UK Cybersecurity Reform: Planned changes in the Cyber Security and Resilience Bill

Written By

Rory Coutts

Associate
UK

I am an associate in our Commercial Group, and I advise clients in the technology and communications sector.

Matthew Buckwell

Senior Associate
UK

I am an associate in our Commercial Group, and I advise clients on the global challenges facing the digital and communications sector as well as providing counsel on new technologies and their relationships with the use of data.

The UK Government has published greater detail on its ambitions for a forthcoming Cyber Security and Resilience Bill (“Bill”), expected this year. The Bill is expected to update the UK’s core cybersecurity legislation, set out in the NIS Regulations 2018 (“NIS”).

The Bill and its updates to NIS are part of a broader strategy to update the UK’s cybersecurity regime in line with international standards, notably the EU's NIS2 Directive, and to raise cybersecurity preparedness in the UK economy.

What has happened?

The Government has published a policy statement outlining its planned changes in the Bill. The statement does not represent finalised Government policy, but instead outlines the general intent and expected impact of the Government’s plans. 

Some of the policy ideas in the statement have been discussed before. For example, the idea to bring managed service providers in scope builds on past consultations carried out by previous governments. Other proposals are new, and these will all be developed further by Government before the Bill is published. 

Importantly, the statement and subsequent Bill are part of a broader effort from the UK Government to update its cybersecurity framework. Other workstreams include a Home Office consultation on ransomware reporting, an ongoing resilience review expected to be finalised this Spring and designation of data centres as critical national infrastructure. 

What are the Government's plans?

The statement puts forward proposals on sectors and organisations which could be brought into scope of NIS, enhanced obligations for those in scope, and greater powers of enforcement. 

At present, NIS applies to the following organisations: 

  1. Operators of Essential Services (“OES”) – covering those operating in sectors such as electricity, oil, gas and transportation, subject to sector-specific criteria or designation by a competent regulator; and
  2. Relevant Digital Service Providers (“RDSPs”) – covering cloud computing services, online marketplaces and online search engines.

The Government is planning to expand these definitions, namely by adding the following categories of service providers:

For each category, the statement sets out the proposed scope (Detail) and the expected effect of bringing it into NIS (Impact).

Managed Service Providers (“MSPs”)

Detail

MSPs would include a service which:

  1. Is provided to another organisation (i.e., not in-house);
  2. Relies on the use of network and information systems to deliver the service;
  3. Relates to ongoing management support, active administration and/or monitoring of IT systems, IT infrastructure, applications and/or IT networks, including for the purpose of activities relating to cyber security; and
  4. Involves a network connection and/or access to the customer’s network and information systems.

MSPs would be subject to the existing obligations applicable to RDSPs under NIS and to oversight from the Information Commissioner’s Office (“ICO”).

Impact

This is not a new proposal and builds on past consultations carried out by previous governments.

The Government estimates that this would apply to 900-1100 MSPs.

This would also align with the position under the EU NIS2 Directive.

Designated Critical Suppliers (“DCS”)

Detail

Regulators could be granted powers to designate specific high-impact suppliers as DCS. Indicative criteria for designation as a DCS are:

  1. Supply of goods or services: The supplier provides goods or services (including digital services) to an OES (regulated by that regulator) or to an RDSP (in the case of the ICO).
  2. Significant disruptive effect: The regulator judges that a failure or disruption in that supplier’s goods or services – or an incident affecting the supplier’s network and information systems – could have a significant disruptive effect on the provision of the essential or digital service.
  3. Reliance on networks and information systems: The supplier’s goods or services depend on networks and information systems, making them relevant to the scope of the regulatory framework. This is intended to ensure that suppliers only fall within scope if their goods or services involve or rely upon technology (such as IT infrastructure or operational technology) that could be targeted or disrupted.
  4. Not already regulated: The supplier is not subject to similar cyber resilience regulations elsewhere (e.g., under Part 2 of the Communications Act 2003, as amended by the Telecommunications (Security) Act 2021) or elsewhere under the 2018 Regulations.

The statement also proposes that micro or small RDSPs (which are currently exempt) could be designated as subject to NIS. This could apply where such RDSPs play a pivotal role in supporting essential services.

Impact

DCS would be subject to ‘comparable’ obligations to those applicable to OES and RDSPs. It is not immediately clear whether this means that a DCS’s obligations would mirror those of the entity it supplies (i.e., OES or RDSP) or whether a single set of obligations would apply regardless.

In terms of designated micro or small RDSPs, the Government expects the number of RDSPs eligible for designation to be small, which will narrow the impact in practice.

Data Centres

Detail

Data centres would be in scope at or above 1MW capacity, except for enterprise data centres, which would only be in scope at or above 10MW capacity.

Past government consultations on this topic suggested a working definition which closely mirrors that used in EU NIS2 (note this is not explicitly referred to in the statement but is included by B&B by way of guidance):

“A structure, or group of structures, dedicated to the centralised accommodation, interconnection and operation of information technology and network telecommunications equipment providing data storage, processing and transport services together with all the facilities and infrastructure for power distribution and environmental control together with the necessary levels of resilience and security required to provide the desired service availability”.

Impact

Whilst the statement does not specify whether data centres would be classed as OES or RDSPs, it is significant that last year the Government classed data centres as Critical National Infrastructure, suggesting that they could fall under the OES category in future. The statement also does not say whether data centres would fall under the responsibility of the ICO or another regulator.

This proposal is not new and was discussed as part of a 2023 consultation, which suggested that the definition of a data centre could extend to colocation and co-hosting data centre services as well as the working definition above.

The Government refers to research noting there are currently 224 colocation data centres in the UK, managed by 68 operators. Of these, around 182 third-party sites and 64 operators would fall within scope.

This would also align with the position under the EU NIS2 Directive.

Greater obligations for organisations in scope

The statement outlines plans in the Bill to enhance requirements for organisations in scope of NIS: 

  • Supply chain duties: the statement outlines that the Government would be given powers to set duties for OES and RDSPs in secondary legislation to manage their supply chains. This could include contractual requirements, security checks or continuity plans to prevent vulnerabilities in suppliers from undermining essential or digital services.
  • Technical requirements: the Government plans to place the NCSC’s Cyber Assessment Framework (“CAF”) and technical standards under NIS on a stronger statutory footing by setting ‘technical and methodological security requirements’. The statement mentions that NIS standards which are currently applicable only to RDSPs could be applied to OES too. Furthermore, standards could be brought in line with those under the EU’s NIS2, which provides far more granular detail on the security requirements that entities must follow (see our summary, which touches on these granular NIS2 requirements, here). The statement adds that a code of practice would supplement any updated regulatory requirements.
  • Incident reporting (scope): the Bill would expand reportable cybersecurity incidents to capture incidents that are capable of having a significant impact on the provision of the essential or digital service, and incidents that significantly affect the confidentiality, availability and integrity of a system. Examples of incidents that would be reportable under the new framework include compromises of data confidentiality, spyware attacks that use firms providing digital services (including MSPs) as a vector to access other organisations, or other incidents significantly affecting the integrity of a system.
  • Incident reporting (timeframes): the Government plans to introduce a two-tiered reporting timeframe. This would require organisations to report to their corresponding regulator (which can differ for OES) and to the NCSC (reporting to which is currently voluntary) no later than 24 hours after becoming aware of an incident, followed by an incident report within 72 hours. This would again align with the position in the EU NIS2 Directive.

Additional enforcement and oversight powers

The Government also intends to revamp the powers of the Secretary of State, regulators, and fees for registering under NIS: 

  • Powers of direction to entities: the Secretary of State would be given powers to instruct regulated entities, requiring them to take action to address threats to and incidents affecting their systems where there is a significant threat to national security;
  • Powers of direction to regulators: the Secretary of State would be given powers to instruct a regulator on national security grounds, requiring them to exercise their functions;
  • Enhanced ICO powers: the ICO currently regulates RDSPs under NIS and, once the Bill is passed, would regulate MSPs as well. The Government plans to give the ICO greater powers to require information from organisations when they register with the ICO for the purposes of NIS, further scope to issue information requests, and powers to enforce against a failure to register with the ICO;
  • Fees and cost recovery: the statement describes plans to set fees payable by registered organisations as well as recovering costs via invoices. It is not clear how cost recovery mechanisms would work, but the shift to levying fees is a departure from the current model, under which NIS registration in the UK is free. If fees follow the same general structure as the ICO’s GDPR registration fees, they are likely to be proportionate to revenue and/or staff headcount;
  • Delegated powers: the statement mentions plans to give the Secretary of State powers to amend legislation, after public consultation, without passing through a full legislative cycle. The intention is to allow the Government to quickly update UK cyber rules in line with new cyber threats. The statement flags that these powers could apply in particular to the supply chain security requirements and the technical and methodological security requirements described above. This is a common approach in UK legislation in recent years and can lead to surprises for organisations, which may face short windows to bring their operations into compliance with new requirements; and
  • Statements of strategic priorities: the statement notes that the Bill would give the Secretary of State powers to issue strategic priorities for regulators with oversight of organisations subject to NIS.

Next steps

At this stage much of the detail and exact wording of the Bill remains to be seen. However, organisations following the UK’s cybersecurity reform will be able to draw some inferences on the direction of travel from the statement, and some comfort from the fact that the UK is looking to align, at least in part, with the EU NIS2 Directive.

At present, we do not have a firm date for when any consultations and ultimately the Bill will be published but we expect this to be 2025. 

For more information, please contact Rory Coutts and Matthew Buckwell.
