On April 1, 2025, the UK government published the Cyber Security and Resilience Policy Statement (the “Policy Statement”), which details the UK government’s legislative proposals for the Cyber Security and Resilience Bill (the “Bill”), which was originally announced in July 2024. As explained in the Policy Statement, currently, the key legislation in the UK governing “cross sector” cybersecurity is the Network and Information Systems (NIS) Regulations 2018 (the “NIS Regulations”). The NIS Regulations were the pre-Brexit national implementation of the EU NIS Directive. The EU NIS Directive was recently repealed and replaced by the Directive of the European Parliament and of the Council on measures for a high common level of cybersecurity across the EU (the “NIS2 Directive”). The Bill will propose amendments to the NIS Regulations, taking into consideration “insights” and “valuable lessons” from the EU on the implementation of NIS2. According to the Policy Statement, the Bill will “address the specific cybersecurity challenges faced by the UK while aligning, where appropriate, with the approach taken in the EU NIS 2 directive. This strategic approach ensures…[the UK] can be flexible and responsive to cyber threats in a proportionate way that balances the impact on business.”
As detailed further in the Policy Statement, the Bill will include measures such as:
- Extending the scope of the NIS Regulations to include more entities. The Policy Statement details several ways in which the scope will be extended. For example, it explains how Managed Service Providers will be brought into scope given their “unprecedented access to clients’ IT systems, networks, infrastructure and data.” While subject to further drafting for the Bill, the Policy Statement defines a “managed service” as a service that:
  - is provided to another organization (i.e., not in-house);
  - relies on the use of network and information systems to deliver the service;
  - relates to ongoing management support, active administration and/or monitoring of IT systems, IT infrastructure, applications and/or IT networks, including for the purpose of activities relating to cybersecurity; and
  - involves a network connection and/or access to the customer’s network and information systems.
The Policy Statement also sets out plans to extend the scope by strengthening supply chain duties for operators of essential services (an “OES”) and relevant digital service providers (an “RDSP”) through secondary legislation. Regulators will also be able to designate critical suppliers if the supplier’s goods or services are so critical that disruption could cause a significant disruptive effect on the essential or digital service it supports. According to the Policy Statement, critical suppliers are expected to account for a “very small number and percentage of those suppliers providing goods or services” to an OES or RDSP.
- Empowering regulators and enhancing oversight. The Policy Statement details several proposals in this respect, including by:
  - developing technical and methodological security requirements. While the UK National Cyber Security Centre (“NCSC”) Cyber Assessment Framework currently acts as a resource supporting certain organizations in assessing and managing cybersecurity, it is proposed that three principles and objectives will be established that will make it “essential for firms to follow best practice,” in turn making it “simpler for the regulators to oversee the requirements.” The Policy Statement also confirms that the technical standards and methods requirements of the NIS Regulations will be updated to bring them closer into alignment with NIS2.
  - enhancing incident reporting requirements. The Policy Statement sets out how the Bill will update and enhance the current incident reporting requirements for regulated entities under the NIS Regulations by expanding the incident reporting criteria, updating incident reporting times, streamlining reporting, and enhancing transparency requirements for digital services and data centres. For example, similar to NIS2, the Bill is said to introduce a two-stage reporting structure, which will require regulated entities to notify their regulator and also inform the NCSC of a significant incident no later than 24 hours after becoming aware of that incident, followed by an incident report within 72 hours. The Policy Statement states the UK government intends “for this procedure to be similar to, and no more onerous than, the equivalent requirements under” NIS2.
  - improving the information-gathering powers of the UK Information Commissioner’s Office (“ICO”). In addition to being the UK data protection regulator, the ICO is the regulator for RDSPs under the NIS Regulations, regulating online marketplaces, search engines, and cloud services. Once the Bill is implemented, the ICO will also be the regulator for managed service providers. According to the Policy Statement, the Bill will enhance the ICO’s ability to gather information to assist it in determining the criticality of regulated digital services, including by expanding the duties on firms to share information with the ICO on registration and expanding the criteria for the ICO to use its existing power to serve information notices on firms.
In addition, the Policy Statement details other measures under consideration by the UK government, which may be included in the Bill or advanced under other legislation, such as:
- Bringing data centres into the scope of the regulatory framework. The Policy Statement explains that UK data centres that meet certain criteria will be subject to certain duties. These would include, for example, notifying and providing certain information, having in place appropriate and proportionate measures to manage risks, and reporting significant incidents.
- Publishing a statement of strategic priorities for regulators. The UK government is considering introducing a new power for the UK Secretary of State to publish a statement of strategic priorities to establish a unified set of objectives and expectations for the implementation of the regulations. Such a statement would be updated once every three to five years and be accompanied by a requirement for regulators to report annually on their progress against the objectives in the statement.
- Granting the UK government new executive powers to enable swift and decisive action in response to cyber threats. The Policy Statement details two powers that the UK government is considering granting to the UK Secretary of State:
  - The power to issue a direction to a regulated entity in relation to a specific cyber incident or threat, requiring the entity to take action to remedy the incident or threat. The UK Secretary of State would only be able to issue a direction where necessary and proportionate for reasons of national security; and
  - The power to issue a direction to regulators on national security grounds, requiring them to exercise their functions to ensure that action is undertaken across their sectors. The power would only be used where necessary for national security and where the impact of a direction is deemed to be proportionate.
According to the press release on the Policy Statement, the Bill is to be introduced later this year.