The UK’s new Cyber Security and Resilience Bill

Cyber attacks inflict substantial costs on the UK economy (estimated at almost £15 billion per year). In its Annual Report, published in October 2025, the UK's National Cyber Security Centre (NCSC) reported a record 204 nationally significant cyber attacks in the year to September 2025, up from just 89 in the previous year. This equates to an average of four major attacks a week. The last few years have seen ransomware and supply chain attacks disrupt the NHS, local authorities, utilities, and the Ministry of Defence’s payroll via a managed service provider.

These attacks are increasingly sophisticated, often linked to advanced persistent threat actors—either state-backed or highly capable criminal groups. Artificial intelligence is being weaponised to make phishing and social engineering attacks more efficient and effective (e.g. through deepfakes), so that they are ever more difficult to spot and quicker to execute.

The Bill brings the following entities into scope of the NIS regime if the entity provides relevant services in the UK, regardless of whether the entity is established in the UK.

• Data Centres

Data centres are brought into scope as “essential services", recognising their pivotal role in sustaining the backbone of the UK digital economy.  Data centres include both the physical structure containing an area for housing, connecting, and operating IT equipment, and the supporting infrastructure - the supply of electricity, cooling/environmental, and security/resilience systems.

Thresholds apply in order for a data centre to fall within the Bill's scope: a rated IT load of 1MW for standalone data centres and 10MW for enterprise data centres (an enterprise data centre is one that is owned and operated by an organisation to support only the business of that organisation).

Competent authorities responsible for the regulation of data centres include the Secretary of State for Science, Innovation and Technology and OFCOM (acting jointly).

• Managed Service Providers 

The Bill brings "relevant managed service providers" (RMSPs) into scope as a new category of provider, distinct from RDSPs, although both RMSPs and RDSPs will be overseen by the Information Commission (as the ICO will then be known). 

• Critical Suppliers

In recognition of the substantial risk posed to essential services by vulnerabilities within their supply chain, regulators (competent authorities (for OES) or the Information Commission (for RDSPs and RMSPs)) will for the first time have power to designate as "critical suppliers" specific businesses supplying goods or services directly to an OES, RDSP, or RMSP. Once designated, those entities become directly subject to the NIS regime as "regulated persons", notwithstanding that they would not otherwise have been caught by it.

The criteria for designation need to be thrashed out further but ultimately depend on whether the disruption caused by an incident affecting a system on which the supplier relies is "likely to have a significant impact on the economy or the day-to-day functioning of society in the whole or any part of the UK".  The government gives, as examples, providers of healthcare diagnostics to the NHS or chemicals to water companies.

As critical suppliers could be designated by multiple competent authorities, those authorities are required to coordinate with each other in relation to designation decisions.

• Load Controllers 

Entities that manage the flow of electricity to energy “smart” appliances (e.g., EV charging points, heating systems) with ≥300MW aggregate control will be brought into scope as OESs, bolstering resilience for the UK’s energy grid and smart technology. 

The Bill also seeks to clarify definitions in NISR 2018, most notably the definition of "cloud computing service", the current scope of which has given rise to some uncertainty. 

There are changes both to the timing of, and threshold for, notification of incidents.

Regulated entities must notify both their regulator and the CSIRT (NCSC) of incidents initially within 24 hours, followed by a full report within 72 hours. This is a tightening of the current NISR 2018 regime, under which the requirement is to notify without undue delay and in any event no later than 72 hours after becoming aware of an incident.

The Bill also broadens the types of notifiable incidents. Under NISR 2018, for example, operators of essential services only have to report incidents that have “a significant impact on the continuity of the essential services" they provide (i.e., incidents that disrupt the service). However, according to the Bill, while the "incident" definition varies slightly depending on the services in question, incidents that are capable of having a significant impact– ie. near misses, not just cases of actual impact–trigger the notification requirement. 

The new regime enables NCSC to build a more immediate, centralised threat picture for the UK as major incidents unfold, supporting national response planning.

The Secretary of State will have the flexibility, through secondary legislation and following consultation, to expand the scope of the NIS regime to cover additional sectors by specifying new “essential activities" and "regulated persons" and to introduce detailed security and resilience requirements.

The Secretary of State can also issue statutory Codes of Practice, subject to consultation and parliamentary scrutiny, describing detailed expected compliance measures for regulated entities.

The Bill also facilitates the sharing of information between regulators, government bodies, and overseas authorities for cross-border threat coordination.

To mitigate or prevent national security risks stemming from cyber threats, the Secretary of State is given specific powers to direct regulated entities and their regulators to take mandatory steps. Obligations imposed under such emergency directions take precedence over other legal or regulatory requirements.

The Bill and the EU’s NIS2 share many features—expanded scope, heightened supply chain focus, tougher penalties, and an emphasis on rapid incident reporting. Yet NIS2 covers a much broader range of sectors (18 in total) than the Bill. For example, unlike NIS2, the Bill does not cover manufacturing or the food sector. Some see the Bill's narrower scope as a "miss" by the government, particularly in the light of the significant damage and disruption caused this year by attacks on UK retailers like Marks and Spencer and on Jaguar Land Rover (the cyber attack on JLR is estimated to have cost the UK economy £1.9bn). However, the Bill provides considerable flexibility for the regulatory net to be cast more widely should this prove necessary, as we explained in section 4 above and through regulators' "critical supplier" designation powers.

Finally, the Bill does not include measures previously proposed by the government to ban ransomware payments by operators of critical national infrastructure and increase reporting of ransomware payments economy wide.  Businesses should continue to watch out for the outcome of the government's consultation on these proposals (see our previous briefing on the government's ransomware payment proposals). 

The Bill is only at the beginning of its parliamentary journey. While businesses should begin assessing whether they are in scope under the proposed reforms, and prepare for a more rigorous compliance environment ahead, it will be important to monitor how the Bill evolves as it progresses through Parliament.