Cyber Security & Resilience Bill: Broader Scope, Tougher Obligations
The Cyber Security and Resilience Bill, introduced in November 2025 and presently at Committee stage in the House of Commons, aims to strengthen the UK’s defences against rising cyber threats by modernising and expanding the existing Network and Information Systems Regulations 2018 ("NIS 2018").
Its purpose is to protect essential public services and the wider economy by improving the security and resilience of critical infrastructure.
The Bill broadens the scope of NIS 2018 to include more sectors (such as managed service providers and data centres), introduces stricter incident reporting, and gives regulators stronger enforcement powers to ensure the UK can better withstand cyberattacks.
1. Background
The Bill forms part of a wider, deliberate government effort to strengthen the UK’s cyber resilience in response to the rapidly escalating threat landscape.
UK Government analysis published in November 2025 describes the UK as the most targeted country for cyber attacks in Europe. The National Cyber Security Centre ("NCSC") reports that it dealt with 204 "nationally significant" incidents in the 12 months to August 2025, including 18 "highly significant" incidents. This represented a 50% year-on-year increase. Government briefings and press reporting estimate the annual cost of cyber-attacks to the UK at almost £15bn. Recent high-profile incidents affecting M&S, Harrods and Jaguar Land Rover have reinforced the urgency.
In October 2025, the Government wrote directly to FTSE 350 chief executives and set out three requests:
- Make cyber risk a board-level priority using the Cyber Governance Code of Practice.
- Sign up to the NCSC Early Warning service to detect malicious activity sooner.
- Require Cyber Essentials in supply chains as a minimum baseline.
In January 2026, the Government Cyber Action Plan announced a Government Cyber Unit backed by over £210 million in central investment.
2. New In-Scope Entities
The Bill expands the scope of NIS 2018 to include the following entities where they offer services into the UK, even if they are established overseas.
Data centres
Data centres are brought into scope as operators of essential services ("OESs") where their rated IT load is at least 1MW (for non-enterprise data centres) or 10MW (for enterprise-only data centres, i.e. those owned and operated by an organisation solely to support that organisation's own business). "Rated IT load" means the maximum electrical power available to operate the IT equipment housed in the data centre.
A data centre includes both the physical structure containing an area for housing, connecting and operating IT equipment, and the supporting infrastructure, including power supply, environmental controls, and security and resilience systems.
Large load controllers
Large load controllers are brought into scope as OESs where they have the potential to control 300MW or more of electrical load to and from relevant electrical smart appliances. These appliances include electric vehicles, EV charge points, electrical heating appliances, battery energy storage systems and virtual power plants.
Load controllers are organisations that manage the flow of electricity to energy‑smart appliances, such as supporting electric vehicle charging during off‑peak times. They are an important tool for optimising the electricity system by reducing electricity use during peak periods, which minimises the amount of generation and network infrastructure needed to meet peak demand.
Managed service providers
Managed service providers who meet the definition of a "relevant managed service provider" ("RMSP") are brought into scope.
A business qualifies as an RMSP if:
- it provides a "managed service" in the UK; and
- it is not a micro or small enterprise (a small enterprise is a business with fewer than 50 employees and an annual turnover or annual balance sheet total not exceeding €10 million).
"Managed services" are ongoing IT management services provided under contract, involving support, maintenance, monitoring, or administration of a customer’s systems, where the provider accesses the customer’s network or information systems either on‑site or remotely.
The Government's policy paper on RMSPs states that a managed service can include IT outsourcing (for example, remote IT support or helpdesks, management of applications such as email, and IT infrastructure management) and managed security services, such as security operations centre services and security information and event management.
Designated critical suppliers
Regulators will, for the first time, be able to designate certain businesses as "critical suppliers" where they provide goods or services directly to an OES, a relevant digital service provider ("RDSP") or an RMSP, provided specific conditions are met – particularly whether disruption from an incident affecting a system the supplier relies on is likely to have a significant impact on the UK’s economy or the day‑to‑day functioning of society.
Government examples include businesses supplying healthcare diagnostics to the NHS or chemicals to a water company, where the criteria are met.
Designated critical suppliers will be required to meet statutory cyber security requirements and take appropriate steps to manage and reduce risks.
These changes reflect growing supply‑chain cyber risk, with suppliers to essential and digital services increasingly targeted by attackers seeking to cause widespread disruption.
If your organisation is likely to be brought within the scope of NIS 2018 as a result of the Bill, you should assess the obligations you will need to meet under NIS 2018 (together with the amendments introduced by the Bill – see further details below) and begin planning how you will comply. You should also continue to monitor the Bill’s progress through Parliament, as further changes may still be introduced.
3. Secretary of State – Heightened Powers
The Bill gives the Secretary of State strengthened powers, including the ability to issue a Statement of Strategic Priorities setting out national objectives that all relevant regulators must follow, ensuring greater consistency across sectors. The Secretary of State is also empowered to make regulations on the security and resilience of network and information systems, and to impose specific requirements on regulated entities, allowing the regime to evolve quickly in response to emerging threats.
Regulators will be empowered to recover the costs associated with their regulatory duties from regulated entities, so they are better resourced to carry out their responsibilities.
4. Faster Incident Reporting Obligations
The current regime means that regulators are only informed about cyber incidents once they have caused significant disruption. As a result, incidents where systems have been compromised but disruption has not yet occurred (for example, where cybercriminals gain access to hospital systems and wait before locking staff out and demanding payment) do not trigger existing reporting requirements.
Under the Bill’s reforms, a wider range of harmful cyber breaches will need to be reported to regulators where they have the potential to cause significant impacts, even if those impacts have not yet materialised.
The Bill also introduces new reporting timelines, requiring an initial notification within 24 hours of becoming aware of an incident, followed by a full report within 72 hours. In addition, data centres, RDSPs and RMSPs will be required to notify their customers if they are likely to have been affected.
5. Tougher Penalty Regime
Under the current regime, regulators may issue a financial penalty of up to £17 million, and only for material contraventions that have created, or could have created, a significant risk to, or a significant impact on or in relation to, the regulated entity's service provision.
The new regime introduces two penalty bands, each with its own maximum:
- Up to £17 million, or 4% of a regulated entity’s worldwide turnover, whichever is higher, for more serious breaches; and
- Up to £10 million, or 2% of a regulated entity’s worldwide turnover, whichever is higher, for less serious breaches.
6. How can businesses prepare now?
A useful structure comes from the Cyber Governance Code of Practice. It is built around five board-level principles. These are Risk Management, Strategy, People, Incident Planning, and Assurance and Oversight.
- Risk Management: confirm whether services fall within scope or whether you supply in-scope entities. Map essential dependencies.
- Strategy: define risk appetite. Align budget with exposure. Link cyber resilience to business continuity and regulatory duties.
- People: confirm roles and escalation pathways across operations, legal, communications and leadership.
- Incident Planning: rehearse response and recovery. The October 2025 ministerial letter urges organisations to plan and exercise how operations would continue and rebuild after a destructive incident.
- Assurance and Oversight: measure against the Cyber Assessment Framework (CAF) outcomes. Document decisions. Build supplier baselines including Cyber Essentials where appropriate.
7. How we can help
Our BreachReddi solution helps you build robust data privacy and cyber-resilience practices, supported by expert input from Integrity360 and crisis-communications specialists THREESIXTY. Fully tailored to your business (rather than a one-size-fits-all approach), it includes targeted assessments of key risk areas and practical recommendations to strengthen your cyber defences, ensuring you can respond quickly and effectively in the event of a breach.