The UK's Cyber Security and Resilience Bill (the "Bill") was formally introduced to Parliament on 12 November 2025, a milestone in the Government's long-anticipated effort to strengthen the nation's cyber defences and regulatory framework for critical infrastructure. The Bill was presented for its first reading in the House of Commons, a procedural stage with no debate, paving the way for substantive scrutiny in the coming weeks.
What the Bill covers
The Bill, led by the Department for Science, Innovation and Technology (DSIT), delivers the Government's long-signalled plan to modernise the Network and Information Systems Regulations 2018 (NIS Regulations). Some of the changes mirror the European Union's NIS2 Directive, although the proposals amount to a much more limited overhaul than the one NIS2 introduced in the EU.
The Bill introduces three core reforms designed to strengthen the UK's cyber defences and improve national resilience.
- Expanded scope: The NIS Regulations will now capture data centres, managed service providers (MSPs), large load controllers [1], and designated critical suppliers. This expansion of scope reflects how cyber threats have evolved, and in particular the increased concentration risk arising from interconnected supply chains, where disruption to one entity can affect thousands.
Shared data centres will be treated as essential services once they exceed 1MW capacity, whereas enterprise data centres (i.e. single operator/customer) would only meet the threshold if they exceed 10MW capacity. Data centres will be jointly regulated by DSIT and Ofcom, while MSPs will fall under the Information Commissioner's Office (ICO). Large load controllers are designated as Operators of Essential Services (OES) if their potential electric control is equal to or greater than 300MW in relation to relevant smart appliances.
In addition, the Bill gives regulators new powers to designate critical suppliers to the UK's essential services where that supplier is likely to have a significant impact, within its sector, on the economy or on the day-to-day functioning of society in the UK. Critical suppliers will be subject to obligations similar to those placed on OESs.
- Enhanced regulatory powers: The Bill also enhances regulators' ability to conduct inspections, issue enforcement notices, and recover supervision costs. Further, the Bill introduces clearer reporting requirements (including notifying significant cyber incidents within 24 hours, followed by a full report within 72 hours), matching the approach in NIS2, and expands powers for information-sharing across regulators and law enforcement.
- Enabling resilience: To keep pace with emerging risks, the Government will have powers to update the regime through secondary legislation and direct regulators or operators to take proportionate action in response to urgent threats.
NIS Regulations 2018 vs. Cyber Security and Resilience Bill
| Area | NIS Regulations 2018 (current) | Cyber Security and Resilience Bill 2025 (proposed) | Practical impact / what to watch |
|---|---|---|---|
| Scope of regulated entities | Covers operators of essential services (OES) in energy, transport, health, water, and digital infrastructure (Annex II sectors only). MSPs and data-centre operators not included. | Expands coverage to include data-centre services, managed-service providers, large load controllers, and designated critical suppliers (Paragraph 4–12). Critical suppliers to an OES, RDSP or RMSP will be able to be designated as falling under NIS and become directly subject to it (Paragraph 12). | Brings previously unregulated but system-critical sectors into scope, especially data-centre operators and MSPs. |
| Regulators (competent authorities) | 12 sectoral regulators designated; scope and powers differ widely across sectors. | Retains multi-regulator model but introduces a "statement of strategic priorities" empowering the Secretary of State to set cross-sector outcomes (Paragraph 25). | Improves consistency and central coordination across regulators. |
| Incident reporting thresholds and timelines | Report only "incidents with significant impact" without fixed deadlines. | Introduces two-tier reporting: initial notification within 24 hours; detailed report within 72 hours (Paragraph 15). Broadens scope to include incidents with potential (not just actual) disruption. Data centre OESs are required to make a notification where they are aware a data centre incident has occurred or is occurring, and data centre OESs that experience a significant incident will also be required to alert customers who may be affected. | Faster, more proactive reporting; aligns with global norms and may increase compliance burden. |
| Enforcement and penalties | Maximum fine = £17 million (Reg 19). Limited clarity on proportionality and penalty tiers. | Simplifies penalty bands and permits potentially higher fines to reflect severity (Paragraph 21). Clarifies proportionality and introduces transparent cost-recovery powers (Paragraph 17). | Greater enforcement risk; regulators can fully recover costs of supervision and impose higher penalties. |
| Information sharing and co-operation | Limited data-sharing powers; inter-agency cooperation inconsistent. | Expands and clarifies powers for regulators, intelligence agencies, and law enforcement to share information while reducing duplication (Paragraph 18). | Enables holistic national threat picture; may require firms to share more operational data. |
| Future-proofing and secondary legislation | Updating the regime requires new primary legislation. | Grants the Government secondary-legislation powers to amend scope or security requirements and issue directions in response to imminent threats (Part 4, Paragraph 43–44). | Adds agility: Government can rapidly respond to emerging threats or designate new sectors. |
| Cost recovery by regulators | Limited cost-recovery; most oversight costs borne by Government. | Regulators may recover full costs of compliance monitoring via transparent charging schemes (Paragraph 17). | Higher but predictable fees for regulated entities; regulators better resourced. |
Why it matters
The introduction of the Bill reflects the UK Government's growing recognition that cybersecurity is an enabler of national and economic security. The reforms aim to align the UK more closely with evolving EU frameworks such as NIS2 and the Critical Entities Resilience (CER) Directive, while maintaining a distinctly UK-specific approach to implementation and enforcement.
For operators of essential services, digital infrastructure providers, and supply-chain participants, the Bill signals a forthcoming increase in compliance expectations. Entities that have not previously fallen within the scope of the NIS Regulations (particularly data centres, cloud providers, and managed IT service firms) should begin assessing their risk and governance structures. Entities supplying regulated organisations may also want to assess the likelihood of being designated as a critical supplier.
What happens next
The first reading was largely procedural; no parliamentary debate or amendments occurred at this stage. The Bill must pass through seven stages in both the House of Commons and the House of Lords before it is enacted into law. The full text of the Bill (as introduced) and accompanying Explanatory Notes are now available on the UK Parliament website. The Bill will come into force in phases once it has become an Act. Certain measures will come into force on Day 1 or on Month 2 following Royal Assent, while others will be brought into force through future secondary legislation (also known as "commencement regulations"), at a time determined by the Secretary of State. Changes relating to data centres, relevant managed and digital service providers, large load controllers, critical suppliers, incident reporting and cost recovery are all expected to be brought into force via secondary legislation.
The HSF Kramer Cyber team will continue to monitor its passage and provide updates at later stages or where material amendments are introduced.
In the meantime, businesses which are either regulated under NIS or may be under the new proposals should:
- Review the April 2025 Policy Statement to understand the Government's intended direction of travel;
- Map existing obligations under the NIS Regulations and Data Protection Act 2018 against the anticipated expanded scope; and
- Monitor forthcoming consultation papers or guidance from DSIT and sectoral regulators, which are likely to accompany the Bill's passage.
Our view
NIS enforcement has been increasing in recent years as regulators become more active and interventionist in managing risks to critical national infrastructure. This area of the economy is receiving a significant share of the Government's focus, with separate proposals (currently unpublished) suggesting a potential ban on ransom payments being made by entities within the sector. The Cyber Security and Resilience Bill, if enacted, will expand the scope of entities caught by NIS and introduce a more comprehensive and risk-based approach to regulating operators of critical infrastructure and their supply chains. For many organisations (particularly those providing cross-border digital or infrastructure services), early preparation and board-level engagement will be key to ensuring readiness once the new regime takes effect.
Footnote
1. Load controllers are organisations managing electrical load for smart appliances, e.g., to support electric vehicle (EV) charging during peak times. They are a vital tool as the UK transitions to Clean Power 2030 and Net Zero. Large load controllers will be brought into scope, reducing the risk of grid disruption through enhanced cyber security requirements.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.