Wednesday, 19 November 2025

The UK’s New Cyber Security and Resilience Bill

Why it matters, how it works, and what it means for all of us.

What is the Cyber Security and Resilience Bill? 

The UK Cyber Security and Resilience (CS&R) Bill is a major update to the country’s cyber laws. It is designed to strengthen the protection of essential services, including the NHS, energy networks, water companies, transport systems and key digital infrastructure such as data centres and cloud services. 

The Bill updates and expands the existing Network and Information Systems (NIS) Regulations 2018, which already set baseline cyber requirements for a handful of critical sectors. But those rules are now seen as too narrow and too slow for today’s threats. 

In July 2024, the government announced in the King’s Speech that it would bring forward the Bill. A detailed policy statement followed in April 2025, and the Bill was formally introduced to Parliament on 12 November 2025. In simple terms, the aim is to: 

  • Bring more organisations into scope, especially those that sit behind the scenes but keep everything running.
  • Make serious cyber incidents visible faster.
  • Give regulators sharper tools to raise standards and act when organisations fall short.
  • Allow the rules to be updated as threats and technology evolve.

Why now? The risks driving the reforms. 

Cyber-attacks are no longer rare or theoretical. They are a daily reality, and the consequences can be painfully real. 

  • A ransomware attack on an NHS pathology supplier in London led to more than 11,000 postponed appointments and procedures and has been linked to at least one patient death.
  • The National Audit Office has warned that many critical government IT systems have “substantial” cyber-resilience gaps, with recent incidents hitting the British Library, parts of the armed forces’ payment systems, and local authorities. [View related article on The Guardian]
  • The National Cyber Security Centre (NCSC) reports that hostile cyber activity against the UK is becoming more frequent, more sophisticated, and more damaging. It handles hundreds of significant incidents each year, and ransomware remains the most immediate threat to critical infrastructure.
  • Government estimates suggest cyber-attacks now cost the UK economy £15 billion a year. 

At the same time, the way we deliver essential services has changed dramatically: 

  • Hospitals, power grids, trains, and water companies rely on complex digital systems, often hosted in large data centres.
  • Many organisations outsource key IT and cyber functions to managed service providers (MSPs).
  • Modern technologies like electric vehicle charging, smart devices and AI-enabled systems create fresh opportunities, but also new cyber weaknesses. 

The government’s own assessment is blunt: the current cyber regulations “have fallen out of date and are insufficient to tackle the cyber threats faced by the UK.” 

The Bill is therefore framed not just as a security measure, but as a foundation for economic growth: you cannot have a digital, AI-driven economy if the underlying systems are fragile and easy to disrupt.

How will the Bill work?

The detail is technical, but the core ideas are straightforward. The Bill focuses on four substantial changes.

Bringing more organisations into scope.

Under the existing NIS Regulations, only certain operators in energy, transport, health, drinking water and digital infrastructure are directly regulated. The Bill widens that net.

New groups coming into scope include: 

  • Data centres 
    Medium and large data centres, where everything from NHS records to banking systems may be hosted, will be treated as “essential services” in their own right. Data infrastructure has already been recognised as a new type of Critical National Infrastructure.
  • Managed Service Providers (MSPs) 
    IT outsourcers and cyber service providers often have deep access into their customers’ systems. The Bill brings medium and large MSPs under regulation, with the Information Commissioner’s Office (ICO) expected to oversee this group. Estimates suggest over nine hundred MSPs will be affected. [View Cyber security and resilience policy on Gov.uk]
  • Large electrical “load controllers” 
    These are organisations that manage electricity demand, for example, smart charging of electric vehicles or smart heating. They are vital to the move to clean energy, so the Bill will require them to meet stronger cyber standards to reduce the risk of grid disruption.
  • Designated critical suppliers 
    Regulators will be able to label certain suppliers as “critical” when failure at that one company could disrupt essential services; the pathology supplier incident is a clear example. Those suppliers can then be brought into the regime and given specific security duties.

In total, the government expects around 1,000 extra organisations to be covered by the revised regime.

Faster, richer incident reporting

Today, regulators often hear about a cyber-attack only when it has already caused major disruption. That is too late to help victims or understand patterns. The Bill will: 

  • Require in-scope organisations to notify serious incidents within 24 hours, with a more detailed report within 72 hours.
  • Ensure reports go not only to the sector regulator but also to the NCSC, which leads on serious cyber incidents across the UK.
  • Expand the definition of reportable incidents to cover “near misses,” situations where attackers have gained access and could cause serious harm, even if they have not yet pulled the trigger.
  • Require data centres, MSPs and relevant digital providers to notify their customers when an incident is likely to affect them, so those customers can act quickly. 

The goal is to move from firefighting in the dark to spotting patterns early and managing incidents as a system, not as isolated crises.

Stronger regulators and tougher penalties

The Bill gives regulators clearer direction, better tools, and more bite. Key elements include: 

  • A Statement of Strategic Priorities: the Secretary of State can set cross-cutting cyber priorities that regulators must work towards, helping to smooth out inconsistencies between sectors.
  • Enhanced information-sharing powers: regulators, law enforcement and intelligence agencies can safely share relevant cyber risk information without creating unnecessary burdens for businesses.
  • Improved cost recovery: regulators will be allowed to recover the full cost of running the regime, subject to transparency requirements. That is intended to ensure they have the resources to do the job properly.
  • Stronger enforcement: maximum penalties will be raised and aligned with other regimes such as GDPR and the product-security laws. For the most serious failures, fines of up to £17 million or 4% of global annual turnover, whichever is higher, have been reported, with additional daily penalties for breaches that continue after enforcement action (reported at up to £100,000 a day or 10% of daily worldwide turnover). 

In practice, government has been clear that fines are a last resort, but the option is there when organisations repeatedly ignore their responsibilities.

Futureproofing the system.

Cyber threats move fast; legislation does not. To bridge that gap, the Bill builds in flexibility. It will: 

  • Give government powers to extend the regime through secondary legislation – for example, by adding new sectors or updating security requirements as technology changes.
  • Allow “powers of direction” so that, in an urgent national security situation, government can require regulators or specific organisations to take defined cyber actions.
  • Keep the UK broadly aligned with international approaches such as the EU’s NIS2 Directive, which matters for multinational companies and cross-border services. 

In short, the rules will not need rewriting from scratch every time a modern technology, or a new threat, appears.

Who will feel the impact? 

The Bill’s direct impact falls on a defined set of organisations, but its ripple effects will be felt much more widely. 

Directly regulated organisations include: 

  • Existing NIS operators (energy networks, transport operators, water utilities, major healthcare providers, and core digital infrastructure such as internet exchange points).
  • Newly in-scope entities: data centres, MSPs, large electrical load controllers, and designated critical suppliers. 

These organisations will face clearer duties around risk management, incident reporting, governance, and supply-chain security, often assessed against the NCSC’s Cyber Assessment Framework. 

Indirectly affected organisations will include: 

  • Suppliers to regulated entities, from software vendors to specialist service providers, who may see tougher security clauses in contracts and more questions from customers about their own cyber practices.
  • Businesses relying on data centres or managed services, who should benefit from greater transparency about incidents and more assurance that their providers are properly regulated.
  • Boards and senior leaders, who will be under growing pressure from regulators, investors, and insurers to prove that cyber resilience is being treated as a core business risk, not just an IT problem. 

And of course, citizens and customers, who may never hear the phrase “Cyber Security and Resilience Bill” but will notice its effects in the reliability of public services and the handling of major cyber incidents.

What are the benefits?

The Bill is not a silver bullet, and it does bring compliance costs. But the government’s own impact assessment estimates the annual cost at under £150 million, small compared with the multi-billion-pound hit the UK takes from cyber-attacks each year. For non-experts, the benefits are easiest to understand in three buckets.

For citizens
  • More reliable essential services 
    Hospitals, water companies, energy networks, and transport operators will face stronger expectations to plan for and withstand cyber-attacks. Over time, that should mean fewer severe outages, and when something does go wrong, faster, and more organised recovery.
  • Better protection of personal data 
    While GDPR already sets strong rules for privacy, this Bill tackles the operational resilience side: making it harder for attackers to knock systems offline or corrupt data in the first place.
  • More honesty and transparency 
    Requirements for earlier incident reporting and for providers to notify their customers mean less chance of people being left in the dark when their services are affected.

For businesses
  • Clearer rules and expectations 
    Rather than a patchwork of guidance, businesses in scope will have a more consistent set of duties, tied to recognised frameworks like the NCSC Cyber Assessment Framework.
  • A more level playing field 
    Organisations that have already invested in strong cyber controls should no longer be undercut as easily by competitors cutting corners.
  • Better visibility of supply-chain risk 
    Mandatory reporting and customer-notification obligations on MSPs, data centres and critical suppliers should give their customers a clearer picture of what is happening, and a stronger basis to manage their own risk.
  • Improved access to insurance and investment 
    As regulatory expectations become clearer, insurers and investors can use them as a benchmark, rewarding organisations that meet or exceed the baseline.

For the UK economy and society
  • Stronger national security 
    The Bill is part of a wider push, alongside the National Cyber Strategy, offensive capabilities via the National Cyber Force, and regional skills initiatives, to make the UK a harder target for both cyber criminals and hostile nation states.
  • A safer platform for innovation 
    Whether it is AI, smart energy systems or digital public services, innovation needs a stable foundation. Raising the minimum bar for cyber resilience makes it easier to experiment without exposing the public to unnecessary risk.
  • International credibility 
    By aligning with global best practice and addressing gaps highlighted by high-profile attacks, the UK signals that it remains a serious, trusted player in the digital economy.

What should organisations do now?

The Bill is still going through Parliament and will come into force in phases after Royal Assent. But waiting passively would be a mistake. There are some clear steps an organisation can take now, especially if it operates in or supplies critical services.

1. Work out if you are likely to be in scope. 

  • Are you an operator of essential services (energy, transport, health, water, digital infrastructure)?
  • Do you operate large data centres, provide managed IT/cyber services, manage electrical load, or function as a key supplier to any of the above?

2. Benchmark against recognised guidance. 

  • Use the NCSC Cyber Assessment Framework or Cyber Essentials as a starting point.
  • Identify gaps in areas like governance, risk management, access control, vulnerability management, and incident response. 

3. Stress-test your incident response. 

  • Could you realistically detect, triage, and report a serious incident within 24 hours?
  • Do you know who would sign off the notification, and who would talk to customers, regulators, and the media? 

4. Map and strengthen your supply chain. 

  • Understand which suppliers you rely on for critical services and how you would cope if one of them suffered a cyber-attack.
  • Build clearer security expectations and incident-notification requirements into new contracts. 

5. Get the board engaged. 

  • Treat cyber resilience as a core part of business strategy and risk management, not just a technical issue.
  • Use the Bill to ask: “If we were in front of a regulator after a major incident, what story would we tell about how we managed this risk?” 

6. Use the free support that already exists. 

  • NCSC guidance, the Cyber Governance Code of Practice, and government-backed schemes such as Cyber Essentials are all designed to help organisations raise their game without starting from nothing.

In summary 

The Bill is not about turning every organisation into a cyber specialist. It is about recognising that cyber-attacks are a fact and making sure that the services we all rely on can withstand them. For non-experts, you can think of it as a building-regulations update for the digital world: setting clearer rules for those who design, operate and maintain critical systems, so that the rest of us can safely flip a switch, tap a card, book an appointment or open an app and trust that it will work when we need it most.
