The Cyber Security and Resilience (Network and Information Systems) Bill ("the Bill") has been introduced in Parliament, setting out a major overhaul of the UK regulatory framework underpinning the cyber defence of essential public services.
At the time of writing, the Bill has passed the formality of first reading stage, with second reading due to take place on a date to be announced. Responses from regulators and industry bodies to the Bill have been positive, with both the ICO and the ABI welcoming the emphasis on increasing resilience.
The Bill is a response to the growing risk to essential public services from cyber attacks. In the year up to September 2025, the National Cyber Security Centre managed just under 430 cyber incidents, 204 of which were considered to be 'nationally significant', with almost twenty being considered 'highly significant'. The major disruptions caused to retailers and manufacturers by cyber attacks this year reflect this developing problem.
The existing Network and Information Systems (NIS) Regulations 2018 implemented the EU NIS Directive into UK law. Post-Implementation Reviews in 2020 and 2022 concluded that the Regulations were not fit for purpose due to the changing threat environment. Attempts to update the Regulations under the previous government were abandoned and, despite the Bill's announcement in the 2024 King's Speech, the text of the legislation has been long-awaited. The Bill will strengthen the UK's overall cyber security framework and align more closely with the EU's approach to network and information services, especially in light of the recent adoption and implementation of the NIS2 Directive.
What the Bill covers
Currently, the NIS Regulations impose cyber security requirements on two groups of organisations: (i) operators of essential services (“OES”) (transport, energy, water, health, and digital infrastructure sectors); and (ii) relevant digital service providers (“RDSP”) (online marketplaces, online search engines, and cloud computing services).
Those organisations are currently required to take "appropriate and proportionate technical and organisational measures" to manage risks to the network and information systems on which their service relies.
The Bill proposes directly amending the Regulations, and making the following changes:
Expansion of regulatory scope
- Medium and large relevant managed service providers (RMSPs) will be brought into scope. As organisations providing ongoing IT and cyber security services to other organisations, RMSPs are often given direct access to their customers' networks and systems. RMSPs will be subject to similar duties as RDSPs, including risk management, incident reporting, and regulatory oversight by the Information Commission.
- Data centres with a rated IT load of 1MW or more (or 10MW for enterprise-only data centres) will be brought into scope as OES. Since data centres are currently not subject to minimum cybersecurity standards, their critical role in the UK's digital infrastructure calls for improved cyber resilience (having also been designated Critical National Infrastructure in 2024). Ofcom and the Department for Science, Innovation and Technology (DSIT) will act as joint regulators.
- Large load controllers (organisations controlling 300MW or more of electrical load) will be designated as OES. They will be subject to joint regulation by the Department for Energy Security and Net Zero (DESNZ) and Ofgem.
Designation of 'critical suppliers'
- A new framework will allow certain suppliers to OES, RDSPs, or RMSPs to be designated as 'critical suppliers'. The Bill's explanatory notes identify a diagnostic laboratory supplier providing pathology testing services for healthcare services (an OES) as an example. A ransomware attack on that supplier's network and digital systems could cause widespread disruption.
- Entities will be classified as such if their network and information systems are critical to the provision of regulated services, and if any disruption could result in a substantial impact on the economy or society. The supply of goods that are in scope of the power of designation includes those provided from outside the UK, as well as within it.
- Critical suppliers will be subject to security, incident reporting and other regulatory duties; those requirements will be set through secondary regulations.
Incident reporting
- A two-stage incident reporting regime will be introduced for OES: an initial notification within 24 hours of becoming aware of a significant incident, followed by a full report within 72 hours.
- The definition of an 'incident' will be amended to include events having, or capable of having, an actual adverse effect on the operation or security of network and information systems even if not yet causing significant disruption (examples including pre-positioning for an attack or ransomware).
- Regulated entities must notify affected customers of significant incidents. This enhances transparency and enables customers to take mitigating action. Incident notifications must also be sent to the NCSC (as the UK’s Computer Security Incident Response Team).
- Data centres are subject to their own reporting regime dealing with 'data centre incidents'.
Regulatory powers and enforcement
- Regulators will be provided with additional powers to gather information, impose charges, and enforce compliance. For example, they will be given the ability to recover the full costs of their regulatory activities through periodic charges.
- Financial penalties for non-compliance will be increased, with maximum fines of up to £17 million or 4% of worldwide turnover (and up to 10% for certain breaches, subject to future regulations).
- Regulators will be required to publish guidance and coordinate with each other, especially in relation to critical suppliers.
Powers of the Secretary of State
- The Secretary of State will be given a number of strategic and national security powers, including the ability to publish a Statement of Strategic Priorities, setting unified objectives for regulators across sectors. Parliament will be provided with regular 12-month reporting on the steps that the regulators have taken to meet their duties and their plans for the coming year.
- In addition, the Secretary of State will be entitled to make regulations to bring additional sectors or services into scope, update security requirements, and issue codes of practice.
- Powers will be given to issue directions to regulators or regulated entities to take specific actions in response to national security threats. Any such direction would take precedence over conflicting existing regulatory obligations.
- The Secretary of State may issue (and later withdraw) codes of practice to assist regulated entities in complying with their duties. Regulators must have regard to these codes when issuing guidance or assessing compliance.
Where next? The UK's wider approach to cyber security
The Bill is part of the framework of legislation, regulation and guidance that underpins cyber security in the UK. Earlier this year, colleagues from our Data, Privacy and Cyber team reflected on the key cyber security laws in the UK, ranging from the UK GDPR through to sector-specific and product-specific legislation.
The UK approach to cyber security is multifaceted, but the current aims of government can be summarised in two words: building resilience. The National Cyber Strategy, published in December 2021, highlighted that there was "growing evidence of gaps in our national resilience."
However, the current approach has not been without criticism. It was announced earlier this year that a new National Cyber Strategy will be published before the end of 2025. At the time of writing, it has not been published. There has been some critique following reports that the Strategy will only be 'refreshed' and not subject to a wholesale change. Commentary from the Royal United Services Institute, issued prior to the publication of the Bill, stated that "there is a growing recognition from at least some parts of the UK cyber policy ecosystem that the current approach is not sustainable."
In recent months, the government and the NCSC have issued correspondence to both small business owners and leading UK companies, emphasising the importance of protection against cyber attacks. Small businesses have been encouraged to use the Cyber Action Toolkit and the NCSC Cyber Essentials scheme. Leading UK companies have been encouraged to use the Cyber Essentials scheme and the NCSC Early Warning service, and a number of Codes of Practice covering various issues of interest.
To ensure that cyber risk is made a board-level priority, the Cyber Governance Code of Practice formalises expectations for organisational governance of cyber security. Directed at medium and large businesses, it sets out the actions that directors and non-executive directors should be responsible for. The Software Security Code of Practice is designed to improve the security and resilience of software, with the AI Cyber Security Code of Practice setting out baseline cyber security principles to help secure AI systems. However, these codes of practice are voluntary, which is reflective of wider criticism of the UK cyber policy ecosystem identified by RUSI "as ‘busy’ without being effective." Against this background, the progression of the Bill and wider developments will be awaited with great interest.
