The Cyber Security and Resilience Bill: Understanding the UK's Legislative Response to Digital Threats

Cyber incidents affecting the UK have increased significantly: the National Cyber Security Centre (NCSC) reported 204 nationally significant incidents in the past 12 months, more than double the 89 recorded in the previous year. In response to this evolving threat landscape, 2026 has already seen a coordinated legislative and policy response. The Cyber Security and Resilience (Network and Information Systems) Bill (the Bill) underwent its second reading on 6 January 2026, the Government published its Cyber Action Plan on the same day, and the Information Commissioner’s Office (ICO) issued its detailed response to the Bill at the end of last year. Together, these developments represent a significant strengthening of the UK’s approach to protecting critical infrastructure against cyber-attacks and digital disruption.

Background

Introduced in Parliament on 12 November 2025 following public consultation and engagement with regulators including the ICO, the Bill aims to improve the UK's security in respect of critical infrastructure, preventing it from being stopped or slowed by cyber-attacks or other digital disruption.

As Secretary of State for Science, Innovation and Technology Liz Kendall put it: "Cyber security is national security. This legislation will enable us to confront those who would disrupt our way of life. I'm sending them a clear message: the UK is no easy target."

The Bill underwent its second reading on 6 January 2026 and is available to read here.

The Rationale for Reform in the UK

The substantial increase in cyber incidents demonstrates the challenges faced by both public and private organisations. The current Network and Information Systems (NIS) Regulations 2018, whilst providing an important foundation for cyber resilience, have been subject to review in light of rapidly changing technological and threat environments. Post-implementation reviews conducted in 2020 and 2022 identified opportunities for greater consistency across sectors and highlighted that the legislation would benefit from updating to address evolving threats and technological changes.

Announced as part of the King’s Speech in 2024, the Bill forms part of the Government’s ‘Plan for Change’, seeking to improve economic growth through enhanced confidence in the UK’s digital services. The legislative reform represents a natural evolution of the existing NIS framework, designed to address the changing nature of cyber threats whilst building upon established regulatory foundations.

It is important to note that the Bill does not replace the NIS Regulations in the UK but amends and extends them. This differs from the EU approach, where NIS2 repealed and wholly replaced the original NIS Directive (Directive (EU) 2016/1148), which was the origin of the NIS Regulations in both the UK and EU member states.

Key Provisions and Organisational Implications

The Bill introduces reforms across three principal areas:

1. Expanding the scope of Application

The Bill expands the scope of the 2018 NIS Regulations to include organisations previously outside its reach: eligible data centres, medium and large managed service providers, large load controllers and critical suppliers (which will be designated as ‘critical’ by regulators).

Eligibility for data centres is determined by rated IT load (RITL), a metric that quantifies the electrical power supplied to operational IT infrastructure under standard conditions. Facilities with a RITL of one megawatt (MW) or above fall within the Bill’s scope. Enterprise facilities (those operated exclusively to support the IT requirements of their owner) are subject to regulation only when their RITL reaches or exceeds 10 MW.

‘Critical suppliers’ are entities whose products or services are deemed so essential that any compromise to their network and information systems could trigger substantial economic disruption.

The criteria for designation include: providing goods or services directly to an Operator of Essential Services, a Relevant Digital Service Provider (RDSP) or a Relevant Managed Service Provider (RMSP); depending on network and information systems to deliver those supplies; a credible possibility that a compromise of the supplier could disrupt the provision of the essential or digital service; and the likelihood of that disruption causing considerable economic or societal consequences across all or part of the UK. Obligations for designated suppliers will be established through secondary legislation, with the aim of implementing fundamental security and incident reporting requirements in a proportionate manner.

Managed service providers deemed to be “relevant” will be brought into scope by the Bill. These are medium and large providers that supply a managed service in the UK. The Bill defines an RMSP as a person that provides a managed service in the UK, under a contract, where the service involves a connection to the network and information systems of a customer. RMSPs will have to identify and assess the risks to their network and information systems and take appropriate and proportionate measures to manage those risks. RMSPs will also have to register with the ICO and take into account any guidance the ICO issues in respect of their obligations.

Large load controllers are also captured by the Bill as Operators of Essential Services. These are entities with potential electrical control of 300 MW or more across the energy smart appliances they manage (such as electric vehicles, charging points and virtual power plants).

Entities falling within these newly defined categories will become subject to regulatory obligations under the Bill, regardless of whether they were previously subject to the 2018 Regulations. Organisations should conduct a thorough scope assessment to determine their regulatory status.

2. Enhanced Regulatory Framework for Regulated Entities

For organisations falling within its scope, the Bill introduces mandatory initial reporting within 24 hours of becoming aware of a significant incident, with the full report due within 72 hours. This closely aligns with the early-warning and notification timelines under the EU’s NIS2. Following the submission of a comprehensive report, data centres, RDSPs (defined in the NIS Regulations as online marketplaces, cloud computing services and online search engines) and RMSPs are required to determine which UK customers are likely to be negatively impacted and inform them accordingly, setting out the particulars of the incident and its underlying causes. This requirement to notify customers introduces a substantial new compliance obligation, and will likely require revisions to organisations' existing incident response protocols.

The Secretary of State will publish a statement of strategic priorities for regulators to improve consistency between them. A report will also have to be published every five years assessing whether the legislation has achieved its intended objectives.

Regulators also gain cost recovery powers, clearer information-sharing protocols with law enforcement, and financial penalties for non-compliance that bring the regime closer to GDPR-level sanctions: fines can reach up to £17 million or 4% of annual global turnover, whichever is higher.

The regulatory landscape will become more stringent and consistent. The 24-hour initial reporting requirement represents a significant reduction in response time, necessitating robust incident response procedures. Enhanced penalty provisions create material financial risk for non-compliance, whilst cost recovery powers may result in organisations bearing the costs of regulatory investigations.

3. Adaptive Legislative Framework

The Bill includes provisions for future updates to introduce requirements or bring additional organisations within scope. The Government will also be empowered to direct regulators to take ‘proportionate and targeted action’ in response to threats to the UK.

The Secretary of State can also mandate requirements to act or refrain from acting in a specific way, if there is a risk to national security due to cyber or operational issues.

The regulatory perimeter is not static. Organisations must develop compliance frameworks capable of adapting to evolving requirements rather than implementing fixed solutions. This necessitates ongoing monitoring of regulatory developments and flexible governance structures.

The ICO's response to the Bill

On 23 December 2025, the ICO published its full response to the Bill (UK Information Commissioner John Edwards having issued an initial welcome on 12 November 2025). The timing is noteworthy: the ICO's detailed position arrived shortly before the Bill's second reading, providing important regulatory perspective at a critical juncture in the legislative process.

The ICO's response demonstrates qualified support whilst identifying areas requiring further clarification:

Areas of Support from the ICO:

The ICO supports the Bill and believes it represents a necessary update to the UK's ability to respond to cyber-attacks and outages. The ICO welcomes the expanded information-sharing powers as enabling a more streamlined approach and also supports the cost recovery framework as a means of resourcing the proposed changes.

Areas Requiring Clarification:

The ICO has identified several areas requiring clarification in the proposed secondary legislation, including: how "significant impact" will be defined for incident reporting purposes, how "critical suppliers" will be assessed, and further detail on the ICO's enhanced information-gathering powers.

Ongoing Engagement:

The ICO will continue to engage with Government and other regulatory bodies to support implementation and will seek to align its approach with these bodies. However, the ICO notes it is limited in providing guidance on the proposed legislation whilst it remains under discussion.

The ICO's response signals both regulatory endorsement and areas where the Bill may be refined during parliamentary scrutiny. Organisations should monitor these developments closely, as clarifications regarding definitions and assessment criteria will determine the practical compliance requirements.

The ICO response is available here.

Government Cyber Action Plan

On 6 January 2026, coinciding with the Bill’s second reading, the Government published its Cyber Action Plan, setting out a comprehensive strategy for responding to the critically high cyber threat level facing the UK. The Plan focuses on strengthening the security of public services as they undergo digital transformation through clearer risk management and enhanced resilience measures.

Key elements of the Plan include:

  • Government Cyber Unit: A new centralised unit, supported by £210 million in investment, will drive coordinated change across Government and assume overall responsibility for managing cyber risk. The unit will provide specific departmental directions and establish a cross-government Cyber Profession aimed at improving collaboration and attracting and retaining specialist talent.
  • Software Security Ambassador Scheme: This initiative promotes adoption of the Software Security Code of Practice to reduce software supply-chain attacks. Cisco, Palo Alto Networks and Santander have already joined as founding ambassadors, signalling industry commitment to raising security standards.
  • Strategic Significance: The Cyber Action Plan elevates cyber risk from a purely technical issue to a core and operational priority across Government. This shift signals that even organisations without direct regulatory mandates should develop practical, resilient cyber strategies, as the Government’s approach will likely influence broader market expectations and private sector standards.

Recommended Organisational Response

Organisations are advised to commence preparation in advance of Royal Assent. The following steps are recommended:

Scope Assessment

Conduct a comprehensive assessment to determine whether your organisation falls within the Bill's proposed scope. This assessment should consider whether your organisation operates an eligible data centre, is a medium or large managed service provider, controls enough electrical load to qualify as a large load controller, or may be designated as a critical supplier.

Security Posture Review

Review and where necessary, strengthen your existing security measures. Enhanced regulatory scrutiny and compressed reporting timelines necessitate robust security controls and monitoring capabilities.

Incident Response Procedures

Establish or refine incident response processes to ensure compliance with the potentially mandatory 24-hour initial reporting requirement and 72-hour full reporting deadline. This should include clear escalation procedures, designated responsible individuals, and pre-established communication channels with relevant regulators.

Regulatory Monitoring

Maintain awareness of regulatory guidance as it develops. Given the ICO’s current limitations on providing guidance whilst the Bill remains under discussion, organisations should anticipate detailed practical guidance following Royal Assent.

Internal Education and Training

Implement staff training programmes to ensure relevant personnel understand the Bill’s requirements and their responsibilities. Cyber resilience requires organisational awareness extending beyond technical teams to encompass governance, legal and operational functions.

The Bill represents a significant evolution in the UK's regulatory approach to protecting critical infrastructure. With regulatory support, enhanced enforcement mechanisms, and an expanding scope of application, organisations should treat preparation as a strategic priority rather than a compliance exercise. Proactive engagement with the Bill's requirements will position organisations to respond effectively when the legislation receives Royal Assent.

It is important for organisations to recognise that the Bill should not be considered in isolation when ensuring cybersecurity compliance. The Bill sits within a complex, layered legal environment relating to cyber-security and ransom payments in the UK, alongside related EU law that has extra-territorial effect. It is also notable that while the Bill primarily targets private sector operators of essential services (energy, healthcare, digital infrastructure), its impact will ripple across the entire economy, particularly to businesses supplying the public sector.

As the Bill progresses through Parliament, we will be monitoring developments closely and will provide further updates on any significant amendments or implementation guidance. If you have any questions in the meantime about how the Bill may affect your organisation, please contact Gareth Oldale or Georgía Philippou.

Authors: Gareth Oldale, Georgía Philippou and Monica Murray

This publication is intended for general guidance and represents our understanding of the relevant law and practice as at January 2026. Specific advice should be sought for specific cases. For more information see our terms & conditions.

Date published
26 Jan 2026
