What You Need to Know: The UK’s New Cyber Security and Resilience Bill

Since the introduction of the NIS Regulations in 2018, the cyber landscape has shifted dramatically. Threats have grown more sophisticated and the range of services at risk has widened. To meet these challenges, Parliament has introduced the Cyber Security and Resilience (Network and Information Systems) Bill, a modernised framework that expands regulation and reinforces national defences against evolving risks.

Expansion of Scope and New Regulated Entities

The new Bill delivers a significant expansion and clarification of scope. While Digital Service Providers (DSPs), such as online marketplaces and cloud services, were already regulated under the 2018 NIS Regulations, the Bill introduces three key groups:

  • Data Centres: Classified as essential services, with oversight provided jointly by the Department for Science, Innovation and Technology (DSIT) and Ofcom.
  • Managed Service Providers (MSPs): Brought into scope to secure their access to customer systems, with the Information Commission (ICO) acting as the regulator.
  • Large Load Controllers: Included to secure organisations managing electrical load for smart appliances (e.g. EV charging), which are vital for the UK’s Net Zero transition.
  • Designated Critical Suppliers: The Bill also grants regulators the power to designate critical suppliers to essential services, a concept modelled on the financial sector’s Critical Third Parties regime.

Stronger Duties and Specific Timelines

The Bill places far stronger duties on regulated organisations to address vulnerabilities. Crucially, the legislation expands incident reporting to cover more forms of harmful cyber breaches that have the potential to cause significant impacts, even if actual disruption hasn’t yet occurred.

Regulated entities must adhere to strict timeframes: an ‘initial notification’ of a significant incident must be made within 24 hours to the regulator, followed by a fuller report within 72 hours. These obligations are designed to improve transparency and ensure that problems are addressed quickly.

Enhanced Regulator Powers and Enforcement

Another important feature is the enhanced authority granted to the Secretary of State. The Bill allows the government to set strategic priorities for cyber resilience, which is intended to drive better consistency in implementation across the 12 different sector regulators.

Furthermore, the Bill significantly tightens enforcement:

  • Financial Penalties: The maximum financial penalty is being amended to enable potentially higher penalties, bringing the regime into line with comparable legislation such as GDPR.
  • Cost Recovery: Regulators will be empowered to recover the full costs associated with their NIS duties, meaning the cost of regulatory oversight will fall directly on the regulated entities.
  • National Security Powers: The Secretary of State gains a new power to issue directions to regulated entities, requiring them to take action when cyber threats pose national security risks.

Ultimately, the Cyber Security and Resilience Bill is about safeguarding the systems we all rely on, from electricity grids to cloud platforms. By modernising the law, Parliament aims to build resilience, accountability, and trust in the digital backbone of the nation. Though the Bill is in its early legislative days (with the First Reading on 12th November 2025), the message for organisations in the digital ecosystem is clear: compliance will not be optional, and preparation should begin now. Waiting is no longer a viable strategy.

If you’d like clarity on how this will impact your organisation, our experienced team is here to help: get in touch or give us a call.