
UK plans major cyber security reforms: what you need to know

The Cyber Security and Resilience (Network and Information Systems) Bill (the Bill) was laid before Parliament on 12 November 2025. The Bill follows on from and largely aligns with the policy statement the Government published earlier this year (see our blog), and is designed to improve the UK’s resilience to the escalating risk of cyber attacks.

In order to do so, it proposes significant changes to the existing Network and Information Systems Regulations 2018 (NIS) regime. Those include: (1) a major expansion of the scope of the NIS regime to many more businesses (such as managed IT service providers, data centres and critical suppliers); (2) stricter incident reporting obligations; and (3) higher penalties for failure to comply – as explained below. 

1. Expanded scope of the NIS regime

The Bill expands the scope of the NIS regime in four main ways:

  • Managed Services: The Government is conscious of the potential cascading impacts of cyber attacks against businesses providing ongoing contracted IT services via access to customer systems (‘managed services’), e.g. helpdesks or IT security management. To address this, the Bill would bring ‘relevant managed service providers’ (RMSPs) within the scope of the NIS regime, and they would be regulated by the Information Commission (currently the ICO). RMSPs are widely defined in the Bill, with some exceptions (such as for smaller businesses).
  • Data Centres: Data centres were designated critical national infrastructure in 2024. However, despite this, there are currently no minimum statutory requirements regarding their cyber security or operational resilience. A stated aim of the Bill is to resolve this, which it does by providing for data centres with > 1 MW capacity (or, for enterprise data centres serving their own undertaking, a capacity of > 10 MW) to be regulated as ‘operators of essential services’ (OES) under the NIS regime. Key duties will include: (1) taking appropriate and proportionate measures to manage security risks and prevent and minimise the impact of incidents affecting the security of their network and information systems; (2) making certain notifications to the regulator (including that they are an OES); and (3) complying with incident reporting obligations and regulatory inspections.
  • Large Load Controllers: Organisations with the potential to control > 300 MW of electrical load to and from certain smart appliances (electric vehicles or their charging points, battery energy storage, virtual power plants and certain electrical heating appliances) will also be regulated as OESs, to reflect their growing importance to the economy.
  • Critical suppliers: The Government is cognisant that suppliers of critical goods, or services that support the delivery of key services, are attractive targets for cyber criminals given the significant impact of their disruption. As a result, the Bill would empower regulators to designate entities as ‘critical suppliers’ of goods or services to OES, RDSPs or RMSPs and thereby bring them within the scope of the NIS regime if they meet various criteria and don’t fall within certain exemptions. Those criteria include (among other things) that: (1) potential disruptions to the supplies are likely to have a ‘significant impact’ on the economy or the day-to-day functioning of society in the whole or any part of the UK; and (2) the relevant supplier provides goods or services directly to an OES, RDSP or RMSP regulated by the same regulator proposing to designate the supplier as ‘critical’. Designated critical suppliers will be a new category of ‘regulated person’ under the NIS regime and subject to various duties, including having to meet statutory cyber security obligations and to take steps to manage and reduce risks. Those security duties will be established by secondary legislation (following consultation), but the Government has said they will be no more stringent than the requirements already imposed on other regulated persons under the NIS regime. The Government will also have the power to issue directions to critical suppliers, requiring them to do, or not do, particular things in the interests of national security (as with other regulated persons).

2. Reforms to NIS regime for RDSPs

The NIS regime already applies to in-scope providers of online marketplaces, search engines and cloud computing services (known as ‘relevant digital service providers’ or ‘RDSPs’). 

The Bill proposes reforms for RDSPs, including:

  • Replacing the existing simplistic definition of ‘cloud computing’ with one designed to remove ambiguities, meaning some entities may have their designation changed or clarified. For example, the Bill clarifies the requirement that the service must enable access to a ‘scalable and elastic pool of shareable computing resources’ and excludes cloud services: (1) provided by a person solely for their own use; or (2) that do not provide ‘broad remote access’ to the service.
  • Amending registration requirements for RDSPs, which would require them to provide some additional information.
  • Expressly expanding the duty to ‘prevent and minimise the impact of incidents affecting their network and information systems with a view to ensuring the continuity of those services’ by: (1) confirming the duty applies to the RDSP’s own systems and third-party systems on which it relies; and (2) clarifying that the duty relates to ensuring the availability, authenticity, integrity or confidentiality of the digital service (rather than just incidents impacting its continuity).
  • Replacing certain pre-Brexit EU legislation that sets out specific security measures that an RDSP must take with an updated set of security and resilience requirements. RDSPs will also be required to have regard to relevant guidance issued by the Information Commission.

3. Increased cyber incident reporting duties

The Bill would introduce reformed and more stringent incident reporting duties, including duties to notify regulators of additional breaches and attacks, as compared to existing requirements. Those reforms include generally amending the definition of ‘incident’ to capture not only events having an actual adverse effect on the security of network and information systems, but also events capable of having that effect. 

The Bill also proposes that entities falling under the NIS regime would have to submit an initial notification to the relevant authorities within 24 hours of an attack and a full report within 72 hours, with the National Cyber Security Centre being informed of the incidents at the same time as the regulators.  

Regulated entities would therefore need to update their incident reporting processes. 

4. Additional powers and gateways for information exchange

The Bill would create new gateways to allow NIS regulators to exchange information with public authorities, the Government and GCHQ (alongside certain safeguards). 

It would also permit the Government to: (1) set strategic priorities across various NIS regulators; (2) direct regulators or regulated entities in response to major cyber threats; (3) allow regulators to impose a new funding regime, through a combination of charges and fees; and (4) amend the NIS regime in future.

5. Revised penalties 

The Bill would revise the existing NIS penalty structure to seek to create an effective and proportionate regime. This includes a simplified two-band structure backed by higher potential penalties for larger businesses. 

Maximum fines under NIS are currently £17 million. The Bill proposes to increase this, capping maximum fines at the higher of £17 million or 4% of global turnover – with the result that businesses with large turnovers now face significantly higher potential penalties. The Bill also mandates that a wider set of circumstances must be taken into account when setting a penalty (e.g. actions taken in mitigation and patterns of non-compliance).

Next steps and key takeaways

Before the Bill comes into law, it must complete its passage through both Houses of Parliament and receive Royal Assent. Many of its provisions will be effected through secondary legislation or other steps such as the issuing of a Code of Practice for Data Centres. 

Nevertheless, with the Government’s large majority in the House of Commons and increasing concern across government and society about the impact of cyber attacks, the Bill is expected to make prompt legislative progress. 

If enacted, the Bill will bring some further alignment with the EU’s revised ‘NIS2’ cyber security framework (such as through regulation of RMSPs and closer alignment on incident reporting timelines), but does not simply copy the EU’s NIS2. Key aspects of the UK regime (including its scope, enforcement and terminology) will continue to diverge from the EU’s regime, which will complicate compliance for international businesses. 

Businesses should act now to ensure they understand the potential impacts of the Bill on their operations and begin preparing for compliance. 

Further information is available in the Bill’s factsheets.
