
UK Cyber Security and Resilience Bill – What You Need to Know


Recent months have seen a series of high-profile cyber security breaches that have affected UK companies and disrupted supply chains. Against this backdrop, the Cyber Security and Resilience (Network and Information Systems) Bill (Bill) was introduced to Parliament last month (12 November 2025). First announced in the King’s Speech last year, the Bill intends to update the Network and Information Systems Regulations 2018 (NIS Regulations) by expanding their scope, increasing requirements and enhancing regulators’ powers. We have previously reported on the Bill here and here.

The NIS Regulations place security and resilience requirements on organisations involved in the delivery of critical services (including some digital services), and are based on the EU’s NIS Directive. The EU replaced the NIS Directive with the NIS 2 Directive (NIS2) post-Brexit. Many elements of the Bill align with NIS2, with some UK-specific differences.

Expanded Scope

Currently, the NIS Regulations apply to “operators of essential services” (OES) and “relevant digital service providers” (RDSP) in critical infrastructure sectors such as energy, transport, health, drinking water and digital infrastructure.

Under the Bill, obligations will be expanded to cover more sectors and entities, including:

  1. Data Centres – data centres above 1MW capacity and enterprise data centres above 10MW capacity, with the Department for Science, Innovation and Technology and Ofcom acting as joint regulators. However, unlike NIS2, the UK government would exempt companies operating in a broader set of sectors, such as postal services, waste management, chemical, food, manufacturing and research.
  2. Managed Service Providers (MSPs) – companies providing outsourced IT services, such as IT helpdesks and cyber security services other than those classified as micro or small enterprises. The UK government estimates there will be an additional 900 to 1,100 in-scope MSP entities.
  3. Large Load Controllers – organisations managing electrical load for smart appliances (such as electric vehicle charging) with potential electrical control equal to or greater than 300MW.
  4. Designated Critical Suppliers – the Bill will introduce new powers for the relevant regulators, including the power for the ICO to designate certain suppliers as “critical suppliers”, bringing suppliers to essential services (such as the NHS) into the regime. Under the current proposals, organisations will only be designated as critical suppliers after a consultation between the designating authority and the organisation concerned.

Incident Reporting

Under the current NIS Regulations, OES and RDSPs are required to report cyber incidents within 72 hours. The new regime will expand reporting requirements to include incidents that are capable of having a significant impact on the provision of essential and relevant digital services, consequently bringing ransomware attacks within the reporting requirements.

The Bill also introduces a two-stage reporting process for significant cyber incidents, where businesses are required to notify regulators within 24 hours and provide an incident report within 72 hours. Organisations will also be required to notify their customers directly as soon as reasonably practicable where customers are likely to be adversely affected, rather than the regulator doing so under the current regime.

Sanctions

The Bill also plans to increase financial penalties for non-compliance, adopting a model similar to the UK GDPR by introducing two bands of penalties: a standard maximum of the higher of £10 million or 2% of global turnover, and, for more serious failures, the higher of £17 million or 4% of global turnover. Regulators will also be empowered to recover the full costs of enforcement.

What should businesses be doing?

As this is the first reading of the Bill, changes may occur before it is enacted, and it is anticipated that once in force (likely to be next year) it will be supplemented by further secondary legislation and guidance. Businesses falling within the scope of the NIS Regulations and those who are likely to be brought in-scope should monitor developments closely and assess their cyber security resilience strategy.

In particular, organisations operating in regulated sectors should consider the following practical steps:

  1. Conduct a gap analysis of their existing cyber and physical security measures and business continuity plans against the anticipated changes.
  2. Review internal reporting processes and policies to ensure that they can meet the enhanced reporting requirements within the new, shorter timeframes.
  3. Examine their existing supply chains to identify critical suppliers and ensure that contracts with suppliers contain sufficient controls, including notification requirements.
  4. Ensure that cyber insurance coverage is sufficient to cover their exposure.

For advice on the Bill and how these changes may affect your business, please contact Hamish Corner, Madelin Sinclair McAusland, Amanda Leiu or a member of Burges Salmon's Commercial & Technology team.

This article was written by Harriette Alcock and Amanda Leiu.
