Updating the UK’s cyber security regulations
On 12 November 2025, the Government introduced the long-awaited Cyber Security and Resilience Bill to Parliament, marking a landmark step forward in the UK’s approach to digital security. It delivers crucial updates to the Network and Information Systems (NIS) Regulations 2018, the only current cross-sector cyber regulations, and grants enhanced powers to Government and to regulators. By boosting cyber protections across public and private sectors, the Bill aims to protect both national security and economic growth.
The urgency behind the Bill is underscored by the rising volume and severity of cyber-attacks handled by the National Cyber Security Centre (NCSC). In the year to September 2025 alone, the NCSC managed 204 nationally significant cyber-attacks, an average of four major incidents every week. While recent high-profile incidents involving major retailers have drawn public attention to their economic impact, the reality is that cyber incidents affect 95% of Critical National Infrastructure (CNI) operators as well as 600,000 businesses annually, resulting in losses equivalent to approximately 0.5% of the UK's GDP.
In this context, the Bill is meant to encourage a culture of cyber security and incentivise the adoption of good cyber practices. While the new regime does not cover all UK organisations, it is nonetheless very significant for ADS members, who will be affected not only as organisations subject to these regulatory changes but also, in many cases, as suppliers of the services and solutions needed to implement them.
Measures in the Bill
The Bill proposes to expand the scope of the NIS regulations to include data centres, large load controllers, and certain medium and large managed service providers. For the first time, companies offering cyber security, IT management and help desk support services would be required to meet clear security duties, such as promptly reporting major cyber incidents and maintaining robust response plans. This expansion is expected to bring around 1,000 service providers under regulatory oversight.
At the same time, the 12 sector regulators would be given new powers to designate and regulate organisations as 'critical suppliers' if they rely on network and information systems to provide services essential to the economy or the functioning of society. These organisations would thus be directly subject to core minimum security standards and incident reporting obligations. The incident reporting criteria would be expanded, with an initial notification required no later than 24 hours after an incident and a full report required within 72 hours. Failure to comply with the rules would expose critical suppliers to fines linked to their annual turnover, up to a maximum penalty of £17m.
The Technology Secretary would be given new powers to make regulations, set unified expectations for how the regulations are implemented, and direct regulators or regulated entities to act in response to threats to national security. These powers would enable the Secretary to instruct regulators and the organisations they oversee to protect themselves appropriately against cyber-attacks, isolate high-risk systems that support essential services and improve their monitoring. The Technology Secretary's oversight is meant to drive greater consistency in how the 12 regulators implement the regime.
Finally, the Bill contains several provisions to help with implementation, including measures that give greater certainty about the information that can be shared between regulators and the relevant public sector bodies. A new cost recovery framework would allow regulators to recover the full costs associated with their NIS activities, although regulators would have to demonstrate how these funds are being used. A code of practice would also be published to provide guidance on the NIS regulations and on the Bill's provisions.
Looking ahead
The Cyber Security and Resilience Bill must progress through several stages of scrutiny and debate in both the House of Commons and the House of Lords before it can become law. Following Royal Assent, the Bill would come into force in phases, with many measures requiring secondary legislation to be fully implemented. This process will be informed by a Government consultation on implementation in 2026.
The Bill is another step that HMG is taking towards better integrating cyber security across the public and private sectors. Protecting people and businesses, and therefore economic stability, is a cornerstone of the Government's whole-of-society approach to security. The effectiveness of the Bill will depend on providing organisations with clear guidance and practical timelines to achieve compliance, especially those with limited resources. With a stated objective of being 'future proof', the Bill would enable the Government to be more agile and responsive to evolving cyber threats. With that in mind, we await the refreshed National Cyber Strategy planned for this autumn.