
Cyber Security and Resilience Bill - what will it do?

Posted: 30/07/2025


During the King's Speech in July 2024, the government announced its intention to bring a Cyber Security & Resilience Bill (the Bill) before Parliament later this year. As cyber threats in the UK are growing in scale and impact, affecting public services and businesses, the government's aim through the introduction of the Bill is to boost the adoption of cyber defences to protect organisations and support economic growth.

The existing regulations are limited and cover only select sectors, highlighting the urgent need for broader and updated cybersecurity legislation. Subsequently, in April 2025, the Department for Science, Innovation and Technology published a policy statement that put some meat on the legislative bones of the forthcoming new Bill.

Why is legislation required?

As the policy statement itself records: 'Hostile cyber activity in the UK has grown more intense, frequent, and sophisticated, with real world impacts for UK citizens.' 

The policy statement cites as examples last year's ransomware attack on the NHS, which resulted in over 11,000 postponed appointments and procedures; the compromise of the Ministry of Defence's payment network; and attacks on Southern Water, Leicester City Council and St Helens Borough Council. The 2024 Cyber Breaches Survey recorded that more than half of businesses had reported some form of cyber security breach or attack in the preceding 12 months.

This is set against the government's acknowledgement that cyber security is a critical enabler of economic growth, fostering a stable environment for innovation and investment.  As the policy statement notes: 'Secure and robust digital services create a stable and secure environment for businesses to thrive, attracting investment and encouraging the development of cutting-edge technologies. This stability not only enhances the competitiveness of individual companies but also drives overall economic progress by reducing downtime and operational disruptions.'

The goal of the Bill is therefore to 'increase the uptake of essential cyber defences'. The government says this will protect more entities from cyber-attacks and foster 'an environment in which investment and innovation can thrive'.

In that regard, the UK's current regulatory framework is extremely limited. The Network and Information Systems (NIS) Regulations 2018 (the NIS Regulations) are currently the UK’s only cross-sector cyber security legislation. Those regulations place some security duties on Operators of Essential Services (OES), covering operators in only five specific sectors - transport, energy, drinking water, health and digital infrastructure - and on Relevant Digital Service Providers (RDSP), covering cloud computing services, online marketplaces and online search engines, but little more. Regulatory reform is therefore of paramount importance, given the increasing number and complexities of cyber-attacks.

The Bill – what is likely to be included?

There appear to be two key limbs to the government's approach: broadening the scope of the regulatory regime, and empowering regulators and enhancing oversight.

Broadening the scope of the regulatory regime

If the proposals set out in the government's recent policy statement are adopted, the Bill will considerably broaden the scope of the current NIS Regulations, bringing in more organisations and suppliers.  This includes bringing Managed Service Providers (MSP) and data centres into the regulatory regime and enabling regulators to specify Designated Critical Suppliers (DCS).

MSPs subject to regulation will include any service which is:

  • 'provided to another organisation (ie not in-house)
  • relies on the use of network and information systems to deliver the service
  • relates to ongoing management support, active administration and/or monitoring of IT systems, IT infrastructure, applications, and/or IT networks, including for the purpose of activities relating to cyber security, and
  • involves a network connection and/or access to the customer’s network and information systems'.

The proposal is that MSPs would be subject to the same obligations as RDSPs and would be regulated by the Information Commissioner's Office (ICO), which will have information gathering, investigation and enforcement powers. The policy statement estimates that this is likely to affect between 900 and 1,100 MSPs.

Data centres at or above 1MW capacity would also be brought within the scope of the regulations, irrespective of the nature of the service(s) offered from them or their ownership, unless they are enterprise data centres (ie those operated by a business solely to deliver and manage that business's own IT needs), which will only be in scope at or above 10MW capacity. The indication is also that these capacity limits can be adjusted over time to take account of market developments and the risk landscape.

While the policy statement does not expressly confirm whether data centres will be treated as OESs or RDSPs, given that the government has previously designated them as Critical National Infrastructure, it is widely expected that they will fall under the OES category. There are currently 224 colocation data centres in the UK managed by 68 operators and, of these, it is expected that 182 third party sites and 64 operators would fall within scope.

In addition, in order to strengthen supply chain security, regulators would be granted powers to designate organisations as DCSs, ie specific high-impact suppliers. This designation would be made when the supplier's goods or services are so critical that disruption could significantly affect the essential or digital services it supports. Indicative criteria for designation as a DCS are:

  • Supply of goods or services: ie a supplier who provides goods or services (including digital services) to an OES (regulated by that regulator) or to an RDSP (in the case of the ICO).
  • Significant disruptive effect: where the regulator judges that a failure or disruption in that supplier’s goods or services – or an incident affecting the supplier’s network and information systems – could have a significant disruptive effect on the provision of the essential or digital service.
  • Reliance on networks and information systems: where the supplier’s goods or services depend on networks and information systems, making them relevant to the scope of the regulatory framework. This is intended to ensure that suppliers only fall within scope if their goods or services involve or rely upon technology such as IT infrastructure or operational technology that could be targeted or disrupted.
  • Not already regulated: that the supplier is not subject to similar cyber resilience regulations elsewhere.

Designation as a DCS will bring such suppliers directly within the scope of core security requirements and incident reporting obligations, ensuring consistent standards across the most critical tiers of the supply chain. 

Finally, the policy statement also proposes to empower regulators to designate micro or small RDSPs - which are currently exempt - as being subject to NIS Regulations if they meet the designation criteria above.

Empowering regulators and enhancing oversight

The plans for the Bill outlined in the policy statement include:

  • Technical and methodological security requirements: the government intends to put the National Cyber Security Centre's (NCSC) Cyber Assessment Framework (CAF) on a 'firmer footing' to make it essential for firms to follow best practice. The Secretary of State will be given powers to make regulations to update the existing requirements and powers to issue a code of practice that sets out guidance on how regulatory requirements should be satisfied.
  • Improving incident reporting: the Bill will update and enhance the current incident reporting requirements for regulated entities by expanding the incident reporting criteria, updating incident reporting times, streamlining reporting (by reporting to the regulator and NCSC simultaneously), and enhancing transparency requirements for digital services and data centres. In particular, the Bill is intended to introduce the following:
    - an expanded scope of reportable incidents, from incidents that have resulted in an interruption to continuity of the service to now include cybersecurity incidents that are capable of having a significant impact on the provision of the services, even if no such impact has yet occurred;
    - a two-stage reporting structure which will require regulated entities to notify their regulator and also to inform NCSC of a significant incident no later than 24 hours after becoming aware of that incident, followed by an incident report within 72 hours. Firms that provide digital services and data centres that experience a significant incident will also be required to alert customers who may be affected by that incident.
  • Improved ICO information gathering powers: the Bill will enhance the ICO’s ability to gather information to assist them in determining the criticality of regulated digital services and their risk-based approach. This includes:
    (a) an expanded duty for firms that provide digital services to share information with the ICO on registration;
    (b) expanded criteria for the ICO to use their existing power to serve information notices on firms that provide digital service; and
    (c) appropriate information gateways for other entities, outside the scope of the NIS Regulations, to share information with the ICO. The Bill will also give the ICO powers to take enforcement action where a firm fails to register with it.
  • Improved cost recovery mechanisms for regulators: the Bill will introduce the ability for regulators to set up new fee regimes, allowing for fees to be levied as well as recovering costs via invoices, including enforcement costs.
  • Powers of direction (regulated entities): the government is considering giving the Secretary of State the power to issue a direction to a regulated entity in relation to a specific cyber incident or threat, requiring the entity to take action to remedy the incident or threat where necessary and proportionate for reasons of national security.
  • Powers of direction (regulators): similarly, the government is considering equipping the Secretary of State with a new power to issue a direction to a regulator on national security grounds, requiring them to exercise their functions to ensure that action is undertaken across their sectors. 

Will it help?

Taken together, these new legislative proposals would represent a significant upgrade on the inadequate current regulatory framework.

Depending on the final wording of the Bill and which proposed measures survive, the combined effect of all of the additional measures under consideration could potentially give the UK some of the strongest regulatory protections in the world against advanced attackers targeting our critical national infrastructure. It is also clear that the government intends to try to align the UK - at least in part - with the EU's equivalent NIS2 Directive.

However, while the government's intentions are clear, the devil is in the detail. The precise wording of the Bill remains unknown and we do not yet have an indicative date as to when it will be published or whether further consultation will take place first.      

Furthermore, the government's sectoral approach to regulation, with separate industry regulators given more powers to regulate their own sectors, also carries its own risks, not least that we could end up with a fragmented patchwork of different approaches applied across different sectors with no coherent overarching strategy to tie them all together. 

The government, for its part, appears to be alive to this risk and has included within the policy statement, by way of mitigation, a proposal that the Secretary of State will produce a periodic 'statement of strategic priorities' to regulators, accompanied by a requirement for regulators to report on their progress towards such priorities, to ensure that their objectives and expectations for implementation are consistent and aligned. However, how effective that will be is a matter that can only be assessed in practice.

For now, based on the policy statement, the Bill is expected to be a significant positive step forward, but we will know more when the Bill itself is actually published.

How to prepare

Organisations can begin to prepare for the introduction of the Bill now, ahead of its publication, as follows:

  • Determine regulatory scope: Conduct an assessment to establish whether the organisation falls within the scope of the Bill and identify any associated statutory obligations.
  • Identify compliance gaps: Review existing cybersecurity policies and procedures to ensure alignment with any new obligations. Where deficiencies are identified, update such policies and provide appropriate staff training.
  • Review supplier contracts: Examine supplier agreements to ensure they include appropriate cybersecurity clauses, risk allocation provisions, and continuity planning. Amend contracts as necessary to ensure legal robustness and compliance with the Bill.
  • Audit cybersecurity frameworks: Conduct an audit of the organisation’s cybersecurity infrastructure to evaluate whether current capabilities meet the required regulatory standards and risk management expectations.
  • Update user-facing legal documents: Where changes to cybersecurity practices affect end users, review and revise customer terms, privacy policies and service agreements to reflect the organisation’s updated legal position and obligations.


Penningtons Manches Cooper LLP

Penningtons Manches Cooper LLP is a limited liability partnership registered in England and Wales with registered number OC311575 and is authorised and regulated by the Solicitors Regulation Authority under number 419867.