The UK Cyber Security and Resilience Bill: An overview and key points

The United Kingdom is the most targeted country in Europe for cyberattacks. In its Annual Report published in October 2025, the National Cyber Security Centre (NCSC) recorded 204 nationally significant cyber incidents in the year to September 2025, up from just 89 the previous year, equivalent to roughly four major attacks every week. The costs to the UK economy are estimated at almost £15 billion per year.

High-profile incidents have brought the issue into sharp relief. The June 2024 ransomware attack on NHS blood testing provider Synnovis disrupted critical health services across London. Attacks have also struck local authorities, utilities, the Ministry of Defence’s payroll system and, in 2025, major retailers and manufacturers including Marks & Spencer and Jaguar Land Rover.

Against this backdrop, the UK Government introduced the Cyber Security and Resilience (Network and Information Systems) Bill to Parliament on 12 November 2025. It is the most significant update to UK cyber law since the Network and Information Systems (NIS) Regulations 2018.

Why was new legislation needed?

The NIS Regulations 2018 were the UK’s primary cross-sector cyber legislation, applying to operators of essential services in energy, transport, health, drinking water, and digital infrastructure. Two post-implementation reviews identified critical shortcomings:

  • Only half of operators of essential services had updated or strengthened their policies since 2018, a level of progress considered insufficient.
  • The framework did not cover managed service providers, data centres, or supply chain risks in any meaningful way.
  • The Regulations were made under the European Communities Act 1972, which has since been repealed following Brexit, removing the Government’s ability to update them via secondary legislation.

Primary legislation was therefore required.

What is the Cyber Security and Resilience Bill?

The Cyber Security and Resilience (Network and Information Systems) Bill amends and significantly expands the NIS Regulations 2018. Its stated aims are to:

  • Strengthen the UK’s cyber defences and resilience to hostile attacks
  • Protect critical infrastructure and essential services from disruption
  • Expand the regulatory perimeter to bring more organisations into scope
  • Empower regulators with greater authority and resources
  • Improve the quality and timeliness of incident reporting
  • Give the Government more agility to respond to emerging threats

The Bill applies across the whole of the United Kingdom. Once enacted, many of its substantive provisions will be brought into force through secondary legislation, with full implementation expected by 2028.

Who does this apply to?

One of the Bill’s most significant features is the substantial expansion of who falls within the regulatory perimeter. The following categories of organisation are in scope:

  • Operators of Essential Services (OES)
  • Relevant Digital Service Providers (RDSPs)
  • Relevant Managed Service Providers (RMSPs)
  • Data Centres
  • Large Load Controllers
  • Designated Critical Suppliers (DCS)

What are the key points of the Cyber Security and Resilience Bill?

Incident Reporting
The Bill introduces a faster, two-stage reporting model. Regulated entities must:

  • Submit an early warning notification to both their sector regulator and the NCSC within 24 hours of becoming aware of a significant incident.
  • Submit a full incident report within 72 hours.
  • Take reasonable steps to notify affected UK customers as soon as reasonably practicable after regulator notification.

This is a significant tightening of the existing NIS 2018 regime, which required notification “without undue delay and in any event no later than 72 hours.”

Supply Chain Risk Management
Supply chain resilience is a central theme. The Designated Critical Suppliers framework gives regulators the power to impose security and incident reporting obligations on specific third-party suppliers. Detailed supply chain duties will be set out in secondary legislation following consultation.

Strengthened Regulatory Powers
The Bill significantly enhances the powers available to the 12 sector-specific regulators, including:

  • Powers to proactively investigate vulnerabilities in systems and supply chains.
  • Enhanced inspection and audit capabilities.
  • The ability to issue compliance notices and directions.
  • A new cost-recovery framework enabling regulators to charge regulated entities for supervision and enforcement activities.

Secretary of State Emergency Powers
The Bill grants the Secretary of State specific powers to direct regulated entities and their regulators to take mandatory steps where a cyber or operational threat poses a risk to national security. Obligations imposed under such directions can take precedence over other legal or regulatory requirements.

Mandatory Registration
New mandatory registration requirements are introduced for RMSPs and certain data centre operators with the ICO. Providers established outside the UK that fall in scope must also register and nominate a UK representative.

Enforcement
The Bill replaces the previous NIS penalty regime (capped at £1 million or £8.5 million) with a substantially tougher, tiered structure.

Maximum penalty by breach type:

  • Standard breaches: the greater of £10 million or 2% of global annual turnover
  • Serious or repeated breaches: the greater of £17 million or 4% of global annual turnover
  • Ongoing daily contraventions: up to £100,000 per day

These penalties are comparable to GDPR enforcement and represent a dramatic increase in potential liability for non-compliant organisations.

NIS2 or CS&R Bill?

The Cyber Security and Resilience Bill is broadly similar to the EU’s NIS2 Directive, but represents a distinctly UK approach. NIS2 covers 18 sectors, including manufacturing and the food sector, whereas the CS&R Bill’s scope is narrower. The Bill is also less prescriptive about the specific security measures organisations must implement, preferring a risk-based, outcomes-focused approach.

The CS&R Bill is also distinct from the EU’s Cyber Resilience Act, which governs the security of hardware and software products placed on the market, rather than the resilience of services and infrastructure.

What is the timeline for this?

Key milestones:

  • July 2024: Announced at the State Opening of Parliament
  • April 2025: CS&R Policy Statement published
  • 12 November 2025: First Reading, House of Commons
  • 6 January 2026: Second Reading, House of Commons
  • January to February 2026: Committee Stage, House of Commons
  • March 2026: Report Stage, House of Commons
  • 2026 to 2028: Phased implementation via secondary legislation

What do you need to do to prepare?

Although full implementation is not expected until 2028, organisations that may fall within scope are advised to begin preparation now:

  • Conduct a scoping exercise to determine whether your organisation meets the thresholds for OES, RDSP, RMSP, data centre, or critical supplier status.
  • Map existing security controls against the NCSC Cyber Assessment Framework (CAF).
  • Build 24-hour and 72-hour incident reporting playbooks and review detection and escalation capabilities.
  • Audit supply chain contracts and obligations, particularly with downstream critical suppliers.
  • Ensure board-level governance reflects the Cyber Governance Code of Practice.
  • Budget for regulatory fees, potential audits, and security capability investment.

Make sure your organisation is ready

The Cyber Security and Resilience (Network and Information Systems) Bill marks a significant step forward for cyber regulation within the UK. Faced with a threat landscape that has grown dramatically since 2018, the Government is using primary legislation to raise the floor of cyber resilience across critical sectors. The Bill significantly widens the regulatory scope to new types of organisation, arms regulators with meaningful enforcement powers, and demands faster and more transparent incident reporting.

Full implementation is anticipated by 2028 – is your organisation ready? As a leading Managed Security Services Provider (MSSP), we help partners and their customers stay protected from cyber threats, deliver rapid incident response and ensure the right protections are in place. If you would like any support, or have any questions, please get in touch and we will be happy to help.