On 12 November 2025 the UK Cyber Security and Resilience Bill was introduced to Parliament. The Bill is designed to update the existing Network and Information Systems Regulations 2018 (NIS Regulations) to respond to growing concerns about cyber threats targeting essential infrastructure and services. The need for this is obvious given the increase in high-profile and damaging cyberattacks that we have seen over the last few years.
The Bill is a result of two post-implementation reviews of the NIS Regulations and was announced in the King’s Speech in July 2024, so at this stage there are not many surprises, but the drafting can still change as it goes through Parliament. The amended duties under the NIS Regulations will also be supplemented by further regulations, codes of practice and guidance.
Below is a summary of some of the key changes proposed in the Bill:
Extended Scope
The Bill, if passed, would extend the application of the existing NIS Regulations to persons providing:
The existing registration/representative requirements would also be extended to these service providers.
Whilst it was implicit in the existing NIS Regulations, the Bill would also make it clear that providers of public electronic communication services or networks would not be considered operators of essential services.
Critical Suppliers
The Bill also provides for the designation of persons as “critical suppliers” by the relevant regulators and/or the Information Commissioner’s Office (ICO) where the supplier is likely to have a significant impact, within its sector, on the UK economy or on the day-to-day functioning of society in the UK.
This designation can only occur after there has been a notice and a consultation with the person to be designated.
Incident Reporting
The scope of incident reporting will also be expanded, with the Government intending to capture ransomware attacks. Further, the existing NIS Regulations require that incidents meeting the reporting thresholds be reported to the regulator within 72 hours; the Bill would align this position (in part) with the EU NIS2 Directive by providing for an initial notification within 24 hours followed by a fuller report within 72 hours.
For customer notifications, the current NIS Regulations require the provider to notify the relevant regulator and that regulator may notify the public or require the provider to do so. The Bill would change this to place the obligation to notify customers directly on the provider themselves.
Practical Implications for Businesses
Organisations that are currently in scope of the NIS Regulations should consider the potential impact of the Bill on their services and their contracts, particularly managed service providers. They will also need to get ready to potentially report incidents within 24 hours of becoming aware of them.
Companies that would come into scope of the NIS Regulations because of the Bill should:
Those following the EU regime who have already implemented NIS2 will need to conduct a gap analysis to see where their existing compliance efforts can give them a head start on compliance here.
Next Steps
The Bill is only at its first reading so this is only the beginning of its journey. Businesses operating in regulated sectors should monitor developments closely and begin planning for compliance, but there is also an opportunity to influence the legislation as it passes through Parliament.
For further information on how these changes may affect your organisation, please contact Matt Buckwell.