On November 12, 2025, the long-awaited Cyber Security and Resilience Bill was introduced in Parliament, marking a significant step forward in the UK's approach to protecting critical cyber infrastructure and managing cyber risk. The Bill is a priority for the Labour government's legislative agenda, first announced in the King's Speech in July 2024. If enacted, it will represent the most comprehensive update to the UK's cybersecurity legal framework in years, with far-reaching implications for businesses operating in the UK market.
The Bill would overhaul the UK's existing Network and Information Systems Regulations (NIS), first adopted in 2018, when the UK was an EU member state. Significant changes would include:
- Expanding the scope to cover certain managed service providers, designated "critical suppliers," data center operators and large electrical load controllers
- Adding "early warning" incident reporting requirements, expanding the scope of reportable incidents to include those likely to be significant, and requiring reporting to both the sectoral regulator and the UK National Cyber Security Centre (NCSC)
- Introducing novel customer incident reporting requirements for data center operators, managed service providers and digital service providers
- Authorizing GDPR-like penalties of up to 10 percent of global annual revenue for certain violations
- Establishing rulemaking authority, allowing the scope and security and resilience requirements to be later expanded
The Bill's first reading marks the beginning of its parliamentary journey. Given the Bill's significance to national security and the UK government's stated priority, it is likely to receive expedited consideration. Nevertheless, complex technical bills with significant compliance burdens, like this one, typically take many months to reach royal assent. There will be opportunities to influence the Bill during this journey.
As the Bill progresses, commentators and legislators will likely draw comparisons to the EU NIS 2, the EU's update to its previous NIS directive. The differences between the EU and UK approaches may ultimately outweigh their many similarities. For example, the UK's current version does not distinguish between important and essential entities, maintains a relatively limited scope of regulated entities, and does not provide for management liability or oversight.
Below, we briefly summarize the Bill's key provisions.
Scope of Regulated Entities
The Bill would expand the scope of the UK NIS to cover certain managed service providers and critical suppliers, and would expand the scope of covered operators of essential services (OESs) to include data center operators and load control providers.
The Bill would create a new classification of "managed service providers," with specific obligations (e.g., registration requirements) for "relevant managed service providers" (RMSPs). An RMSP is not an OES; it would be subject to unique obligations. RMSPs include entities providing "managed services" in the UK, including managing information technology systems or providing access to network and information systems. RMSP is defined to exclude public entities and entities that do not meet the size threshold in Commission Recommendation 2003/361/EC. The EU NIS 2 also regulates managed service providers, which NIS 2 defines to include any ICT-related products and services.
The Bill would also create a category of "critical suppliers." Regulatory authorities would designate critical suppliers under certain circumstances, specifically where an entity uses network or information systems to supply goods or services to an OES and an incident disrupting the entity could significantly impact the UK. Like RMSPs, critical suppliers are not OESs and have specific obligations.
Separately, the Bill would extend to two new types of OESs. First, the Bill would add a subsector for "data infrastructure" that includes certain data center operators. These data center operators would be subject to unique reporting requirements. The Bill would also add "large load controllers" to the existing electricity subsector. This includes electrical load controllers with potential electrical control of at least 300 MW.
Many of these concepts align, at least in part, with the EU NIS 2. NIS 2 also regulates managed service providers, critical entities and data centers, although it lacks a category specifically for large load control services. At the same time, the Bill does not adopt many of NIS 2's most noteworthy features, such as the distinction between essential and important entities, and omits many of the sectors covered by NIS 2 (e.g., postal carriers).
Incident Reporting
The Bill would both expand existing OES incident reporting requirements and create separate regulatory and customer notice obligations for data center operators, relevant digital service providers (RDSPs) and RMSPs.
The Bill would require that after an OES incident, the OES notify not only the relevant sectoral regulator but also the NCSC. The scope of reportable OES incidents would be broadened to include those that affect the operation or security of the IT systems relied on to provide the essential service and that are "likely to have a significant impact," as determined by reference to several factors, rather than merely those that have an "actual adverse effect on the security" of network or information systems and a significant impact. As a result, an OES would potentially be required to report incidents before a significant impact occurs, as long as such impact is likely.
The Bill would require two separate reports: initial notice within 24 hours of first awareness and a second, full notice within 72 hours. This is similar to the EU NIS 2, except the Bill would not require a final report 30 days later. The initial notice would only require basic details, but the full notice would require more information than is required by the current UK NIS, including whether the incident was caused by a separate incident affecting another "regulated person" (e.g., a critical supplier).
Data center operators, RDSPs and RMSPs would be subject to separate notice requirements. Data center operators would be subject to the same procedural reporting requirements, but the threshold for reportable incidents is lower and tailored to the data center context. RDSP and RMSP reporting obligations generally align with OES reporting obligations, except reporting would be made to the Information Commissioner's Office. RDSPs and RMSPs would also use unique statutory factors to assess incident significance; these factors are designed to be relevant to the RDSP and RMSP context.
In addition to regulatory notice requirements, the Bill would require data center operators, RDSPs and RMSPs to notify individual customers that are likely to be adversely affected by an incident as soon as reasonably practicable. Adverse impact is determined by statutory factors unique to each type of entity. These individual notice requirements would be triggered when the entity gives its full 72-hour notice. This requirement is new to the UK NIS, though the EU NIS 2 does impose individual notice requirements.
Regulatory and Rulemaking Powers
The Bill would give designated UK regulators new powers to issue regulations on certain topics, including the security and resilience of network and information systems if the regulations relate to managing risk or mitigating adverse impacts from system compromises. Absent these regulations, the Bill would not impose substantive security requirements, unlike the EU NIS 2. Potentially regulated entities should expect regulators to impose substantive security requirements through regulation.
The Bill would also empower regulators to give certain directions to regulated entities if two conditions are met: (1) there is a compromise of a relevant network and information system that gives rise to a risk to national security, and (2) the direction is necessary and proportionate to address the national security risk. Although these directions must be limited to eight listed requirement types, the final type broadly allows a regulator to direct "a thing to be done or not done in relation to the [UK]."
Enforcement Mechanisms and Penalties
The Bill would introduce GDPR-like penalties for violations, with higher-severity violations (e.g., failing to maintain appropriate security measures; entirely failing to notify regulators of an incident; failing to comply with routine inspections) subject to a "higher maximum amount," which would be the greater of £17 million or 4 percent of global annual revenue. Lower-severity violations (e.g., failing to comply with registration requirements; failing to notify the NCSC at the same time as the sectoral regulator following an incident) would be subject to a "standard maximum amount," which is the greater of £10 million or 2 percent of global annual revenue.
In addition, the Bill would authorize regulators to issue higher maximum penalties in some cases:
- For violating a security-related regulation issued by a regulator, the regulator may specify penalties of up to £17 million or 10 percent of global annual revenue, whichever is higher.
- For violating a national security direction issued by a regulator, the regulator may specify a penalty of £17 million or 10 percent of global annual revenue, whichever is higher. Ongoing violations may be subject to a daily penalty of up to £100,000.
The Bill would also authorize penalties of up to £10 million for failing to comply with regulatory inspection and assessment requirements. Ongoing violations may be subject to a daily penalty of up to £50,000.
Finally, the Bill would allow regulators to recover the costs of their NIS-related functions, either by establishing a "charging scheme" with routine fees for regulated entities or by imposing retrospective fees to recover the costs of enforcement actions.
Implementation Timeline
If the Bill is adopted, its various rulemaking authorities will take effect within two months. The Bill's substantive obligations for regulated entities would take effect on a date prescribed by regulation, and the Bill specifically allows transitional and saving provisions. In the meantime, businesses should evaluate their potential coverage under the expanded Bill, monitor legislative and regulatory developments, consider opportunities to influence the legislation, and begin preparing for compliance.