Revolutionizing Cyber Defense

Key Takeaways

  • The UK’s Cyber Security and Resilience (Network and Information Systems) Bill aims to strengthen cyber security standards across various industries
  • The Bill expands the scope of industries covered, including data centers, designated critical suppliers, large load controllers, and managed service providers
  • New reporting requirements include initial notification within 24 hours and a full incident report within 72 hours of a cyber incident
  • The Bill increases regulatory powers, allowing the Secretary of State to specify new essential activities and issue statutory Codes of Practice
  • Non-compliance penalties will be tiered, with maximum fines of £10 million or 2% of global turnover, and £17 million or 4% of global turnover for more severe cases

Introduction to the Cyber Security and Resilience Bill
The UK’s Cyber Security and Resilience (Network and Information Systems) Bill was introduced to Parliament on 12 November 2025, with the goal of reforming the existing UK Network and Information Systems Regulations (UK NIS). The Bill seeks to strengthen and hold more industries to higher standards when it comes to cyber security, expanding the scope of industries covered and increasing regulatory powers. This move is a significant step towards improving the UK’s cyber resilience and protecting essential services from cyber threats.

Expansion of Scope and New Industries Covered
The Bill aims to cover more industries and organisations than the current UK NIS, including data centers, designated critical suppliers, large load controllers, and managed service providers. This expansion of scope means that these industries will be subject to new rules and regulations, including additional contractual controls, increased security checks, and cyber incident planning. The goal is to better manage cyber incidents and prevent them from having a significant impact on essential services. By covering more industries, the Bill will help to ensure that the UK’s critical infrastructure is better protected against cyber threats.

Lock Down on Reporting and Incident Response
The Bill will broaden existing reporting requirements for incidents that have had, or are capable of having, a significant impact on services. This is a departure from the current NIS regulations, which only require reporting for incidents that have a significant impact on the continuity of essential services. Under the new Bill, industries in-scope will have to submit an initial notification within 24 hours of becoming aware of a cyber incident, followed by a full incident report within 72 hours. There will also be an obligation to notify customers where they may be affected by the cyber incident. This increased transparency and timely reporting will help to improve incident response and minimize the impact of cyber incidents.

Increasing Regulatory Powers and Futureproofing
The Bill gives the Secretary of State flexibility to specify new essential activities and regulated persons, as well as issue statutory Codes of Practice. This will help to futureproof the regime and ensure that it can adapt to a rapidly advancing technological landscape. The Bill also ensures that the Secretary of State can take a more proactive enforcement role in incidents that may have a national security impact, with the ability to direct organisations to take action. This increased regulatory power will help to ensure that organisations take cyber security seriously and take proactive steps to prevent cyber incidents.

Enforcement and Penalties for Non-Compliance
The Bill will introduce two penalty tiers for non-compliance, in line with GDPR. The standard maximum penalty will be the higher of £10 million or 2% of global turnover, while the higher maximum penalty will be the higher of £17 million or 4% of global turnover. These penalties are significant and will serve as a deterrent to organisations that fail to take cyber security seriously. The Bill also provides a clear framework for enforcement, with the Secretary of State having the power to investigate and take action against organisations that are found to be non-compliant.

Next Steps and Implementation
The second reading of the Bill was completed on 6 January 2026, and it now faces a detailed review by Members. It is expected that the Bill will come into force later this year, and organisations are encouraged to review their cyber resilience frameworks to transition smoothly to meet the new requirements. This will involve assessing their current cyber security measures, identifying gaps, and implementing new controls and procedures to ensure compliance with the Bill. Organisations that fail to take proactive steps to improve their cyber security may face significant penalties and reputational damage. As such, it is essential that organisations take the Bill seriously and start preparing for its implementation as soon as possible.
