UK Government Introduces Landmark Cyber Security and Resilience Bill
New legislation widens the UK's cyber-defence laws in response to a rising threat level and targets supply-chain vulnerabilities
The United Kingdom’s government formally introduced the Cyber Security and Resilience (Network and Information Systems) Bill to Parliament on 12 November 2025, signalling a major overhaul of the country’s cyber-defence framework.
The Bill builds on the existing Network and Information Systems (NIS) Regulations 2018 and is designed to modernise protections for essential services as the threat landscape intensifies.
Key features of the Bill include a significantly expanded scope that brings data-centre operators, large load controllers and medium and large managed service providers within the regulated perimeter.
The legislation clarifies the definition of digital service providers and extends duties to cover third-party systems on which those services rely.
Regulators will gain new powers, including authority for the Secretary of State to issue directions to regulated entities where a cyber incident poses a risk to national security.
Other major changes include a move to a cost-recovery regime for enforcement, allowing regulators to levy fees and charges rather than only recovering "reasonable costs" as under the current rules.
The maximum financial penalty for serious breaches will rise from £17 million under NIS to either £17 million or four per cent of worldwide annual turnover, whichever is higher.
For certain categories of organisation, the Bill mandates an initial incident notification within 24 hours of becoming aware of a significant incident, followed by a full report within 72 hours.
Government sources estimate that cyber-attacks cost the UK economy around £14.7 billion per year, and that regulators handled 429 nationally significant incidents in the past 12 months.
The Bill aims to bolster national resilience and economic stability by forcing greater accountability across the supply chain and expanding regulatory reach into sectors flagged as key vulnerabilities.
While the legislation has been welcomed as a "step-change" in the UK's cyber posture, some industry voices caution that its scope remains too narrow, leaving out entire sectors such as retail despite major attacks affecting them, and that many organisations will need help meeting the new compliance burden.
The government has acknowledged that sector-specific guidance and secondary legislation will follow once the Bill passes through Parliament.
Introduction marks only the start of the Bill's parliamentary passage: it must still complete its readings and committee stages in both Houses before it can receive Royal Assent.
If enacted, it will represent the most significant update to the UK’s cyber-resilience framework in years and will have wide-ranging implications for boards, risk management and supply-chain governance across the economy.