The UK Cyber Security and Resilience Bill: What Data Protection Officers Need to Know

Scott Dooley
Dec 31, 2025 · Last updated: January 1, 2026

The UK Government introduced the Cyber Security and Resilience Bill in November 2025, proposing significant changes to how organisations manage and report cyber security incidents. For Data Protection Officers, this Bill raises important questions about how new cyber security obligations might interact with existing data protection duties.

Before we proceed, a crucial point: this is still a Bill progressing through Parliament, not law. The requirements described here are proposals that may change during the legislative process. However, DPOs should understand these proposals now, as the Bill could affect incident response procedures, regulatory relationships, and cross-functional collaboration.

The Bill would amend the Network and Information Systems (NIS) Regulations 2018. These are UK rules governing cyber security for essential services and digital service providers, originally derived from the EU NIS Directive. Understanding this context helps explain why the Bill matters beyond IT security teams. For a broader overview of what the Bill covers, see our guide “What is the UK Cyber Security and Resilience Bill?”

What the Bill Proposes

The current draft contains several significant changes to the UK’s cyber security regulatory framework. These proposals are subject to Parliamentary amendment, so treat this as a summary of intent rather than final requirements.

Expanded Scope of Regulated Entities

The Bill would bring new categories of organisation under NIS regulation. Data centres with a rated IT load of 1MW or more would be classified as essential services. Managed service providers—organisations that provide outsourced IT services—would also fall within scope.

Large load controllers managing 300MW or more of smart appliances would be covered. Perhaps most significantly, regulators would gain powers to designate “critical suppliers” whose services have substantial impact on a regulated sector. This last provision could extend the Bill’s reach into supply chains.

Proposed Incident Reporting Requirements

The Bill would introduce a two-stage incident reporting framework. Organisations would need to provide an initial notification within 24 hours, followed by a full incident report within 72 hours. Reports would go to both the relevant sector regulator and the NCSC (National Cyber Security Centre—the UK’s technical authority on cyber security).

Ransomware attacks would be explicitly covered under these requirements. The Bill also proposes that customer notification may be required for certain types of incident, though the specific triggers for this remain to be defined.

Proposed Penalties for Non-Compliance

The penalty regime would be substantial. Maximum fines would reach £17 million or 10% of global turnover, whichever is higher. Continuing violations could attract daily penalties of up to £100,000.

The Bill would also give government powers to mandate specific security measures where national security threats are identified. This represents a more interventionist approach than the current framework.

Understanding the Overlap with Data Protection

The Bill and UK GDPR are separate regulatory regimes with different triggers and obligations. This section explains where they intersect—not where they are the same. Conflating the two would create confusion in incident response.

Different Obligations, Potential Overlap

Under UK GDPR, organisations must report personal data breaches to the ICO within 72 hours where the breach is likely to result in a risk to individuals’ rights. Under the proposed NIS framework, “significant incidents” affecting network or information systems would need to be reported to the sector regulator within 24 hours.

These are not the same thing. Not every personal data breach constitutes a “significant incident” under NIS. A laptop containing customer data left on a train is a personal data breach but may not significantly impact network or system availability. Equally, not every NIS incident involves personal data. A denial-of-service attack that takes down a website but doesn’t expose any customer information is a NIS incident without a data protection dimension.

Some incidents would trigger both obligations. A ransomware attack that encrypts customer databases, for example, could require NIS notification for the system impact and GDPR notification for the personal data exposure. DPOs and IT security teams would need to assess incidents against both frameworks.

The ICO’s Role and Security Measures

Under the existing NIS Regulations, the ICO regulates certain digital service providers, including online marketplaces, search engines, and cloud computing services. For these organisations, the ICO is already both the data protection authority and the NIS competent authority. The Bill may expand or clarify this dual role. For some organisations, this could simplify regulatory relationships—one regulator for both cyber security and data protection. For others, it may mean engaging with multiple regulators for a single incident. The full scope of the ICO’s role under the Bill is still being clarified as the legislation progresses.

Both UK GDPR and the proposed Bill require organisations to implement security measures, but the requirements are assessed separately. UK GDPR Article 32 requires “appropriate technical and organisational measures” to ensure security appropriate to the risk. The Bill would mandate specific security standards for in-scope entities.

There is overlap in areas like risk assessment, access controls, incident detection, and monitoring. However, demonstrating NIS compliance would not automatically satisfy GDPR requirements. Organisations may need to document how their security measures meet both sets of obligations.

Practical Considerations for DPOs

These are preparatory considerations based on the current draft Bill. The legislation may change significantly before receiving Royal Assent. Monitor the Bill’s progress through Parliament and seek legal advice before making substantial changes to procedures or systems.

Assess Potential Scope

Start by understanding whether your organisation or its key suppliers might fall within the Bill’s scope. Consider whether your organisation operates data centres meeting the 1MW threshold. If you provide managed IT services to other organisations, you may be directly in scope.

Even if your organisation isn’t directly regulated, the “critical supplier” designation could bring you in scope if your services are important to regulated entities. Review your supply chain too—if key suppliers fall within scope, this may have contractual and operational implications.

Review Incident Response Procedures

If your organisation would fall within scope, the proposed 24-hour notification window is significantly tighter than GDPR’s 72 hours. Current incident response procedures may need adjustment to meet this timeline.

Consider whether your existing processes can identify and classify “significant incidents” as distinct from personal data breaches. You would need to know who the relevant sector regulator is and understand how to notify them. The NCSC would also receive reports, so understanding their role and notification process would be necessary.

Coordinate with IT Security

The Bill would increase the importance of collaboration between DPOs and IT security teams. Incident classification would need to consider both personal data impact and system or service impact. A single incident might require different notifications to different regulators under different timeframes.

Documentation practices may need to serve both GDPR accountability requirements and NIS compliance requirements. Consider how incident records, risk assessments, and security measure documentation can satisfy both frameworks without creating duplicate work.

Conclusion

The Cyber Security and Resilience Bill would create new cyber security obligations that intersect with—but remain distinct from—data protection law. For DPOs, the key message is that NIS incidents and personal data breaches are different things, even when they occur together.

If enacted as currently drafted, the Bill’s incident reporting timelines would be tighter than GDPR’s. The 24-hour initial notification would require faster incident detection and classification than many organisations currently achieve.

This remains proposed legislation. The final text may differ substantially from the current draft, and implementation timelines are not yet confirmed. Rather than making immediate changes, DPOs should assess whether their organisation or key suppliers might fall within scope and consider how incident response procedures might need to evolve.

Keep watching the Bill’s progress through Parliament. When the final text is available, there will be time to implement any necessary changes before requirements take effect.


Glossary

Competent authority: The regulator responsible for enforcing NIS requirements in a particular sector. Different sectors have different competent authorities—for example, the ICO for certain digital services and Ofcom for telecommunications.

NCSC (National Cyber Security Centre): The UK government organisation providing cyber security guidance and incident response support. Part of GCHQ, it serves as the technical authority on cyber security matters.

NIS Regulations (Network and Information Systems Regulations 2018): UK rules governing cyber security for operators of essential services and relevant digital service providers. The Cyber Security and Resilience Bill would amend these regulations.

Significant incident: Under NIS, an incident with substantial impact on service continuity or security. This is a different concept from a “personal data breach” under GDPR—the two terms have different definitions and different reporting thresholds.

Author

Scott Dooley is a seasoned entrepreneur and data protection expert with over 15 years of experience in the tech industry. As the founder of Measured Collective and Kahunam, Scott has dedicated his career to helping businesses navigate the complex landscape of data privacy and GDPR compliance.

With a background in marketing and web development, Scott brings a unique perspective to data protection issues, understanding both the technical and business implications of privacy regulations. His expertise spans from cookie compliance to implementing privacy-by-design principles in software development.

Scott is passionate about demystifying GDPR and making data protection accessible to businesses of all sizes. Through his blog, he shares practical insights, best practices, and the latest developments in data privacy law, helping readers stay informed and compliant in an ever-changing regulatory environment.
