Initial insights on the Cyber Security and Resilience (Network and Information Systems) Bill
28 November 2025
The Cyber Security and Resilience (Network and Information Systems) Bill (the Bill) had its first reading in parliament on 12 November 2025.
The Bill aims to reform and supplement the existing Network and Information Systems (NIS) Regulations 2018 (the NIS Regulations) to bolster the UK’s national security against cyber threats, whether perpetrated by criminals or state actors.
The NIS Regulations apply to operators of essential services such as energy, transport, health, drinking water and digital infrastructure (internet exchange points and domain name system providers). They also cover some digital services, including online marketplaces, search engines and cloud computing services.
Businesses subject to the NIS Regulations must secure their networks and information systems, manage cyber security, physical security and operational resilience risks, and report incidents to their regulators.
In 2024, the UK was the most targeted country in Europe for cyber-attacks, and the National Cyber Security Centre (the NCSC) has seen a spike in nationally significant incidents. The cost to UK businesses from such attacks continues to grow year on year.
The NIS Regulations are now considered inadequate and outdated given the increasingly sophisticated threats to essential services and infrastructure. It’s against this backdrop that reform is deemed essential.
Overview of the Bill
The Department for Science, Innovation and Technology describes the Bill as having three ‘pillars’ of reform: expanded scope, effective regulators and enabling resilience.
- Expanded scope: in response to cyber-attacks targeting a wider range of core services, the Bill will expand the scope of the NIS Regulations to include:
  - Data centres: these will be treated as essential services, with data infrastructure becoming a NIS sector. Medium and large data centres will be required to have measures in place to manage risks
  - Managed service providers (MSPs): medium and large MSPs will fall within scope and must implement robust cyber security practices
  - Large load controllers: entities that manage electrical load for smart appliances, including electric vehicle charging
  - Designated critical suppliers: similar to the financial service sector’s regime for critical third parties, the Bill will enable regulators to designate critical suppliers, making them subject to the regulations.
- Effective regulation: the new regime will require faster reporting of harmful attacks and will impose priority outcomes on regulators. Regulators will be allowed to recover costs for carrying out their duties, ensuring they are adequately resourced. The Bill will also simplify information sharing to remove barriers and increase the maximum financial penalties for failures to comply.
- Enabling resilience: the government will be able to adjust the regime via secondary legislation, making it faster and easier to respond to an evolving threat landscape. It may also direct regulators or regulated entities to take targeted and proportionate action if a UK national security threat arises.
The Bill will be phased in, with new obligations on data centres, MSPs and critical suppliers (among others) implemented later via secondary legislation. Consultations on implementation will take place in 2026.
Focus on MSPs
The Bill will require medium and large MSPs that meet the criteria of a relevant managed service provider to comply with the NIS Regulations.
A relevant MSP is a legal person that provides managed services in the UK (whether established in the UK or not) and is not a small or micro enterprise. Providers of operational technology are not covered by the new MSP measures but may fall within scope of the NIS Regulations elsewhere.
Managed services are defined as services provided under contract for the ongoing management of IT systems for the customer. This may include support and maintenance, monitoring, active administration or other activities, provided by connecting to or accessing the customer’s network and information systems, whether on-premises or remote.
Managed services include IT outsourcing, managed security services and the management of security information and events.
Any MSP subject to public authority oversight, or earning less than half its income from commercial activities, is exempt.
Relevant MSPs will be subject to regulation by the Information Commissioner and will be required to:
- Register with the Information Commissioner
- Appoint a UK representative if based overseas
- Notify the Information Commissioner of significant incidents
- Identify and take appropriate and proportionate measures to manage risk to network and information systems relied on to provide services, and to prevent and minimise the impact of incidents affecting such systems
- Comply with secondary regulations as introduced.
Small and micro enterprise MSPs, which would otherwise be exempt, can be designated as critical suppliers and brought into scope of the NIS Regulations. These businesses need to be ready to comply if required.
Relevant MSPs must register with the Information Commissioner within three months of the regulations taking effect.
Notification obligations
Harmful cyber breaches likely to have a significant impact in the UK must be notified to regulators, even if the impact has not yet materialised.
Initial notifications will be required within 24 hours, followed by a full report within 72 hours. The NCSC must be informed in parallel with regulators.
Enforcement
Effective enforcement is key to the success of the Bill. The Bill reforms enforcement under the NIS Regulations by:
- Simplifying the current penalty structure
- Requiring regulators to consider broader circumstances when imposing a penalty, including mitigation attempts, compliance history, impact on service users, investment or growth, and the sector in which the entity operates.
Maximum fines issued under the amended penalty bands are set at the following levels:
- More serious breaches: the higher of £17m or 4% of worldwide turnover
- Less serious breaches: the higher of £10m or 2% of worldwide turnover.
Conclusions and getting ready
The Bill has yet to be debated in parliament and various details will not be finalised until a later date, following more consultation or within secondary legislation to be drafted. However, it’s clear that the Bill aims to expand the reach of the NIS Regulations to businesses in new sectors and increase the consequences of non-compliance, introducing a simplified penalty structure and a higher ceiling on fines.
Any business already subject to the NIS Regulations, or those that will become subject to them once the Bill becomes law, should follow its progress through parliament closely and take steps now to ensure readiness to comply with the requirements by the relevant dates.
Businesses must also be prepared to make further changes in the future as the UK moves to an agile regulatory regime that can adapt to specific threats, and should be ready to follow directions of the Secretary of State under emergency powers when national security is at risk.