Key Takeaways
- The UK’s Cyber Security and Resilience (Network and Information Systems) Bill aims to reform the existing UK Network and Information Systems Regulations
- The Bill expands the scope of industries and organizations covered, including data centers, designated critical suppliers, large load controllers, and managed service providers
- The Bill introduces stricter reporting requirements, including initial notification within 24 hours and full incident report within 72 hours
- The Bill grants the Secretary of State increased regulatory powers, including the ability to specify new essential activities and issue statutory Codes of Practice
- The Bill introduces two penalty tiers for non-compliance, with maximum penalties of £10 million or 2% of global turnover, and £17 million or 4% of global turnover
Introduction to the Cyber Security and Resilience Bill
The UK’s Cyber Security and Resilience (Network and Information Systems) Bill was introduced to Parliament on 12 November 2025, with the goal of reforming the existing UK Network and Information Systems Regulations. The Bill aims to strengthen cyber security and to hold more industries to higher standards. This is a significant development: the current UK NIS regulations have been in place for several years, and the Bill seeks to expand the scope of industries and organizations covered, introduce stricter reporting requirements, and increase regulatory powers.
Expansion of Scope
The Bill seeks to cover more industries and organizations than the current UK NIS. This includes data centers, designated critical suppliers, large load controllers, and managed service providers. The Bill anticipates additional contractual controls, increased security checks, and cyber incident planning, so that cyber incidents that do occur are better managed. This expansion of scope is significant, as it recognizes the increasingly critical role that these industries play in the UK’s digital economy. By bringing them within the scope of the Bill, the UK government aims to ensure that they are better equipped to prevent and respond to cyber incidents.
Lock Down on Reporting
The Bill will broaden existing reporting requirements to cover incidents that have had, or are capable of having, a significant impact on services. This departs from the current NIS regulations, which only require reporting for incidents that have a significant impact on the continuity of essential services. The Bill introduces stricter reporting timelines: an initial notification within 24 hours of becoming aware of a cyber incident, followed by a full incident report within 72 hours. There will also be an obligation to notify customers where they may be affected by the cyber incident. This increased transparency and accountability will help to ensure that organizations take proactive steps to prevent and respond to cyber incidents.
Increasing Regulatory Powers
The Bill will give the Secretary of State flexibility both to specify new essential activities and regulated persons and to issue statutory Codes of Practice. This is an important point, which should assist with "futureproofing" in a rapidly advancing technological landscape. The Bill also allows the Secretary of State to take a more proactive enforcement role in incidents that may have a national security impact, including the ability to direct organizations to take action. This increased regulatory power will enable the UK government to respond quickly and effectively to emerging cyber threats, and to ensure that organizations take the necessary steps to prevent and respond to cyber incidents.
Enforcement and Penalties
The Bill will introduce two penalty tiers for non-compliance, in line with GDPR. The standard maximum penalty will be the higher of £10 million or 2% of global turnover, while the higher maximum penalty will be the higher of £17 million or 4% of global turnover. This significant increase in penalties reflects the UK government’s commitment to taking cyber security seriously and to holding organizations accountable for their cyber security practices. The Bill’s enforcement provisions will be an important tool in driving compliance and ensuring that organizations take the necessary steps to prevent and respond to cyber incidents.
Next Steps
The second reading of the Bill was completed on 6 January 2026, and the Bill now faces a detailed review by Members. It is expected that the Bill will come into force later this year, and organizations are encouraged to review their cyber resilience frameworks now so that they can transition smoothly to the new requirements. This is an important opportunity for organizations to assess their current cyber security practices and to make any necessary changes to ensure compliance with the new regulations. By taking proactive steps to prevent and respond to cyber incidents, organizations can help to protect themselves, their customers, and the wider economy from the growing threat of cyber attacks.