The Cyber Security and Resilience (Network and Information Systems) Bill (the Bill) was introduced to Parliament on 12 November 2025. Once it becomes law, it will bring significant change to the UK's cyber legislative framework. This landmark reform aims to strengthen national security, protect critical infrastructure and address the escalating threat of cyberattacks that cost the UK economy an estimated £14.7 billion annually.

Cyberattacks have surged by 50% in the past year, according to the UK National Cyber Security Centre (NCSC) Annual Review 2025, with high-profile incidents disrupting essential services and supply chains. Recent ransomware attacks on major brands and businesses have highlighted systemic vulnerabilities and the real-world consequences of cyber resilience gaps.

The Bill seeks to modernise the UK’s only cross-sector cyber regulations, the Network and Information Systems Regulations 2018 (NIS Regulations), aligning the UK's regulatory framework with the EU’s NIS2 Directive while introducing tougher enforcement powers and a broader scope.

Following on from our insight earlier in the year on the government's policy statement for the Bill, this article now outlines the key legislative provisions set out in the Bill and what they will mean for businesses.

Key features of the Bill

1. Expanded regulatory scope

The Bill significantly widens the net of regulated entities. In addition to operators of essential services (OES) in the healthcare, energy, drinking water, transport and digital infrastructure sectors, as well as relevant digital service providers (RDSPs) (online marketplaces, online search engines, cloud computing services), the following will now fall under direct regulation:

  • Managed Service Providers (MSPs): Some medium and large MSPs, referred to as Relevant Managed Service Providers (RMSPs) in the Bill, will be brought into scope. The Information Commissioner's Office (ICO) (soon to be the Information Commission) will be their regulator.
  • Data centre infrastructure: UK data centres at or above 1MW capacity will be brought into scope. Data centre services provided on an enterprise basis (serving the operator's own undertaking only) will be brought into scope if they are at or above 10MW capacity. Whilst designated as OESs, data centre operators may be subject to some differences in applicable duties (e.g. for incident reporting) compared to other OESs.
  • Large load controllers: Organisations that remotely control consumer appliances and devices amounting to 300MW or more of electrical load will be designated as OESs. The Department for Energy Security and Net Zero and Ofgem will act as joint regulator. This will bring large load controllers in line with other energy infrastructure.

This expansion reflects the growing recognition that supply chain vulnerabilities are a prime target for attackers.

2. Enabling critical suppliers to be designated and regulated

Regulators will be granted powers to designate and regulate organisations as "critical suppliers". Regulators will be able to designate a supplier of goods or services to OESs, RDSPs or RMSPs as critical if set criteria apply. This will address situations where an incident disrupts a supplier from delivering goods or services and that disruption is likely to have a significant impact on the economy or the day-to-day functioning of society in all or part of the UK. Often this will be because the supplier's systems are used as a route for attackers to target an essential or digital service provider. The duties and incident reporting requirements that apply to critical suppliers will be set through regulations.

3. Strengthening incident reporting

One of the most impactful changes is the introduction of stricter reporting timelines.

A two-stage reporting structure is introduced. For a significant incident, in-scope organisations must give:

  • Initial notification within 24 hours
  • Full report within 72 hours

In parallel with reporting to their regulator, a copy of the incident notifications and a full report must be sent to the NCSC.

This requirement aims to give regulators and the NCSC a clearer picture of emerging threats. Failure to comply could result in daily fines of up to £100,000 or penalties linked to annual turnover (see 4).

The definition of a reportable incident is expanded to capture a broader range of incidents. Currently the threshold for reporting an incident is that it is causing significant disruption to an essential or digital service. This does not capture attacks that have compromised the integrity or security of a system in a way which could have significant impacts in the future, such as pre-positioning (where attackers gain access to or presence within networks in order to cause significant disruption later) and ransomware incidents (where malicious software infects a victim's systems, preventing or impairing access to them and often facilitating the theft of personal or sensitive data, followed by a demand for payment). The Bill puts forward measures which will require those incidents to also be reported.

Transparency requirements will be enhanced. RDSPs, RMSPs and data centre operators will need to alert customers likely to be affected by a significant incident.

4. Tougher enforcement and penalties

Regulators will gain enhanced powers to investigate and enforce compliance.

There will be a new cost recovery framework which will allow regulators to recover the full costs associated with their NIS activities through a periodic fee.

Penalties for non-compliance will be linked to annual turnover, ensuring fines are proportionate to the size of the organisation. Detail on defining the calculation of turnover for penalties will be set out in secondary legislation.

The Bill sets out a revised penalty structure. The new maximum penalties proposed are:

  • For more serious breaches: up to £17 million, or 4% of the regulated entity's worldwide turnover, whichever is higher.
  • For less serious breaches, up to £10 million, or 2% of worldwide turnover, whichever is higher.
  • For ongoing breaches, the Bill proposes fines of up to £100,000 per day (for entities that are not "undertakings", or where a turnover-based penalty does not apply) in specified circumstances.

The Bill also introduces penalties for non-compliance with information notices and for breaches of non-disclosure requirements of up to £10 million or, for continuing non-compliance, up to £50,000 per day.

5. Enabling the Secretary of State to designate a statement of strategic priorities

The NIS Regulations apply across multiple sectors and are enforced by 12 regulators (13 when the new law comes into force). Regulators will have a duty to seek to achieve objectives which will be set out in a statement of strategic priorities.

6. Emergency powers

The Secretary of State will have authority to direct regulators and organisations to take specific, proportionate steps during major cyber incidents. This could include enhanced monitoring or temporary network isolation to protect national security. Proportionate safeguards will be implemented.

The Secretary of State will also have power to bring more sectors into scope of the NIS Regulations and update and introduce security and resilience requirements for organisations within scope including in relation to supply chain risk management, via secondary legislation.

Implications for businesses

The Bill is not just a compliance exercise; it is a strategic wake-up call. Organisations should act now to:

  • Audit supply chains and identify critical dependencies, updating agreements to cascade cyber duty obligations, enhance incident-reporting triggers and include indemnities.
  • Update incident response plans to meet the 24-hour initial notification and 72-hour full report requirements, including parallel notification of the NCSC, and regularly test the response plan.
  • Implement ransomware-specific protocols, including clear decision-making frameworks taking account of prospective payment disclosure obligations.
  • Continue to invest in monitoring and detection capabilities, such as Security Operations Centre (SOC) maturity and rapid triage processes.
  • Strengthen staff training on cyber vigilance, reporting duties and escalation procedures.

In-scope entities should expect increased scrutiny of security posture and contractual obligations, as organisations seek assurance that business partners meet industry standards.

Preparation is key

The Bill will progress through Parliament over the coming months, with the law due to come into force in 2026. Secondary legislation and a code of practice will follow, providing further information on key definitions. Early preparation is essential to ensure that cyber governance, incident response testing and training are mature and that contract reviews are carried out in readiness for modernisation of the UK cyber enforcement regime.

If you have questions about how the Cyber Security and Resilience Bill will affect your organisation, or if you need assistance in developing a governance plan, please contact our Cyber Security and Resilience team.