
The Cyber Security and Resilience (Network and Information Systems) Bill, which is currently making its way through Parliament, represents the most significant overhaul of the UK's cybersecurity regulatory framework since the Network and Information Systems Regulations in 2018.

The Bill updates these 2018 regulations and delivers new powers enabling government to respond to new and emerging cyber threats by bringing more entities into scope, giving regulators more proportionate powers, and providing government with more agile powers to amend the framework in future to respond to imminent or actual national security threats.

The Bill, which came about as a result of a public consultation on improving the UK's cyber resilience, was introduced in the House of Commons on 12 November 2025 and has been progressing through Committee stage during January and February 2026. Whilst the government has indicated alignment with the broad principles of the EU's NIS2 Directive, this Bill represents a distinctly UK approach to strengthening cyber resilience across critical infrastructure and digital services.

Why now?

The cyber threat landscape has evolved dramatically across the world since 2018; however, the latest data shows that the UK is the most targeted country in Europe for cyber-attacks. According to KPMG, the estimated annual cost of significant cyber-attacks on the UK economy is a staggering £14.7 billion.

Recent high-profile incidents affecting major UK institutions such as the NHS and the Ministry of Defence, and businesses such as Marks & Spencer and Jaguar Land Rover, have demonstrated the devastating operational and financial impact of cyber-attacks, with incidents ranging from sophisticated social engineering to ransomware deployment. The Bill expands the definition of reportable incident beyond "significant disruption" to capture incidents compromising integrity or security, including "pre-positioning" and ransomware. This reflects a growing recognition of the importance of understanding risk at preparatory stages, before attackers establish footholds within systems in order to launch attacks.

Who will be affected?

In addition to the organisations already regulated by the NIS regulations, including operators of essential services in the water, health, energy, transport and digital infrastructure sectors, and relevant digital service providers (online marketplaces, online search engines and cloud computing services), the Bill brings the following new types of organisation under regulation:

  • Medium and large managed service providers (MSPs, overseen by the Information Commission). MSPs are companies that provide ongoing IT support and management to other businesses by connecting to their computer systems.
  • Data centres meeting certain size thresholds (overseen by Ofcom). Data centres house the servers and technology that store and process digital data. Those with an IT capacity of 1MW or more fall within scope, or 10MW or more if they only serve their own organisation.
  • Large load controllers managing 300MW or more of electrical load (overseen by the Department for Energy Security and Net Zero (DESNZ) and Ofgem). Large load controllers remotely manage electricity flow to smart appliances like EV chargers and heat pumps.
  • Critical suppliers that provide essential services to regulated organisations, if a cyber incident affecting them could cause major disruption to the economy or society. Such suppliers will be designated under the legislation and will receive written notice of that intention, following which they can make representations or appeal against their designation.

A key aspect of the Bill is to ensure it covers the risk arising from the increasing interconnectivity of businesses, and the knock-on effect that an exploited vulnerability in one organisation can have on others, sometimes a significant number of interconnected businesses, whether they use the same MSP or rely on the same data centres or suppliers.

What changes are coming?

Faster incident reporting and customer notifications

The Bill introduces two-stage reporting: an initial notification within 24 hours and a full report within 72 hours, with parallel copies to the National Cyber Security Centre in its capacity as the computer security incident response team (CSIRT), accelerating coordination during incidents in alignment with NIS2.

Following full incident notification, regulated entities must identify and notify affected UK customers, explaining the incident nature and likely adverse effects.

Enhanced regulatory powers and penalties

The Bill expands powers to require information and documents and has extraterritorial reach to reflect the borderless nature of cyber threats and the need for regulators to gather information efficiently across jurisdictions.

The potential penalties for non-compliance are eye-watering, with the standard maximum being £10m or 2% of worldwide turnover, whilst the higher maximum – for more serious breaches – will be £17m or 4% of worldwide turnover (whichever is higher), with a power to increase turnover-based penalties up to a maximum of 10% of worldwide turnover. Regulators will also have the power to impose daily fines of up to £100,000 for continuing contraventions. These substantial penalties underscore the seriousness with which government views the cyber resilience obligations placed on organisations.

The Bill also introduces a new cost recovery framework, enabling regulators to recover the full costs of their activities through a periodic fee, with safeguards including transparency and consultation requirements. The ICO has welcomed this, highlighting the importance of allowing regulators to meet their increased day-to-day running costs, whilst also ensuring that costs can be recovered specifically for activities such as inspections and enforcement action as necessary. Regulated entities should therefore anticipate these regulatory fees on top of compliance costs.

Future-proofing

The Bill includes a power for the Secretary of State to broaden the scope to new "essential activities" provided that they are essential to the economy or day-to-day functioning of society. This delegated power provides agility and flexibility to respond to emerging technologies and evolving threat landscapes without the burden of requiring primary legislation.

National security threats

The Secretary of State also gains the power to direct regulated persons to act where a security or operational compromise (or threat) poses a national security risk. Compliance with such a direction may even take priority over conflicting regulatory obligations in certain circumstances. These provisions grant the government significant emergency powers in situations involving national security threats.

What should organisations do now?

Whilst the Bill is not anticipated to come fully into force until 2028, organisations potentially caught by the expanded scope should begin assessing whether they meet the thresholds for managed service providers, data centre operators, or load controllers now. For those already regulated as operators of essential services or relevant digital service providers, preparing for tighter incident reporting timelines and enhanced information-sharing requirements should be the priorities.

Supply chain mapping is increasingly important. The critical suppliers regime means that businesses may find themselves regulated not because of their own classification but because of their role in supporting critical infrastructure or digital services. Understanding customer dependencies and potential designation risks will be essential.

Incident response plans must be reviewed and updated to accommodate 24-hour and 72-hour reporting obligations. This is not merely a compliance exercise but requires practical consideration of detection capabilities, internal escalation procedures, and availability of key decision-makers. Organisations should also consider customer communication protocols, particularly data centre operators and service providers who may need to notify affected customers promptly following incidents.

With the Bill progressing rapidly through parliament and the development of subordinate legislation and codes of practice to provide detailed implementation guidance on the horizon, there is much to do. The cyber risk and regulatory landscape is evolving, and staying informed will be critical to ensuring compliance whilst maintaining operational resilience.

If you would like support in understanding how the Cyber Security and Resilience Bill may affect your organisation or assistance in preparing for compliance, please get in touch with our specialist cyber team.