On 12th November 2025, the Cyber Security and Resilience (Network and Information Systems) Bill was introduced to Parliament.
Earlier in the year, the government set out what it wanted this Bill to do in a policy statement, and most of that has made it through more or less intact.
The Bill arrives after a run of high-profile incidents. JLR, M&S, Co-op and others have all had to deal with serious cyber-attacks that quickly turned into operational problems: factories pausing production, supply chains under pressure, online services going down – all with a major impact on the organisations involved. That mix of real-world disruption and a more aggressive threat landscape is what sits behind this Bill.
Our aim here is to explain, in practical terms, what is changing and what you can do if you think you’ll be in scope.
Why is reform needed?
The threat landscape has evolved.
Over the last year, the UK has been one of the most targeted countries in Europe for cyber-attacks. More than 40% of UK businesses, over 6,000 organisations, reported a cyber-attack in that period. The estimated cost is about £14.7 billion each year, equivalent to 0.5% of UK GDP.
The pressure on essential services looks similar. An independent report found that 95% of the UK’s critical national infrastructure organisations experienced a data breach in 2024.
Behind those numbers sit very familiar scenarios. Water companies worried about treatment and control systems. Parts of the power network at risk. Hospitals unable to get into digital patient records. Retailers and manufacturers locked out of the systems they need to operate. Customer data compromised and sensitive information out in the wild.
As attacks have become more frequent, more serious and more sophisticated, the UK’s regulatory framework has not kept pace. The new Bill is a step towards closing that gap. It reflects how attacks actually unfold today, identifying the services and suppliers that matter most.
The aim of the Cyber Security and Resilience Bill
The starting point for the Bill is the NIS Regulations 2018. These already apply to operators of essential services in sectors like energy, transport, drinking water, health and digital infrastructure, and to some digital services such as online marketplaces, search engines and cloud platforms.
The new Bill does not replace that framework. It builds on it. In simple terms it:
- brings more organisations into scope, especially managed service providers and data centres;
- allows regulators to treat certain high impact suppliers as critical suppliers, with their own obligations;
- tightens incident reporting and information sharing;
- strengthens the powers and resources of regulators;
- increases the potential financial penalties for serious failures.
The effect is that the focus stays on essential and digital services, but the net is cast wider into the supply chain that keeps them running.
Who is likely to be impacted by this?
You are likely to be affected if any of the following feels familiar.
You already fall under NIS 2018. For example, you
- operate energy, transport, drinking water, health or core digital infrastructure; or
- provide certain large scale online or cloud services.
You are a managed service provider with ongoing access to your customers’ systems or data, and you are above SME scale. The Bill makes MSPs one of its central pieces. They are treated much more like critical infrastructure than before.
You run a data centre above the defined thresholds. For most data centres that means around one megawatt of capacity or more. For enterprise data centres that only serve their own group, the threshold is higher, at around ten megawatts.
Load control will be brought into scope as an essential service under the NIS Regulations. In practice, this means organisations that can control 300 megawatts or more of electrical load to and from relevant smart appliances will be designated as large load controllers. The intention is to reduce the risk of grid disruption by placing stronger cyber security requirements on these services.
Or you are a supplier that a regulated operator simply cannot function without. Regulators will be able to label specific high impact suppliers as critical suppliers and then apply NIS style duties to them. You may not see your sector named anywhere in the legislation and still find yourself in scope because of how important you are to your customers.
The Bill also makes it clear that operators of essential services can be designated even if they are not established in the UK. Location on its own is not a way out.
What changes day to day?
The legal wording is detailed, but the everyday impact comes down to a few themes.
Security duties are tightened and can be expanded later
The core idea of “appropriate and proportionate” security measures remains, but the Secretary of State gains broad powers to add sectors, adjust scope and introduce new obligations through secondary legislation. This means the regime can evolve more quickly as threats change. Realistically, the bar is likely to rise over time, not fall.
Incident reporting becomes faster and broader
The current NIS rules focus on incidents that significantly disrupt services. The Bill widens this to include incidents that could have a significant impact, and those that seriously affect the confidentiality, availability, authenticity or integrity of relevant systems, even if the full impact hasn’t landed yet.
There is also a new two-stage reporting model:
- an initial notification to the regulator within 24 hours of becoming aware of a significant security incident;
- a more detailed report within 72 hours.
For data centre operators there is an extra step: where they experience a significant incident, they will be expected to alert customers who may be affected. This is likely to shift how organisations balance containment with early communication.
Regulators and government gain more tools
The Secretary of State will set out a Statement of Strategic Priorities and a Code of Practice, which regulators must take into account. Government will also be able to direct regulators and regulated entities to take specific action where there is a national security concern.
Regulators themselves get stronger powers to gather information, share it with other bodies where appropriate, carry out inspections and recover their costs through fees. For regulated organisations, that means more structured and ongoing engagement, rather than a purely reactive relationship.
Penalties move up to a different level
The Bill introduces higher maximum fines, including turnover-based penalties. For most organisations, the standard maximum fine can be the higher of £10 million or 2% of global turnover. A higher tier allows fines up to the greater of £17 million or 4% of global turnover. Where a national security direction is breached, penalties can be up to £17 million, and where additional regulations are in place, up to the higher of £17 million or 10% of global turnover.
If you think you’ll be in scope, where to start
If you believe you’re likely to fall under the new regime, whether as an existing NIS operator, a digital service provider, an MSP, a data centre, a large load controller or a likely critical supplier, we’d recommend doing some structured work now rather than waiting for the detail of every regulation.
A useful place to begin is with scope.
Be clear with yourself about how you are likely to be viewed: which services you provide that others depend on, what scale you operate at, and where you sit in your customers’ critical supply chain. Capture that in a simple note that executives can understand.
Next, carry out a gap analysis against a framework that regulators already recognise, such as the NCSC’s Cyber Assessment Framework or existing sector guidance. The aim isn’t to produce a glossy document; it’s to see, in plain terms, where you stand on governance, technical controls, incident response and supply-chain risk. Pay particular attention to whether your current incident process could realistically support a 24-hour notification and a 72-hour report with enough detail to be useful.
It also helps to run one or two short, focused exercises. Take a scenario such as a ransomware attack on a key system, a compromise at your MSP, or a major data centre outage and walk through who would spot it, who would decide that it was reportable, what you could actually say within the new timeframes, and how you would involve customers and regulators. The gaps that emerge from those conversations are usually very practical, which makes them easier to fix.
Finally, look at this across IT, OT, physical security and suppliers together, rather than as separate projects. The Bill talks about “network and information systems”, but recent incidents have shown that the real impact lands when cyber, operations and supply chains intersect. If your factories stop, your clinics can’t access records, or your retailers can’t sell, nobody much cares whether the root cause started in IT, OT, a supplier or a facility.
Final thoughts
The Bill reflects what recent attacks have already shown in real life: weaknesses in IT, OT and the supply chain quickly turn into operational and financial problems. It makes sense to look at your environment as one connected system – technology, sites, cloud and key suppliers together – rather than treating each piece in isolation.
The new regime also gives you a clear reason to push for the investment and supplier assurances you may have struggled to secure before. You don’t need a huge programme to begin with; a simple scoping exercise and an honest gap analysis are enough to get started, and you can refine your approach as the legislation and guidance develop.
