Cyber Security and Resilience Bill Introduced to Parliament

The government has introduced the Cyber Security and Resilience (Network and Information Systems) Bill to Parliament, marking a significant step in strengthening the UK’s legal framework for cyber security and protecting essential services from cyber attacks.

The Bill, announced in the King’s Speech following the most recent general election, was formally introduced on 12 November 2025. It proposes substantial reforms to the Network and Information Systems Regulations 2018 (NIS Regulations), reflecting the growing scale, cost and sophistication of cyber threats affecting UK organisations.

Purpose of the Bill

The Bill aims to improve the UK’s cyber resilience by expanding the scope of regulation, increasing oversight of key suppliers, and enhancing enforcement powers. The government has emphasised the importance of safeguarding essential public services and critical digital infrastructure against disruption.

Recent research indicates that the average cost of a significant cyber attack in the UK exceeds £190,000, amounting to an estimated £14.7 billion annually across the economy - around 0.5% of UK GDP.

Who Will Be Affected?

The proposed legislation will apply to organisations providing essential and digital services, including those operating in:

  • healthcare
  • transport
  • energy
  • water
  • digital infrastructure

Notably, the Bill will also bring medium and large technology service providers within scope, including companies providing IT management, IT helpdesk support and cyber security services to both public and private sector organisations.

Key Proposed Measures

Expanded Regulation of IT and Digital Service Providers

Medium and large providers of IT and cyber services will be subject to new statutory duties, including:

  • maintaining robust cyber security and incident response measures;
  • promptly reporting cyber incidents to government authorities and affected customers; and
  • implementing clear plans to manage and mitigate the consequences of cyber attacks.

Designation of Critical Suppliers

Regulators will be given new powers to designate certain suppliers as critical to the UK’s essential services. Once designated, those suppliers will be required to meet minimum cyber security standards, even if they are not themselves operators of essential services.

Stronger Enforcement and Penalties

The Bill proposes modernised enforcement powers, including the introduction of tougher, turnover-based penalties for serious breaches. This aligns cyber security enforcement more closely with regimes such as data protection under the UK GDPR.

New Powers for the Technology Secretary

The Technology Secretary will be empowered to direct regulators, and the organisations they oversee, to take specific and proportionate steps to prevent cyber attacks where there is a threat to UK national security. These powers could include requiring enhanced monitoring or the isolation of high-risk systems.

What Happens Next?

The Bill will now proceed through the parliamentary process. Organisations potentially affected by the new regime should begin assessing their cyber security governance, supply chain risks and incident response arrangements in anticipation of further guidance and implementation.


Q&A: Cyber Security and the New Bill

What is the Cyber Security and Resilience Bill?
It is proposed legislation designed to strengthen UK cyber defences by reforming and expanding the existing NIS Regulations.

Which organisations will be regulated?
In addition to essential service operators, medium and large IT and cyber service providers may now be regulated.

What new obligations are proposed?
Organisations may be required to meet minimum security standards, report incidents promptly, and maintain effective response and recovery plans.

How serious are the penalties?
The Bill proposes tougher, turnover-based fines for serious breaches, increasing financial and reputational risk.

When will the changes take effect?
The Bill is currently progressing through Parliament. Timetables for implementation will follow if it becomes law.


The contents of this article are intended for general information purposes only and shall not be deemed to be, or constitute legal advice. We cannot accept responsibility for any loss as a result of acts or omissions taken in respect of this article.