Cyber Security and Resilience Bill: strengthening the UK’s defences

The Cyber Security and Resilience Bill aims to expand scope, strengthen oversight, and align UK rules internationally
The increasingly digital economy has reshaped how organisations operate, interact, and deliver value. With this evolution has come a growing number of cyber risks, from sophisticated ransomware attacks to state-aligned threat actors seeking to destabilise critical infrastructure.
The last three years have seen attacks on the UK digital economy, both by cyber criminals and state actors, where UK hospitals, universities, local authorities, democratic institutions and government departments have been targeted. Recent cyberattacks on the NHS and the Ministry of Defence show how severe these incidents can be.
For example, the ransomware attack on the NHS in June 2024 resulted in over 10,000 outpatient appointments and 1,693 elective procedures being postponed. The UK government recognises that legislation has not kept pace with the changes and risks, and in response has proposed the Cyber Security and Resilience Bill in an attempt to redress the balance.
This article is intended to provide an overview of the changes that the Bill is likely to introduce, to enable regulated companies and their advisers to be prepared for the changes as and when they take effect.
Background
The Bill was first proposed in the 2024 King’s Speech, and is intended to reinforce UK cyber security, by protecting a broader range of essential digital services, enhancing regulators’ powers and increasing reporting requirements for cyber threats.
Currently in the UK, the Network and Information Systems Regulations 2018 (SI 2018/506) (NIS Regulations) transpose the requirements of the Cybersecurity Directive (EU) 2016/1148 - known as the Network and Information Security Directive, or NIS Directive - into domestic law. The NIS Directive was the first pan-European piece of cybersecurity legislation, and required EU Member States to identify operators of essential services (OESs) and relevant digital service providers (RDSPs) operating in their jurisdictions, and bind them with basic cybersecurity and incident reporting requirements. In Europe, the NIS Directive was repealed and replaced by Directive (EU) 2022/2555 (NIS 2 Directive) with effect from October 2024. The NIS 2 Directive widens and reinforces the cybersecurity and incident notification requirements of the NIS Directive.
Following Brexit, the UK is not obliged to transpose the requirements of the NIS 2 Directive into domestic law, so the NIS Regulations remain in force. The NIS Regulations cover five sectors (transport, energy, drinking water, health and digital infrastructure) and some digital services (including online marketplaces, online search engines, and cloud computing services). They also include a general small business exemption for digital services, such that companies with fewer than 50 staff and a turnover of less than €10 million do not qualify as RDSPs. As a result, only a relatively small number of companies in the UK are actually subject to the NIS Regulations: the government estimates that only 160 cloud providers, three online marketplaces and no search engines met the requirements of being an OES or RDSP as of April 2018.
A draft of the Bill has not yet been published. However, on April 1 2025, the Department for Science, Innovation and Technology (DSIT) issued a press release outlining its proposals[i]. In a policy statement on April 9, the government provided more detail. According to the government, the Bill “will address the specific cyber security challenges faced by the UK while aligning, where appropriate, with the approach taken in the EU NIS 2 directive.” Among other things, the Bill will bring more entities into its scope, enhance regulators’ powers and oversight, and delegate powers to enable flexibility towards emerging threats.
Expanding on these themes, the Bill has many implications, as outlined below.
Bring more entities into its scope
The Bill will have a broader effect than the NIS Regulations, by bringing more categories of organisations into its scope, specifically managed service providers and critical suppliers.
Managed Service Providers
The Bill will bring managed service providers (MSPs) into scope. MSPs offer core IT services to businesses, playing a critical role in the UK economy. However, their access to clients’ IT systems, networks and infrastructure makes them an attractive target to cybercriminals.
The Bill will define a managed service as a service which:
- Is provided to another organisation;
- Relies on network and information services to deliver the service;
- Relates to ongoing management, support, administration and/or monitoring of IT systems, IT infrastructure, applications and/or IT networks, including for the purpose of activities relating to cyber security; and
- Involves a network connection and/or access to the customer’s network and information systems.
MSPs will be subject to the same obligations as RDSPs under the NIS Regulations and the Information Commissioner’s Office (ICO) will act as the relevant regulator. The government estimates that expanding the scope will secure a further 900-1100 MSPs, establishing MSPs as trusted and reliable partners in the cybersecurity landscape.
Supply chain security and ‘Critical Suppliers’
Supply chains are critical for delivering essential services and maintaining digital infrastructure. However, a single supplier may form a key link in a large number of supply chains, making it an attractive target to cyber attackers. The Bill will impose more rigorous supply chain obligations on OESs and RDSPs, by way of secondary legislation. It will also allow regulators to identify and designate “designated critical suppliers” (DCSs), which will be subject to obligations comparable to those of OESs and RDSPs. These measures are intended to enhance national cyber resilience and reduce the threat of significant disruptions if a regulated entity is subject to a cyberattack.
Regulators may designate a supplier as a DCS if its goods or services are sufficiently critical that their disruption could cause significant disruption to the essential or digital service it supports. DCSs are likely to represent only a small portion of the suppliers providing goods or services to OESs or RDSPs. Designation as a DCS will bring a supplier into the scope of the core security requirements and incident reporting obligations, which is intended to ensure consistent standards across the critical tiers of the supply chain.
The threshold criteria for designation as a DCS are likely to be as follows:
- The supplier supplies goods or services to an OES or RDSP.
- The regulator determines that the failure or disruption of the supplier’s goods or services, or an incident affecting that supply chain, would cause significant disruption to the provision of the essential or digital service.
- The supplier’s goods or services depend on networks and information systems (i.e. so they fall within the scope of the regulatory framework).
- The supplier is not regulated by similar cyber resilience regulations elsewhere.
The Bill would extend the scope of its obligations to cover small and micro RDSPs (currently exempt from the NIS Regulations) if they meet the threshold criteria outlined above, in order to ensure proportionate regulation of high-risk suppliers regardless of their size. In addition, the Bill provides flexibility to review the threshold criteria to ensure that the requirements can be updated to reflect technological changes and emerging threats, and evolve through the experience of practical application. By addressing supply chain vulnerabilities and imposing security standards on key suppliers, the government intends to reduce the risk of significant disruptions to essential and digital services, enhance national cyber resilience and increase trust in critical infrastructure.
Empower regulators and enhance oversight
The Bill will enhance regulators’ powers in order to ensure that cyber resilience measures are being implemented, and improve incident reporting.
The National Cyber Security Centre (NCSC) Cyber Assessment Framework (CAF) is intended to help OES and digital service providers achieve and demonstrate an appropriate level of cyber resilience. The Bill intends to make it an essential requirement for firms to follow best practice and update the requirements from the NIS Regulations to align with those of the NIS 2 Directive. It will do so by granting the Secretary of State powers to make regulations to update existing requirements (following appropriate consultation) and issue codes of practice as to how these requirements should be achieved. Doing so will clearly set out the government’s expectations on security requirements for OES and RDSPs to follow.
The Bill will also improve incident reporting by expanding the applicable reporting criteria to capture incidents which are capable of having a significant impact, rather than the narrower scope of those incidents which have actually resulted in an interruption to the provision of an OES or RDSP. This measure is intended to capture more incidents of concern. The Bill will update incident reporting times, introducing a two-stage reporting process that requires regulated entities to report a significant incident within 24 hours after becoming aware of it (an ‘early warning’), followed by an incident report within 72 hours. Regulated entities will be required to notify incidents to their regulator and the NCSC at the same time, with the intention of enhancing the regulators’ and the NCSC’s understanding of the threat landscape. The Bill’s reporting requirements are intended to be similar to, and no more onerous than, the equivalent requirements under the NIS 2 Directive. In addition, affected RDSPs and data centres will be required to notify affected customers of any significant incidents, to encourage openness and accountability.
Improve the Information Commissioner’s information gathering powers
The Information Commissioner’s Office (ICO) is the regulator for RDSPs, regulating online marketplaces, search engines, cloud services and managed services. The Bill is intended to support the ICO in proactively identifying cyber risk and taking appropriate steps to prevent imminent attacks. It will do so by expanding digital service providers’ obligations to share information with the ICO on registration, expanding the ICO’s ability to serve information notices on digital service providers, facilitating other entities’ sharing of data with the ICO and introducing enforcement powers for failing to register with the ICO.
Additional measures
The Bill will allow regulators to set fee regimes in order to raise the funds necessary to enable them to function effectively. It will allow the Secretary of State to seek powers to update the regulatory framework without requiring an Act of Parliament, thereby enabling more agile regulation of emerging threats. For instance, these powers could be used to bring new sectors into the scope of the regulations, or make changes to the responsibilities and functions of NIS regulators.
As well as the measures outlined above, the government is considering other measures. These include bringing data centres into the scope of the regulatory framework, as critical national infrastructure (or CNIs). It is also considering implementing a clear and coherent framework for cyber security regulation across the existing 12 regulators and their sectors, by introducing a new power for the Secretary of State to publish a Statement of Strategic Priorities, which would be updated every three to five years. This would establish a unified set of objectives and expectations for the implementation of the regulations.
The government is also considering new powers for the Secretary of State to issue directions to both regulated entities and regulators, requiring them to take action to address threats and incidents affecting their systems or functions, respectively, where there is a significant threat to national security. These powers would enable the government to respond swiftly and effectively to incidents and threats that present national security risks, protecting critical infrastructure from sophisticated cyber threats and ensuring that whole sectors are resilient against cyber security threats.
Conclusion
The Bill demonstrates the government’s intention to meet the challenge presented by the increasing cybersecurity threat facing the UK, by expanding the scope of existing regulation, and enhancing its measures. These measures are intended to protect critical infrastructure from hostile actors, by securing essential services such as the NHS and energy providers.
A draft Bill has yet to be published. However, companies that are subject to existing regulation, and those likely to fall within its expanded scope, such as managed service providers, critical suppliers and data centres, should monitor developments so that they are able to meet their obligations as and when they arise.