The UK's Cyber Security and Resilience (Network and Information Systems) Bill was presented to Parliament on 12 November 2025. Much of what the Bill contains was trailed in the government's April 2025 policy statement.
The Bill largely expands and updates the scope of the current 2018 NIS Regulations, which implemented the EU NIS Directive (since replaced in the EU by the NIS2 Directive, enacted after Brexit). The focus of the Bill is therefore on operators of essential services (OESs), relevant digital service providers (RDSPs), relevant managed service providers (RMSPs) and their supply chains.
More entities in scope of the regulatory framework
Proposed changes to the 2018 NIS Regulations will be largely in line with the EU's NIS2. The Bill continues to cover the existing sectors of transport, energy, drinking water, health and digital infrastructure, together with the relevant digital services already regulated under the 2018 Regulations (online marketplaces, online search engines and cloud computing services).
Managed service providers are brought into scope (with exemptions for SMEs). Certain data centres will also be brought into scope: data infrastructure is classed as a relevant sector, and data centres are treated as essential services above a capacity threshold of 1 MW (10 MW for enterprise data centres). In addition, large load controllers are designated as OESs where the potential electrical load they control in relation to relevant smart appliances is 300 MW or more, and the definition of cloud service providers is revised.
Regulators will get new powers to identify and designate specific high-impact suppliers as "critical suppliers" and impose security obligations on them equivalent to those of other regulated entities.
The Bill explicitly states that OESs may be designated whether or not a person is established in the UK.
Security duties
The security duties are amended, but arguably of more significance are the powers of the Secretary of State to further expand the regime through secondary legislation.
Incident reporting and transparency
The Bill updates and enhances current incident reporting requirements for regulated entities, both in terms of what must be reported and when. Transparency requirements for digital services and data centres will be enhanced and amendments are made to information sharing provisions.
Reporting requirements will expand to cover incidents capable of having a significant impact on the provision of an essential service or relevant digital service, and incidents that significantly affect the confidentiality, availability, authenticity or integrity of a system provided by a regulated entity.
The Bill introduces a revised two-stage reporting structure: regulated entities must notify their regulator of a significant security incident no later than 24 hours after becoming aware of it, and must follow up with an incident report within 72 hours. Data centre OESs must notify their regulator where they become aware that a data centre incident has occurred or is occurring, and a data centre OES that experiences a significant incident must also alert customers who may be affected.
Powers of the Secretary of State and regulators
The Secretary of State (SoS) will issue a Code of Practice and set out a Statement of Strategic Priorities in relation to the security and resilience of network and information systems, to which regulators are required to have regard. The SoS has powers to update the regulatory framework without the need for primary legislation subject to certain safeguards. This will allow the SoS to cover new sectors and sub-sectors and make changes to the responsibilities of the regulators. The government will also be able to introduce new obligations on regulated entities after appropriate consultation.
The Secretary of State also has powers to instruct regulators and the organisations they oversee to take specific steps to prevent cyber attacks where there is a threat to national security.
Regulators' information gathering, information sharing, inspection and enforcement powers are revised and enhanced, and regulators take on obligations to produce specified guidance. Regulators will also be empowered to set up new fee and cost recovery regimes, including a cost recovery scheme under which a NIS enforcement authority may impose periodic charges.
Sanctions
Sanctions for non-compliance have been significantly increased. The "standard maximum amount" for penalties where the person is an undertaking is the greater of £10,000,000 or 2% of the undertaking's turnover (both inside and outside the United Kingdom); in any other case, it is £10,000,000. The "higher maximum amount" is, where the person is an undertaking, the greater of £17,000,000 or 4% of the undertaking's turnover (both inside and outside the United Kingdom); and in any other case, £17,000,000.
Penalties for non-compliance with national security directions can be up to £17,000,000, or where regulations are in force, the greater of £17,000,000 and 10% of the turnover of the undertaking (both inside and outside the United Kingdom).
What does this mean for you?
While for certain essential and digital services like healthcare, energy and transport, the proposals build on the existing requirements under the UK NIS Regulations, the enhanced compliance burden could be significant, including in relation to security requirements, incident preparedness, incident reporting, and supply chain compliance.
Other organisations will be brought in scope and regulated for the first time, in particular MSPs and data centres. The focus on the wider technology supply chain means that providers of IT services such as IT management, IT help desk support and cyber security services to private and public sector organisations (for example the NHS) will be regulated where they meet certain size thresholds, and will need to meet clear security and incident management duties.
Enhanced incident reporting requirements, additional powers for the SoS and regulators, and a stronger enforcement regime, including turnover-based penalties, send a clear message of the government's intent in bolstering the UK's cyber resilience.