The UK Government has introduced the Cyber Security and Resilience (Network and Information Systems) Bill (the “Bill”) to Parliament, marking the most significant update to the UK’s cyber legislation since 2018. You can access a copy of the Bill here. The Bill aims to strengthen national security and protect critical infrastructure networks in key sectors from increasingly sophisticated cyber threats.
What is the purpose of the Bill?
The Bill updates the existing 2018 Network and Information Security Regulations to address modern risks and technological developments. The Bill’s primary purpose is to impose tougher security obligations by broadening the regulatory scope and enhancing enforcement powers. At a high level, the key provisions include:
| Key provision | Detail |
| --- | --- |
| Bringing new sectors into scope of the legislation | The scope of the Bill covers data centres, managed service providers, large load controllers and designated critical suppliers. The UK Government considers these sectors to be core services relied upon throughout the UK economy. |
| Specifying what constitutes a reportable cybersecurity incident | The Bill requires organisations to report “data centre incidents” and “OES incidents” to a regulator. Although the definitions differ slightly, both categories broadly cover incidents that significantly impact the operation or security of network and information systems relied on for providing a data centre service or an essential service. An essential service is one that is critical to national infrastructure, such as water, energy or transport, or vital to the UK economy and society, such as health and digital infrastructure. The Bill lists several factors for organisations to consider when deciding whether an incident’s impact is significant. The list includes the extent of the disruption, the number of affected users, the incident’s duration, the geographical scope, and whether the incident compromised the confidentiality, authenticity, integrity or availability of data. |
| Mandating stricter incident reporting timelines | Organisations must submit an initial notification within 24 hours of becoming aware of a reportable incident, and a full notification within 72 hours of becoming aware of it. |
| Introducing new enforcement powers | The Bill proposes a split financial penalty system, with the applicable tier determined by which paragraph of the Bill an organisation breaches. The “standard maximum amount” is the greater of £10 million or 2% of annual turnover. The “higher maximum amount” is the greater of £17 million or 4% of annual turnover. |
Alignment with EU Standards
The UK’s approach to cybersecurity legislation closely mirrors the EU’s Network and Information Systems (NIS2) Directive. Both frameworks aim to extend coverage to essential and digital services, enforce stricter incident reporting requirements, and introduce stronger accountability measures. However, the Bill allows the UK to tailor requirements to domestic needs while maintaining compatibility for organisations operating across both the EU and UK. This alignment will prove particularly important for businesses with EU operations, as it reduces complexity and ensures consistent compliance obligations.
Timelines and Next Steps
The Government introduced the Bill to Parliament on 12 November 2025. The Bill will now proceed through debate and potential amendments during the current session (which runs until Spring 2026). Full implementation should occur in 2026, following Royal Assent, the passage of secondary legislation, and the publication of regulatory guidance.
Organisations should begin considering whether the Bill applies to them, and if so, what steps they must take to ensure compliance. For example, they will need to update incident response plans to reflect the new reporting thresholds and timelines, and provide relevant team members with training to ensure they meet reporting deadlines.
