The UK government has recently introduced the Cyber Security and Resilience (Network and Information Systems) Bill to Parliament, with the objective of strengthening the UK's defences against cyber threats to systems most critical to daily life. Once in force (many of the substantive reforms will require secondary legislation to be brought into effect), this legislation will extend direct regulation to a broader range of organisations underpinning essential services and key digital services in relation to cyber compliance – including data centres, managed service providers and specifically designated "critical suppliers". It will also expand incident reporting obligations and significantly enhance the enforcement powers of regulators. This briefing provides an overview of the key changes presented by the Bill.
Background
Cyber attacks inflict substantial costs on the UK economy (estimated at almost £15 billion per year). In its Annual Report, published in October 2025, the UK's National Cyber Security Centre (NCSC) reported a record 204 nationally significant cyber attacks in the year to September 2025, up from just 89 in the previous year. This equates to an average of four major attacks a week. The last few years have seen ransomware and supply chain attacks disrupt the NHS, local authorities, utilities, and the Ministry of Defence's payroll via a managed service provider.
These attacks are increasingly sophisticated, often linked to advanced persistent threat actors—either state-backed or highly capable criminal groups. Artificial intelligence is being weaponised to make phishing and social engineering attacks more efficient and effective (e.g. through deepfakes), so that they are ever more difficult to spot and quicker to execute.
NISR 2018
The Bill is presented as an amendment to the existing Network and Information Systems Regulations 2018 (NISR 2018).
NISR 2018 already regulate operators of essential services (OES) in sectors such as energy, transport, water, health, and digital infrastructure, as well as relevant digital service providers (RDSPs) including online marketplaces, search engines, and cloud computing service providers. They impose obligations regarding security measures and incident notification. NISR 2018 implemented an EU Directive that the EU has since replaced with the NIS2 Directive (2022/255) (NIS2). The UK is no longer obliged to follow NIS2 post-Brexit. As we explain later in this briefing, while there are similarities between the Bill and NIS2, the Bill's scope is narrower than NIS2 and less prescriptive about the measures that in-scope entities must take.
Expanding the scope of NISR 2018
The Bill brings the following entities into scope of the NIS regime if the entity provides relevant services in the UK, regardless of whether the entity is established in the UK.
- Data Centres
Data centres are brought into scope as "essential services", recognising their pivotal role in sustaining the backbone of the UK digital economy. Data centres include both the physical structure containing an area for housing, connecting, and operating IT equipment, and the supporting infrastructure - the supply of electricity, cooling/environmental, and security/resilience systems.
Thresholds apply in order for a data centre to fall within the Bill's scope: a rated IT load of 1MW for standalone data centres and 10MW for enterprise data centres (an enterprise data centre is one that is owned and operated by an organisation to support only the business of that organisation).
Competent authorities responsible for the regulation of data centres include the Secretary of State for Science, Innovation and Technology and OFCOM (acting jointly).
- Managed Service Providers
The Bill brings "relevant managed service providers" (RMSPs) into scope as a new category of provider, distinct from RDSPs, although both RMSPs and RDSPs will be overseen by the Information Commission (as the ICO will then be known).
What is a "managed service"?
The definition is broad. A managed service provider is:
- a medium or large business (there is an exclusion for micro and small enterprises (<50 employees and annual turnover ≤ €10m))
- offering ongoing management of IT systems (whether in the form of support and maintenance, monitoring, active administration or "other activities")
- to a third-party customer*
- that has access or a connection to network and information systems upon which the customer relies.
* The customer must be a separate entity. The government's policy statement in April 2025 stated that the intention was to exclude services provided in-house, but the current definition of "managed services" does not seem to exclude managed IT services provided intragroup between distinct legal entities.
The government's policy paper on managed service providers provides further practical examples.
- Critical Suppliers
In recognition of the substantial risk posed to essential services by vulnerabilities within their supply chain, regulators (competent authorities (for OES) or the Information Commission (for RDSPs and RMSPs)) will for the first time have power to designate as "critical suppliers" specific businesses supplying goods or services directly to an OES, RDSP, or RMSP. Once designated, those entities become directly subject to the NIS regime as "regulated persons", notwithstanding that they would not otherwise have been caught by it.
The criteria for designation need to be thrashed out further but ultimately depend on whether the disruption caused by an incident affecting a system on which the supplier relies is "likely to have a significant impact on the economy or the day-to-day functioning of society in the whole or any part of the UK". The government gives, as examples, providers of healthcare diagnostics to the NHS or chemicals to water companies.
As critical suppliers could be designated by multiple competent authorities, those authorities are required to coordinate with each other in relation to designation decisions.
- Load Controllers
Entities that manage the flow of electricity to energy "smart" appliances (e.g., EV charging points, heating systems) with ≥300MW aggregate control will be brought into scope as OESs, bolstering resilience for the UK's energy grid and smart technology.
The Bill also seeks to clarify definitions in NISR 2018, most notably the definition of "cloud computing service", the current scope of which has given rise to some uncertainty.
More stringent incident notification and customer reporting
There are changes both to the timing of, and threshold for, notification of incidents.
Regulated entities must notify both their regulator and the CSIRT (NCSC) of incidents initially within 24 hours, followed by a full report within 72 hours. This is a tightening of the current NISR 2018 regime, under which the requirement is to notify without undue delay and in any event no later than 72 hours after becoming aware of an incident.
The Bill also broadens the types of notifiable incidents. Under NISR 2018, for example, operators of essential services only have to report incidents that have "a significant impact on the continuity of the essential services" they provide (i.e., incidents that actually disrupt the service). Under the Bill, while the "incident" definition varies slightly depending on the services in question, incidents that are capable of having a significant impact – i.e. near misses, not just cases of actual impact – trigger the notification requirement.
Customer notification
Moreover, where a security incident could impact customers, data centres, RDSPs and RMSPs must take reasonable steps to identify and promptly notify affected customers with information on the risks and the nature of the incident.
The new regime enables NCSC to build a more immediate, centralised threat picture for the UK as major incidents unfold, supporting national response planning.
Strengthening enforcement powers and cost recovery by regulators
Penalties
The Bill raises the stakes for non-compliance, with organisations facing:
- For serious breaches, fines of up to £17 million or 4% of annual global turnover, whichever is greater;
- For less severe violations, fines of up to £10 million or 2% of turnover;
- Daily fines of up to £100,000 per day for continuing non-compliance.
The Secretary of State will have the flexibility, through secondary legislation and following consultation, to expand the scope of the NIS regime to cover additional sectors by specifying new "essential activities" and "regulated persons" and to introduce detailed security and resilience requirements.
The Secretary of State can also issue statutory Codes of Practice, subject to consultation and parliamentary scrutiny, describing detailed expected compliance measures for regulated entities.
The Bill also facilitates the sharing of information between regulators, government bodies, and overseas authorities for cross-border threat coordination.
To mitigate or prevent national security risks stemming from cyber threats, the Secretary of State is given specific powers to direct regulated entities and their regulators to take mandatory steps. Obligations imposed under such emergency directions take precedence over other legal or regulatory requirements.
Cost Recovery
Regulators are empowered to recover from regulated entities reasonable costs, including for enforcement, supervision, and guidance, through charging schemes.
What's "missing" from the Bill?
The Bill and the EU's NIS2 share many features—expanded scope, heightened supply chain focus, tougher penalties, and an emphasis on rapid incident reporting. Yet NIS2 covers a much broader range of sectors (18 in total) than the Bill. For example, unlike NIS2, the Bill does not cover manufacturing or the food sector. Some see the Bill's narrower scope as a "miss" by the government, particularly in the light of the significant damage and disruption caused this year by attacks on UK retailers like Marks and Spencer and on Jaguar Land Rover (the cyber attack on JLR is estimated to have cost the UK economy £1.9bn). However, the Bill provides considerable flexibility for the regulatory net to be cast more widely should this prove necessary, as we explained in section 4 above and through regulators' "critical supplier" designation powers.
Entities not yet in scope cannot afford to be complacent
Coordinated with the publication of NCSC's annual report, the UK government wrote directly to the top 350 UK businesses in October 2025, reinforcing the imperative for board-level oversight of cyber risk and urging them to rehearse their cyber response, follow government guidance such as the Cyber Governance Code of Practice and NCSC's Cyber Assessment Framework (CAF), sign up to NCSC's early warning system and use NCSC's Cyber Essentials for managing supply chain risk.
Finally, the Bill does not include measures previously proposed by the government to ban ransomware payments by operators of critical national infrastructure and increase reporting of ransomware payments economy wide. Businesses should continue to watch out for the outcome of the government's consultation on these proposals (see our previous briefing on the government's ransomware payment proposals).
The Bill is only at the beginning of its parliamentary journey. While businesses should begin assessing whether they are in scope under the proposed reforms, and prepare for a more rigorous compliance environment ahead, it will be important to monitor how the Bill evolves as it progresses through Parliament.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.