Cyber Security and Resilience (Network and Information Systems) Bill: Key changes and implications

28 Nov 2025

The government introduced the Cyber Security and Resilience (Network and Information Systems) Bill to parliament on 12 November 2025. The Bill seeks to expand the scope of the Network and Information Systems Regulations 2018 and introduces tougher enforcement powers to protect essential services. These changes are being introduced as a result of the increase in cyber attacks and the impact these attacks have had on critical infrastructure in the UK.

Expanded scope

The existing regulations apply to essential services including health, energy and transport. The Bill expands the scope of these regulations to include Managed Service Providers (MSPs), large load controllers and data centres. Medium and large data centres will need to have appropriate and proportionate measures in place to manage risks. Managed Service Providers will be treated much the same, with medium and large MSPs needing to comply with more robust cyber security practices.

The inclusion of these sectors reflects their growing importance to the UK economy and the potential systemic risks posed by cyber incidents affecting them.

Enhanced incident reporting

The Bill introduces stricter incident reporting requirements to ensure that regulators are made aware of emerging threats at an early stage. Regulators must be informed of cyber breaches that have the potential to cause significant harm within 24 hours initially, followed by a full report within 72 hours.

These measures aim to ensure regulators are more aware of the threats affecting the organisations they regulate, enabling a more coordinated response and ensuring better transparency.

Secretary of State powers

The Secretary of State will have the authority to issue statements, establishing priority outcomes, which each regulator must work to achieve. The statements will also define the roles and responsibilities of each regulator. Given the number of regulators enforcing NIS Regulations, this measure should help to achieve greater consistency across the board.

Tougher enforcement

The Bill also introduces tougher enforcement measures including harsher fines for non-compliance. For serious breaches, organisations could be fined the greater of £17 million or 4% of global turnover. The Bill also allows for daily fines for ongoing non-compliance, of the greater of £100,000 per day, or 10% of the organisation’s daily turnover.

These enhanced penalties are designed to incentivise compliance and reflect the critical importance of cyber resilience for essential services.

Next steps

If the Bill is passed, it is expected that secondary legislation, including detailed risk-management and notification rules, will be published, with official consultation expected to take place in 2026.

What should organisations do now?

  • Review whether your organisation falls within the expanded scope of the NIS Regulations.
  • Assess current cyber security and incident response arrangements, particularly for MSPs and data centres.
  • Prepare for stricter reporting timelines and higher penalties for non-compliance.

For further advice on how the Bill may affect your organisation, or for assistance in preparing for compliance, please contact our commercial & tech team.

Kathryn Rogers

Partner
Commercial and tech

Emma Carroll

Paralegal
Commercial real estate