1 April 2025
The government announced its plans for a new Cyber Security and Resilience Bill in the July 2024 King's Speech. It said the Bill would protect public services and infrastructure by expanding the remit of existing regulation, putting regulators on a stronger footing and increasing reporting requirements.
On 1 April 2025, the government set out its plans in more detail, publishing a policy statement. The Cyber Security and Resilience Bill will largely expand and update the scope of the current 2018 NIS Regulations, which implemented the EU NIS Directive (now replaced in the EU by the NIS2 Directive, enacted after Brexit). This means the focus of the planned UK Bill is on operators of essential services (OESs), relevant digital service providers (RDSPs), and related supply chains.
The Bill will:
Proposed changes to the 2018 NIS Regulations will be largely in line with NIS2. This means managed service providers will be brought into scope. In addition, the government will be able to set stronger supply chain duties for OESs and RDSPs in secondary legislation. Regulators will get new powers to identify and designate specific high-impact suppliers as "designated critical suppliers" (DCS) with obligations equivalent to those of OESs and RDSPs. This regime may also cover certain small and micro RDSPs which play a pivotal role in supporting essential services.
The government intends to establish the NCSC Cyber Assessment Framework principles and objectives on a firmer footing. Technical standards and methods put on a statutory footing under the 2018 NIS Regulations will be updated under secondary legislation to bring them into closer alignment with NIS2 and, where appropriate, also extended to OESs. The Secretary of State (SoS) will have powers to tailor these to specific sectors as appropriate and proportionate.
The Bill will update and enhance current incident reporting requirements for regulated entities, both in terms of what must be reported and when. Transparency requirements for digital services and data centres will be enhanced. This will be complemented by the government's work on ransomware (currently under consultation). The government will work to ensure frameworks are aligned and avoid duplication.
Reporting requirements will expand to cover incidents capable of having a significant impact on the provision of an essential or relevant digital service and incidents that significantly affect the confidentiality, availability and integrity of a system provided by a regulated entity.
The Bill will introduce a two-stage reporting structure requiring regulated entities to notify their regulator and the NCSC of a significant security incident no later than 24 hours after becoming aware of it, followed by an incident report within 72 hours. The reporting regime will be similar to, and no more onerous than, that in the NIS2 Directive. Firms that provide digital services and data centres that experience a significant incident will also be required to alert customers who may be affected.
The ICO's information-gathering and enforcement powers will be enhanced, and regulators will be empowered to set up new fee and cost recovery regimes.
The Bill will seek to introduce powers for the SoS to update the regulatory framework without the need for primary legislation, subject to certain safeguards. This will allow the SoS to cover new sectors and sub-sectors and to make changes to the responsibilities of the regulators. The government will also be able to introduce new obligations on regulated entities after appropriate consultation.
In addition to the previous measures which had been widely expected or already announced, the government is also considering the following:
New executive powers for the government to direct an entity, or to empower a regulator to take action, in the interests of national security, subject to safeguards. This would work in a similar way to the powers under the Telecommunications (Security) Act 2021.
The government plans to introduce the Cyber Security and Resilience Bill later this year. The reform of the 2018 NIS Regulations has been on the horizon for some time. Since NIS2 was proposed, successive UK governments have talked about updating the 2018 NIS Regulations in a similar fashion, and there have been two previous consultations on the issue. This now looks set to be done in the upcoming Bill, as expected. To what extent the UK version will mirror the EU's remains to be seen, but businesses will welcome the government's focus on streamlining reporting requirements and ensuring the regime is no more onerous than that under NIS2.
Perhaps more controversial will be the significant expansion in the powers of the SoS, particularly if the government goes ahead with elements that are currently under consideration to give itself new executive powers. The EU will, no doubt, be watching closely for any 'scope creep' impacting its own businesses or citizens, even though the legislation will not be targeted at personal data.
Potentially, in-scope organisations will need to keep track of incoming obligations, and some EU cross-border organisations may have to integrate these into an already complex regulatory framework beyond NIS2. For more on this, see our edition of Global Data Hub, which focuses on cyber security and digital resilience in the EU and UK.