On November 12, 2025, the UK government introduced the draft Cyber Security and Resilience (Network and Information Systems) Bill (the “Bill”) to the UK Parliament. The Bill, which was originally announced in July 2024, proposes amendments to the Network and Information Systems (NIS) Regulations 2018 (the “NIS Regulations”), taking into consideration the European Union (“EU”) Directive on measures for a high common level of cybersecurity across the EU (the “NIS2 Directive”).
According to the UK government, the Bill is designed to mitigate the ever-increasing risk of cyber attacks targeting the UK’s essential services. Key provisions of the Bill include:
- Broader Applicability: The Bill proposes to extend the reach of the NIS Regulations to encompass more entities, including (i) medium and large data centers; (ii) managed service providers, including medium and large companies providing IT management; (iii) large load controllers managing electrical loads for smart appliances; and (iv) designated critical suppliers which supply goods or services to operators of essential services. Organizations within the scope of the Bill would be required to, amongst other things, adhere to clear security standards, promptly report significant cyber incidents, and maintain robust contingency plans.
- Critical Supplier Designation: Under the Bill, regulators would receive expanded authority to identify and classify suppliers of essential goods and services as “critical.” Once designated, these suppliers would be required to adhere to stringent baseline security standards. This approach is designed to address and mitigate supply chain vulnerabilities that could otherwise be leveraged by threat actors to disrupt vital services.
- Enhanced Enforcement Mechanisms: The Bill seeks to introduce tougher, turnover-based penalties for serious breaches, significantly increasing the financial consequences of non-compliance compared to the NIS Regulations.
- Government Intervention Powers: The UK Technology Secretary would be granted new powers to instruct regulators and the organizations they supervise to implement specific, proportionate measures in response to credible cyber threats to UK national security. This could include mandates to enhance system monitoring, segment high-risk networks, or take other tailored actions to protect the integrity of essential services.
- Strengthened Incident Reporting Obligations: The Bill aims to expand the incident reporting requirements beyond the existing requirements under the NIS Regulations by, amongst other things, introducing a two-stage reporting structure which will require organizations to notify their relevant regulator and the UK National Cyber Security Centre of a significant incident no later than 24 hours after becoming aware of that incident, followed by an incident report within 72 hours. In addition, data centers and providers of digital or managed services facing a cyber incident may be required to promptly inform potentially affected customers.
For more information on the development of the Bill, see our previous blog.