Reforms to the UK’s Cybersecurity Framework on the Horizon

The UK Cyber Security and Resilience Bill: A New Era in Cyber Legislation

On 12 November 2025, the UK Department for Science, Innovation and Technology introduced the Cyber Security and Resilience (Network and Information Systems) Bill (hereafter referred to as the "Bill") in Parliament. The proposed legislation is intended to update the UK's statutory cybersecurity framework in response to the growing frequency and sophistication of cyberattacks on essential and digital services.

Purpose of the Bill

The Bill's central purpose is to address gaps in the UK's existing cybersecurity legislation, specifically the Network and Information Systems Regulations 2018 (hereafter referred to as "UK NIS"). UK NIS was written before managed service providers, data centres and complex digital supply chains had become routine targets, and the Government's view is that incremental change is no longer sufficient. The accompanying Impact Assessment makes that case, stating that UK businesses and essential public services are under continuous attack from malicious actors.

The Bill's accompanying documents frame the problem as follows:

"There is a growing threat to our essential and digital services from malicious cyber actors. Cyber attacks are becoming more frequent and sophisticated, with criminals circumventing protections with new techniques and targeting our increasingly complex supply chains…"

This statement reflects a broader consensus among policymakers that the legislative framework must evolve to keep pace with the threat landscape.

How Will the Bill Achieve Its Aims?

The Bill makes several amendments to the UK NIS framework, each intended to improve the resilience of entities on which the UK economy depends. Notably, it increases the number of entities subject to regulation and gives regulators and the Government new supervisory and enforcement powers.

It also brings the UK framework closer to the European Union's NIS2 Directive, giving businesses that must comply with both UK and EU cybersecurity law a degree of consistency. This alignment is expected to simplify compliance for organizations operating in both jurisdictions, although the two regimes are not identical and must still be assessed separately.

What Does the Bill Propose?

The Bill proposes the following principal measures:

Expanding the Scope of UK NIS

The Bill brings a broader range of sectors and services within UK NIS for the first time, including data centers, managed service providers, and large load controllers. Bringing these entities into scope makes more of the organizations that underpin essential services accountable for managing their cybersecurity risk, including the supply-chain risk they pose to their customers.

Empowering the Government for Future Updates

A key feature of the Bill is a set of powers allowing the UK Government to amend UK NIS through secondary legislation rather than waiting for a further Act of Parliament. This is intended to let the framework adapt more quickly to evolving threats, for example by introducing updated mandatory security measures that in-scope entities must meet.

Introducing More Prescriptive Incident Reporting Requirements

Under the current regime, reporting is triggered only by incidents that have a significant impact on the continuity of a service. Under the new framework, organizations will have to notify regulators of any cyber incident that is capable of significantly affecting their services, whether or not a disruption has actually occurred. Reporting will also be subject to fixed deadlines: an initial notification within 24 hours of becoming aware of the incident and a complete report within 72 hours. In practice, a 24-hour clock leaves little room for deliberation, so the severity threshold, the decision-maker and the out-of-hours escalation path need to be agreed before an incident rather than during one.

National Security Directives

In the interest of national security, the Bill authorizes the Government to direct specific entities to take, or refrain from taking, particular actions in relation to significant cyber incidents. Such a direction could require the implementation of specific cybersecurity measures or the appointment of specialists to manage a crisis.

Heightened Penalties for Non-Compliance

To strengthen compliance, the Bill proposes substantial increases in fines for serious breaches, bringing them into line with comparable regimes such as the UK GDPR. The maximum penalty for the most serious breaches will be £17 million or 4% of annual turnover, while failure to comply with a Government directive could attract a higher penalty of £17 million or 10% of turnover.

Extra-Territorial Reach

The Bill also applies beyond UK borders by requiring foreign providers of in-scope digital services, such as cloud computing platforms, online marketplaces, and managed services, to appoint a representative in the UK. These entities will need to register with the Information Commissioner within three months of the Bill's enactment.

Time to Plan Ahead

The Bill is at an early stage of parliamentary review, having had its first reading, and its text may change before it becomes law. Businesses that may fall within its provisions should nevertheless begin preparing now:

  • Monitor Developments: Follow the Bill's progress through Parliament so that amendments to scope, deadlines or penalties are picked up as they are made.

  • Assess Scope: Determine whether your business falls within the expanded framework (for example, as a data center, managed service provider or large load controller), and whether any of your own suppliers will, since their obligations may flow down to you contractually.

  • Audit Incident Reporting Procedures: Review existing detection, triage and reporting processes against the proposed 24-hour and 72-hour deadlines, and check that the information a regulator will expect in the initial notification can actually be assembled within that window.

  • Conduct Cybersecurity Assessments: Identify and remediate gaps in your current controls so that your security posture stands up to the mandatory measures the Government may introduce under the new powers.

The Bill represents a significant change in the UK's approach to cybersecurity regulation, with the aim of a more resilient digital economy. For businesses and public bodies likely to be affected, early engagement with the evolving legal framework will be central to protecting essential services and infrastructure.


For any questions or further assistance regarding these developments, please feel free to reach out to the legal team at White & Case.
