
The Cyber Security and Resilience Bill

The Cyber Security and Resilience Bill (the “Bill”) will be introduced to Parliament in 2025 and will lead to a significant overhaul of the UK’s cybersecurity framework.

At present, the UK’s cybersecurity framework is governed by the Network and Information Security Systems (“NIS”) Regulations 2018, which were the national implementation of the EU NIS Directive. The NIS Regulations apply to five sectors (transport, energy, drinking water, health and digital infrastructure) and to digital services (including online marketplaces, online search engines and cloud computing services).

Due to growing cybersecurity threats, the EU decided to update the NIS Directive with NIS2 (see our blogpost on it here), which came into force in October 2024. While two post-implementation reviews in the UK, in 2020 and 2022, found that the NIS Regulations had had a positive impact, they also highlighted the urgent need to update the regulation. As a result, the UK government announced that it would introduce a Cyber Security and Resilience Bill to reform the existing NIS Regulations.

Key elements of the Bill

The Bill proposes the following updates to the regulatory framework:

  • Expanded remit of regulation

Similar to NIS2, the UK Bill will significantly broaden the remit of the existing NIS Regulations by including more digital services, such as managed IT service providers, and by bringing the supply chains of entities already covered by the NIS Regulations within the scope of the Bill. As supply chains have been recognised as attractive threat vectors for cyber-attacks, the Bill will fill an immediate gap in defences to mitigate ransomware attacks in critical sectors in the UK. Regulators responsible for enforcing the NIS Regulations will be able to classify entities as a ‘designated critical supplier’, which will mean these entities are subject to specific contractual requirements and to security and continuity checks.

  • Strengthening regulators

The Bill will provide more powers to regulators in the UK to ensure that essential cyber safety measures are implemented. This includes potential cost recovery mechanisms and powers for proactive vulnerability investigation. The National Cyber Security Centre’s Cyber Assessment Framework will also be updated to offer greater clarity on the principles and objectives firms must meet, which will simplify oversight for regulators. Furthermore, the Information Commissioner’s Office (“ICO”) will gain an expanded role, requiring companies within the scope of the NIS Regulations to share more information with the regulator when registering.

  • Mandatory incident reporting

To help the government obtain better data on cyber-attacks, the Bill will mandate increased incident reporting by companies through an expansion of the criteria for reportable incidents, which were thought to be too narrow in the existing NIS Regulations. The Bill will require reporting of incidents that have a significant impact on the provision of essential or digital services, and not only incidents that result in an interruption to the continuity of the essential or digital service. This approach aligns with the EU NIS2 Directive. A two-stage reporting structure will also be introduced, requiring initial notification to the regulator within 24 hours, followed by a detailed report within 72 hours. Importantly, the Bill mandates notification to customers of significant incidents affecting digital and data services, which will help to increase transparency around major incidents. This requirement is also in line with the EU NIS Directive.

Further measures under consideration

Beyond the immediate changes above, the government is also considering additional measures. These include bringing data centres within the scope of the NIS Regulations to increase digital infrastructure protection, and placing a new duty on regulators to publish a statement of strategic priorities, to improve the regulators’ focus on enforcement and enable parliamentary scrutiny. The draft Bill is not available yet, and some of the changes proposed above may be reflected in secondary legislation. Overall, the alignment of the Bill with the EU NIS2 Directive will assist organisations in adopting a uniform approach to their regional cybersecurity compliance in Europe.
