In November 2025, the UK government introduced the Cyber Security and Resilience Bill to Parliament, marking the most significant update to the country’s cyber legislation since 2018. The timing is no coincidence: cyber attacks now cost the UK economy an estimated £14.7 billion annually, with 429 nationally significant incidents recorded in recent years.
This new legislation aims to strengthen protections for the systems and infrastructure that keep the country running. For businesses operating in critical sectors, understanding these changes isn’t optional—it’s essential to avoiding substantial penalties and protecting operations.
What the Bill Does
The Cyber Security and Resilience Bill modernises the Network and Information Systems (NIS) Regulations 2018, which first established security requirements for operators of essential services. Expected to become law by mid to late 2026, the Bill significantly expands the scope and enforcement powers of UK cyber security regulation.
At its core, the legislation strengthens cyber defences for critical national infrastructure—the systems and services essential to everyday life. This includes everything from energy and transport networks to healthcare systems and digital services. The government’s position is clear: as threats evolve, so must the legal framework protecting against them.
The Bill also grants regulators greater powers to monitor compliance, investigate incidents, and enforce standards. This represents a shift from guidance-based approaches to mandatory requirements backed by meaningful consequences.
Who It Applies To
The Bill significantly widens the net of organisations subject to cyber security regulation. Whilst the NIS Regulations 2018 applied primarily to operators of essential services, the new legislation brings an estimated 900 to 1,100 additional firms into scope.
Three categories of organisations face particular scrutiny. Data centres, designated as Critical National Infrastructure since September 2024, now have explicit legal obligations under the Bill. Managed Service Providers that support essential services will also be regulated, recognising their role in maintaining critical systems. Critical suppliers—those providing essential products or services to regulated entities—complete the expanded scope.
Twelve sector regulators will oversee compliance, including Ofcom, Ofgem, the Financial Conduct Authority, and the Care Quality Commission. Each regulator will apply the Bill’s requirements within its own sector, though the underlying obligations remain consistent across sectors. If your organisation provides services or infrastructure to any essential service, it’s worth assessing whether you fall within scope.
Key Requirements
The Bill establishes three core obligations for in-scope organisations. First, incident reporting becomes both mandatory and time-sensitive. Organisations must provide an initial notification to the National Cyber Security Centre (NCSC) within 24 hours of detecting a significant cyber security incident. A full incident report must follow within 72 hours, detailing the nature of the breach, affected systems, and remedial actions taken.
Second, organisations must implement security standards based on the NCSC Cyber Assessment Framework. This framework sets out outcomes across four key areas:
- Managing security risk
- Protecting against cyber attack
- Detecting cyber security events
- Minimising the impact of incidents
Third, the Bill introduces explicit supply chain security requirements. Organisations must ensure their suppliers and service providers meet appropriate cyber security standards. This extends liability beyond your own systems to the entire ecosystem supporting your operations. For many businesses, this represents the most challenging aspect of compliance—you’re now accountable for risks you don’t directly control.
The legislation also empowers the Secretary of State to issue directions requiring specific security measures. These directions can mandate particular technologies, processes, or controls where regulators identify systemic vulnerabilities.
Penalties and Enforcement
The Bill’s enforcement provisions carry real financial weight. Organisations committing serious breaches of the regulations face fines of up to £17 million or 4% of annual global turnover, whichever is higher. This penalty structure mirrors GDPR, signalling the government’s intent to treat cyber security failures with similar gravity to data protection violations.
For ongoing non-compliance, regulators can impose daily fines of £100,000 until organisations address identified issues. These accumulating penalties create strong incentives for swift remediation rather than prolonged inaction.
The Secretary of State holds additional powers to issue legally binding directions to organisations falling short of required standards. Failure to comply with these directions constitutes a criminal offence, potentially exposing senior executives to personal liability. This represents a significant shift in regulatory approach—cyber security is no longer purely a technical or operational concern but a board-level responsibility with personal consequences.
Regulators can also restrict or suspend an organisation’s operations until security issues are resolved. For businesses in critical sectors, this power effectively makes adequate cyber security a prerequisite for continued trading.
Preparing for the Bill
Although the legislation won’t become law until late 2026, organisations in potentially affected sectors should begin preparations now. Start by assessing whether your organisation falls within scope. If you operate in any of the twelve regulated sectors, provide services to essential infrastructure, or manage systems for critical operators, you’re likely to be in scope of the Bill.
Next, benchmark your current security posture against the NCSC Cyber Assessment Framework. This framework will form the basis of regulatory expectations, so understanding your gaps now allows time for structured improvement. Many organisations find significant deficiencies in incident detection and supply chain security—areas the Bill explicitly addresses.
Establish or review your incident response procedures, ensuring you can meet the 24-hour initial notification requirement. This demands more than technical capabilities; it requires clear escalation paths, defined responsibilities, and rehearsed processes. Consider conducting tabletop exercises to test your response under realistic conditions.
Finally, map your supply chain dependencies and assess third-party cyber security practices. The Bill’s supply chain requirements mean you’ll need visibility into how suppliers protect your data and maintain service resilience. Building these relationships and assurances takes time—starting early prevents last-minute scrambles as the legislation takes effect.
Further Resources
For more information on the Bill and its requirements, consult the official Bill collection on GOV.UK and the UK Parliament bills page. The NCSC Cyber Assessment Framework provides detailed guidance on implementing required security controls.
Measured Collective offers practical GDPR and data protection training to help organisations build compliance capabilities. Understanding the intersection between data protection and cyber security regulation ensures a coordinated approach to managing regulatory requirements.
The Cyber Security and Resilience Bill represents a step change in how the UK regulates digital security. Organisations in scope face expanded obligations, tighter timelines, and substantial penalties for non-compliance. Those who treat preparation as a strategic priority—rather than a last-minute compliance exercise—will be best positioned to meet these new standards whilst maintaining operational resilience.