Why This Bill, and Why Now?
The urgency behind the Cyber Security and Resilience Bill stems from a widening gap between threat and defence, particularly across UK infrastructure. In its 2024 Annual Review, the National Cyber Security Centre (NCSC) warned that the UK’s digital defences were falling behind the pace and sophistication of cyber threats, especially in vital sectors such as energy, telecoms, and digital services.
The Government’s response is legislative: a Bill designed to modernise and expand the current NIS (Network and Information Systems) Regulations, improve incident response frameworks, and increase regulatory oversight. By doing so, it aims to elevate baseline resilience across the country’s most essential systems.
Who Will Be Brought Into Scope?
One of the most transformative aspects of the new legislation is its broadened regulatory scope. Under current NIS laws, only certain core sectors, like energy, health, and transport, are directly regulated for cybersecurity. The new Bill proposes a significant expansion of this list.
Entities newly entering scope include data centres exceeding 1MW in capacity (or 10MW for enterprise sites), a large number of managed service providers, and energy flexibility operators. These additions reflect the Government’s intent to secure not just core service providers but also the vital digital supply chains that support them. The Bill also gives ministers the authority to include additional sectors, such as the space industry, via secondary legislation, creating a more dynamic regulatory model.
Another crucial development is the ability for regulators to classify certain businesses as “Critical Suppliers,” even if they operate outside traditional infrastructure categories. For example, a fully licensed and regulated online casino platform, particularly one supplying backend services or financial infrastructure to a regulated entity, could fall under the new security obligations due to its operational importance. These changes reflect a broader recognition that digital dependencies are often buried in third-party relationships, a point echoed in similar frameworks like the EU’s Digital Operational Resilience Act and the UK’s Financial Services and Markets Act.
Strengthening the Rules: What Will Change?
The Bill doesn’t just cast a wider net; it also deepens the level of regulatory expectation for those already in scope. Three specific areas will see marked change: supply chain management, security methodology, and incident reporting.
Supply Chain and Technical Requirements
Organisations regulated under NIS will be expected to strengthen due diligence and security oversight over their suppliers. These duties will be backed by future secondary legislation and clarified in formal guidance documents, including a new Government-issued code of practice.
Security controls themselves will also become more technically specific. Instead of vague policy-level obligations, companies will be required to adopt defined technical standards and risk methodologies, with regulators able to issue updates without needing further parliamentary approval.
Incident Reporting Overhaul
A core component of the Bill is its reshaping of incident response obligations. Incidents must be reported to both the regulator and the NCSC within 24 hours of discovery; a full incident report must be filed within 72 hours. Definitions will expand to include any events that significantly compromise availability, confidentiality, or integrity.
Digital service providers and data centres will also be obligated to notify affected customers. This reporting architecture reflects a move towards real-time national oversight of serious cyber incidents, mirroring similar mechanisms in the EU’s NIS2 Directive.
New Powers for Regulators and Government
Beyond the private sector, the Bill also recalibrates how public authorities operate. Regulators such as the Information Commissioner’s Office (ICO) will be granted proactive supervisory powers, enabling them to request information, initiate audits, and intervene without waiting for reports of failure.
Government departments will also gain the ability to: update requirements via secondary legislation, streamline how new sectors are brought into scope, and issue specific operational directives in the event of a serious incident or threat.
Although the Government has stated that such powers would be used only when necessary and proportionate, they echo recent global shifts toward more interventionist cyber regulation.
Will Ransomware Policy Be Included?
Separate from the CS&R Bill, but likely to run in parallel, the Government is consulting on banning ransomware payments by CNI operators and public sector bodies. For the rest of the economy, a mandatory approval regime could be introduced, along with universal reporting of ransomware incidents.
It remains unclear how, or if, these proposals will be integrated into the CS&R framework. However, officials have indicated they will aim to streamline reporting if dual obligations are introduced.
When Will This Come into Force?
The Bill is expected to enter Parliament in late 2025, with Royal Assent unlikely before early 2026. Following that, a transitional implementation period will begin, during which the Government will consult on secondary legislation, issue technical guidance, and build out regulatory frameworks.
Organisations already subject to NIS may see shorter adjustment windows, while new entrants could be granted phased onboarding. Either way, preparation needs to begin now.
Comparison: UK Bill vs EU’s NIS2 Directive
Though the UK’s Bill is not a copy of NIS2, it broadly aligns in spirit and structure, especially regarding timelines, sectoral scope, and regulator powers.
Similarities:
- 24-hour early warning and 72-hour incident reporting
- Expanded scope to include digital services and supply chain risks
- Enhanced powers for regulators and authorities
Differences:
- The UK does not currently plan to bring sectors like postal services, manufacturing, and research into scope
- Public sector and financial services in the UK are regulated under separate frameworks, unlike in the EU
In short, the UK is pursuing equivalence rather than replication: a reflection of its post-Brexit legislative independence, but also a nod to global interoperability.
How Can Organisations Prepare?
Whether your organisation is newly in scope or already governed by NIS, there are concrete steps you can take now to get ahead of the regulatory curve:
- Stay informed: Monitor the Bill’s progression and anticipate guidance materials.
- Board engagement: Ensure senior leadership is aware of potential regulatory and financial implications.
- Assess supply chains: Identify third-party providers who could bring you into scope.
- Upgrade incident response: Review reporting timelines, escalation workflows, and internal accountability.
- Consult early: Legal and cyber risk advisers can help benchmark where you are and where you need to be.
What to Look Out for Next
As the Cyber Security and Resilience Bill makes its way through Parliament, organisations should prepare for early technical guidance from regulators and anticipate further sector-specific engagement, particularly in energy, data services, and digital infrastructure.
UK regulators are expected to clarify compliance expectations through a forthcoming code of practice, while international businesses should also monitor how UK standards align with the EU’s NIS2 framework. The Government’s parallel consultation on ransomware payment restrictions adds another layer of urgency, signalling a broader shift toward interventionist oversight.
Organisations should begin aligning internal processes, assessing risk profiles, and strengthening supply chain oversight now, as the foundations for future compliance are already being laid. Those that act early will be better positioned to adapt quickly and gain a competitive edge under the forthcoming regulations.