovery test, not just the document that describes how one would be run.
Three Concrete Actions for the Next Two Working Weeks
The sequence below is designed for an organisation that does not yet have an isolation runbook, has a written incident-response plan but has not tested it, and uses one or more managed file transfer or B2B-integration platforms. The full programme of work to mature these capabilities runs longer than two weeks; the actions below are the productive opening moves.
- Action 1: MFT and file-transfer inventory and patch sweep. List every managed file transfer or automated B2B file exchange platform in use — MOVEit, GoAnywhere, Cleo, Aspera, SFTP servers, vendor-specific exchange portals. For each, confirm the patching responsibility (in-house IT, MSP, or vendor SaaS) and the most recent applied patch level. Where MOVEit Automation is in use, confirm CVE-2026-5174 remediation status against the Progress security advisory. Where applicable, raise the patching status as a board-level note in the next governance review.
- Action 2: Network segmentation map and 30-minute isolation tabletop. Sketch the network on one page: production, administrative, database, third-party-tunnel, and guest segments. Mark the choke points between segments and the controls that enforce them. Run a 30-minute exercise: "An attacker has authenticated as a developer; we need to isolate the developer subnet from production in under thirty minutes." Time the steps. Record the gaps. The gaps usually surface either as a missing runbook step, an unclear on-call ownership, or a firewall rule that exists but has not been tested under load.
- Action 3: Incident-notification templates and Article 23 alignment. Locate the existing incident-notification template — or write one if it does not yet exist. Verify the template captures the data required for NIS2 Article 23 early-warning (within 24 hours of awareness) and formal incident notification (within 72 hours of awareness): the affected service, the suspected vector, the initial impact assessment, and the early containment actions taken. The template is the artefact that goes into the supplier-questionnaire response when the customer asks "have you tested your notification process?"
Mapping to NIS2 Article 21 and Article 23
For organisations whose EU customers flow NIS2 expectations downstream, the three actions above map directly onto Annex I measures and Article 23 reporting:
- Action 1 (MFT patch sweep) — Annex I measure (e) supply-chain security including supplier-relationship security, alongside Annex I measure (i) policies and procedures concerning the use of cryptography.
- Action 2 (segmentation and isolation tabletop) — Annex I measure (b) incident handling, including detection, analysis, containment and recovery. Article 21(2)(b) explicitly requires incident-handling capability; the tabletop is the evidence that the capability has been tested.
- Action 3 (notification template and Article 23 alignment) — Article 23 of the NIS2 directive sets the 24-hour early-warning and 72-hour formal-notification windows. The template is what enables the organisation to meet those windows under pressure rather than improvising.
For UK mid-market organisations preparing for the forthcoming Cyber Security and Resilience Bill, the same evidence base supports the regime when it commences. The Bill is expected to mirror much of the NIS2 measure set, adapted to the UK regulatory landscape; investing in the artefacts now allows them to be reused rather than rebuilt.
What This Article Does Not Cover
This article is a practical opening guide and is not a substitute for either an incident-response retainer, a managed detection and response service, or a cyber-insurance policy. Organisations seriously exposed to the supply-chain attack vector — particularly those handling regulated data, payments, or critical-infrastructure-adjacent services — should pair the three actions above with a longer-term cyber-resilience programme. The three-action programme aims to make the organisation a credible respondent to EU supplier questionnaires while the longer programme is built out, not to replace it.
Where SummitBridge Horizon Fits
The Incident Response Toolkit gives a small team the scaffold for Actions 2 and 3 above: a NIS2-aligned playbook, the 24-hour and 72-hour notification templates, an isolation-procedure checklist, and a tabletop-exercise format suitable for a 90-minute team session. It is not a substitute for an incident-response retainer ahead of a real incident, but it aims to make the organisation's first 24 hours documented and methodical rather than improvised.
The BCP Builder covers the continuity dimension, with the resulting business-continuity plan structured to align with ISO 22301 and NIS2 Article 21(2)(c) expectations on business-continuity planning. The two together produce an evidence pack that responds to most supplier-questionnaire questions in the incident-management and continuity sections, leaving the organisation to fill in the operational specifics.
Information disclaimer
This article is for information only and is not legal or regulatory advice. CVE-2026-5174 remediation guidance is defined by Progress Software in the security advisory accompanying the disclosure; verify the applicable patch level for your deployment with the vendor. NIS2 Article 21 and Article 23 obligations are defined in Directive (EU) 2022/2555, transposed into individual EU member state law; UK organisations are exposed via supplier flows rather than directly. The Cyber Security and Resilience Bill is at the legislative stage at time of writing and the final measures and commencement date may differ from current draft expectations. Verify specific obligations applicable to your organisation with qualified counsel before acting.
Need help with this?
Our team can help you assess where you stand and build a practical remediation plan. Free 30-minute consultation — no obligation.
Book a Free Consultation