Cognizant Blog
The UK's Cyber Security and Resilience Bill, detailed in April 2025, strengthens national cyber defenses for critical infrastructure and essential services.

Driven by rising threats and outdated regulations (derived from the EU's original NIS Directive), it aims to modernise the UK approach, similar to the EU's NIS2.

Key changes include:

  • Broader scope: Extends regulations to Managed Service Providers (MSPs), critical suppliers (DCS), and data centres.
  • Stronger enforcement: Grants regulators enhanced powers, including significant potential fines and proactive ICO oversight.
  • Stricter reporting: Mandates faster, dual incident reporting (24/72hr deadlines) to regulators and the NCSC, plus customer alerts.

While sharing goals with NIS2, the Bill focuses heavily on supply chain risk. It increases compliance demands but ultimately aims for improved business resilience, framing robust security as good practice. Organisations are advised to proactively assess their security posture, budget for enhancements, and implement security frameworks promptly.

The UK government has introduced the Cyber Security and Resilience Bill (‘the Bill’), a transformative piece of legislation aimed at bolstering the nation's cyber defences. Announced during the King's Speech in July 2024 and detailed in April 2025, the Bill seeks to address escalating cyber threats to critical national infrastructure (CNI) and essential services. In this regard, similarities can be drawn to the EU’s NIS2 regulations, which came into force in October 2024. Here's an in-depth look at its key provisions, motivations, and implications.

Why the Bill is Necessary

The UK's digital landscape faces increasing threats from cybercriminals and state actors. Recent high-profile incidents, such as ransomware attacks on the NHS, the Ministry of Defence and other public services, have highlighted vulnerabilities in existing frameworks. The 2024 Cyber Breaches Survey revealed that over half of UK businesses experienced cyber breaches within a year. Current regulations, rooted in the EU's 2018 NIS Directive, have become outdated compared to the EU's updated NIS2 framework, which came into force in October 2024 and was not adopted by the UK. The NIS2 Directive introduced more stringent requirements with larger penalties to ensure a high level of cybersecurity for essential and important services. NIS2 also aimed to protect critical infrastructure and improve the overall resilience of the EU's digital landscape. The Bill likewise aims to modernise the UK's rules to safeguard national security, economic stability and public trust.

However, this should not be seen as an additional compliance overhead or burden: it will also support business operations and allow the organisation to develop its cyber maturity. Like much of the technology-centred regulation we have seen in recent years, such as that concerning Operational Resilience in the financial sector, the Bill should be seen as a step towards codifying what is otherwise good industry practice.

Key Provisions of the Bill

The Cyber Security and Resilience Bill introduces significant updates to existing regulations, focusing on expanding scope, enhancing regulatory powers and improving incident reporting.

1. Expanded Regulatory Scope

  • Managed Service Providers (MSPs): Approximately 1000 MSPs will now be subject to stricter cybersecurity requirements. Examples of MSPs include server, network and cloud suppliers, suppliers of support services such as threat monitoring and incident response, and companies providing application hosting.
  • Supply Chain Security: High-impact suppliers may be designated as "Designated Critical Suppliers" (DCS), imposing obligations like those on operators of essential services.
  • Operators of Essential Services (OES) provide services critical to national infrastructure, such as energy and healthcare.
  • Designated Critical Suppliers (DCS) supply goods and services to OES or Digital Service Providers that are critical to service continuity (this can include small or micro suppliers).
  • Data Centres: Recognised as critical infrastructure since September 2024, they are likely to come under new obligations.

2. Enhanced Regulatory Powers

  • Regulators will gain stronger tools for enforcement, including cost recovery mechanisms to fund their activities. It has been suggested that this could include fines linked to those in the Telecommunications (Security) Act: £100,000 per day or 10% of annual turnover for companies that fail to comply.
  • The Secretary of State will have authority to issue codes of practice and secondary legislation for technical security requirements derived from the Cyber Assessment Framework developed by the National Cyber Security Centre (NCSC), as well as sector-specific guidance and international standards.
  • The Information Commissioner's Office (ICO) will receive expanded powers for proactive oversight. Some organisations will need to register with the ICO and provide detailed information about their security practices, supply chains and incident history during the registration process. The ICO will be able to demand documentation, vulnerability reports or threat intelligence from regulated entities without waiting for an incident.

3. Strengthened Incident Reporting

  • This closely aligns with the Digital Operational Resilience Act (DORA). Parallel dual reporting will be required: to sector-specific regulators such as Ofgem for energy, NHS England for healthcare and the ICO for digital services, and also to the NCSC. A two-stage reporting system will be introduced:

a) Initial notification within 24 hours of incident awareness

b) Detailed reporting within 72 hours.

  • Digital service providers and data centres must also alert impacted customers, to ensure transparency and enable customers to mitigate operational risks.
  • Reporting requirements will include ransomware breaches and other significant incidents.

Alignment with EU's NIS2 Directive

It is important to note that the original NIS Directive came into force when the UK was still a Member State of the EU. It is therefore applicable to both jurisdictions and acts as the precursor to both the NIS-2 Directive in the EU and the proposed Bill in the UK.

The Bill in the UK and the EU's NIS-2 Directive share several key similarities, reflecting their common goal of enhancing cybersecurity and protecting critical infrastructure. Both frameworks aim to expand the scope of covered organisations, with the NIS-2 Directive increasing the number of sectors and the UK Bill broadening the remit of existing regulations to protect more digital services and supply chains. They both introduce stricter incident reporting requirements to improve understanding of cyber threats and focus on securing the entire supply chain, including third-party vendors and service providers. Additionally, both frameworks recognise the evolving threat landscape and the need for flexible and responsive measures to address emerging cyber threats.

While inspired by NIS2, the UK’s approach diverges in some areas, reflecting national priorities. For instance:

  • The Bill emphasises supply chain risks and regulatory consistency across sectors.
  • Unlike NIS2, it does not yet propose management liability for cybersecurity failures, although it remains to be seen whether this will be addressed once the Bill is published.

Implications for Businesses and Public Sector

The Bill presents both challenges and opportunities:

  • Increased Compliance Requirements: Organisations must enhance risk assessments, data protection measures, and network security protocols.
  • Greater Accountability: Regulators will demand more transparency from businesses regarding vulnerabilities and incidents.
  • Improved Resilience: By addressing systemic weaknesses, the legislation aims to create a more secure environment for businesses and citizens alike.

However, all of the above are common-sense measures that allow businesses to be more resilient to attack and ensure they are able to withstand and recover from a cyber attack and remain a viable business. The implications of a weakened security posture should not be underestimated: take, for instance, the case of Travelex, which fell into administration following a cyber-attack in 2020 quite simply because it did not apply readily available patches to vulnerable servers.

Next Steps

Although the details and implementation timelines are not yet fully known, it is important for businesses to begin looking at how they will approach this rather than waiting.

You should be asking:

  • Do I fully understand what needs to be done?
  • Do I know of any areas of weakness that I need to address, with either people or technology?
  • Do I need to make provision in my budget to deliver any enhancements that are required?
  • Do I have a control framework in place, aligned to one or more industry best-practice frameworks, that allows me to manage existing and future compliance requirements?
  • Do I fully understand my technology and security architecture?
  • Do I have a robust security testing culture embedded within the organisation?

By asking these questions and adopting best-practice frameworks, organisations can ensure that they have a holistic view of their cybersecurity risks and are well prepared to address potential threats, with appropriate policies and standards in place.

If you require any further information or would like to discuss your challenges, please contact us.

Kevin Davies

Principal Consultant, Cybersecurity & GRC Consulting Practice, Cognizant
