
The UK’s proposed Cyber Security and Resilience Bill


On 12 November 2025 the UK Government introduced its highly anticipated Cyber Security and Resilience (Network and Information Systems) Bill (the “Bill”) to Parliament. The Bill is the first major overhaul of cybersecurity legislation in the UK for almost a decade. Its aim is to strengthen essential and digital services against cyber attacks, with a strong emphasis on protecting national security. These reforms are made by amending the existing UK Network and Information Systems Regulations (“UK NIS”) in three primary ways: (1) expanding the range of industries regulated; (2) strengthening incident reporting requirements; and (3) expanding the powers of regulators and of the government.

Expanded Scope

UK NIS currently applies to organisations classified as operators of essential services, such as utilities, transportation and healthcare providers and certain digital services providers, including cloud computing, online search and online marketplaces. The Bill extends the scope of UK NIS to now also include data centres, managed service providers, large electrical load controllers and entities that are designated as critical suppliers.

The new rules concerning critical suppliers are particularly broad. They allow UK regulators to designate particular companies in any sector as ‘critical’ where those companies supply goods or services to organisations that are subject to UK NIS, and where disruption to that supply is likely to have a significant impact on the economy or on the day-to-day functioning of society.

Reporting Requirements and Regulators' Powers

The Bill proposes changes to the incident reporting requirements under UK NIS. The Bill lowers the threshold for a notifiable incident to one which is capable of having an adverse effect on the security of network and information systems. It also shortens the timeline for reporting. Organisations would be required to make an initial notification within 24 hours of becoming aware of an incident, including brief details about the incident. They must then file a full notification within 72 hours. This would bring the UK requirements in line with the NIS2 requirements for Europe.

Notably, reportable incidents will also have to be notified in parallel to the National Cyber Security Centre, which forms part of GCHQ, the UK's intelligence, security and cyber agency. This heightens the potential risk of wider government intervention on cyber incidents that pose a national security risk.

Regulators will equally have the ability to share information they receive from incident notifications. A regulator would be able to inform relevant international authorities about an incident if they believe it is likely to have a significant impact in that jurisdiction. They would also be able to inform the public if they believe public awareness about the incident is necessary to manage it or prevent a future incident, or is otherwise in the public interest.

Expanded Regulatory and Government Powers

The Bill grants regulators the power to charge fees to the entities they supervise. This can take the form of both a periodic charge for general oversight and enforcement, and specific charges for costs incurred in relation to a particular organisation. In other comparable regimes there has been some concern about the proportionality of regulators' approach to fee setting (e.g. see DSIT's letter to Ofcom regarding fees for implementing the Online Safety Act). Regulated entities may wish to consider advocating for proportionate fee regimes or legislative guardrails on fee-setting powers.

The maximum financial penalty will also be amended. The current regulations include a maximum penalty of £17m. This will be changed to the greater of either £17m or 4% of an undertaking's global turnover. This has the capacity to allow for significantly higher fines, in line with the UK GDPR and many equivalent EU digital regulations.

Increased Flexibility

The Government has emphasised a desire to build flexibility into the Bill, allowing for a considerable amount of secondary legislation and creating several discretionary powers. It is expected that any changes to security and resilience requirements will be introduced via secondary legislation.

One particularly notable discretionary power proposed in the Bill grants the UK Secretary of State (“SoS”) the ability to direct regulated entities to take steps that might mitigate the risk of an imminent or live threat to UK national security, where such a direction is necessary and proportionate. As this Government, and previous Governments, have declined to define what constitutes ‘national security’, there is little policy detail clarifying the types of situation in which the SoS may issue a direction or the expected volume of directions. However, it seems apparent that the SoS will have a tremendous amount of latitude in this regard, and will have the power to move swiftly if needed (including forgoing any consultation with the entity if delay would itself be contrary to national security interests).

Given the significant enforcement fines (10% of turnover or £17m) associated with contravention of such directions, regulated entities may wish to seek further clarity on the likelihood and scope of such directions and on the circumstances in which the SoS will judge that action is both necessary and proportionate.

Comparison to the EU NIS 2 Directive

In many aspects the Bill may be understood as the UK's parallel regulation to the EU's NIS 2 Directive, as both are aimed at raising cyber resilience and reporting. Many standards within the Bill align closely with the EU NIS 2 Directive including expansion of scope to include additional entities such as managed service providers and imposing stricter incident reporting obligations.

However, there are also significant divergences in scope, implementation and enforcement penalties, which indicate that the UK is attempting to create a unique and tailored approach to cybersecurity focused on the most critical sectors. Notably, the Bill applies to fewer sectors and does not impose personal liability on management. In addition, the Bill: (1) allows regulators to designate critical suppliers and impose equivalent security obligations; (2) provides significant new powers to the SoS, including for intervention in national security threats as explained above; (3) introduces cost recovery for regulators through fees charged to regulated entities; and (4) introduces maximum fines aligned with the GDPR (up to £17m or 4% of global turnover), compared with €10m or 2% of global turnover, which is the envisaged cap under NIS 2.

Timeline

While no public timeline has been set out for the passage of the Bill, we anticipate that the Government will aim to pass the legislation by the end of this Parliamentary session in Spring 2026. Were this timeline to prove too ambitious, the Bill could be “carried over” and considered in the next session. Following Royal Assent, as detailed above, much of the practical detail for compliance will be set out in future secondary legislation.

Authored by Dan Whitehead, Robert Gardener, Michaela Glass, Edward Roberts, and Jabeen Rizvi.
