Introducing the Cyber Security and Resilience Bill

On 1 April 2025 the Department for Science, Innovation and Technology (DSIT) published a policy statement sharing further detail on the Cyber Security and Resilience Bill (the Bill), which was announced in the King’s Speech in July last year. You can find the statement here.

The UK’s current cybersecurity law is set out in the Network and Information Systems (NIS) Regulations 2018 (NIS Regulations) and is based on the EU’s NIS Directive. The EU replaced the NIS Directive, post-Brexit, with the NIS 2 Directive. The Cyber Security and Resilience Bill seeks to similarly bring the UK NIS Regulations up to date, strengthening the cybersecurity and incident notification requirements in the UK. 

Proposed updates include:

  • Bringing managed service providers (MSPs) into scope of the NIS Regulations. The legislation will define which services count as a “managed service”. It is expected that such services will be those that:
    • are provided at arm’s length – in-house services will be excluded;
    • involve the provider having a network connection and/or access to their customer’s network and information systems; and
    • rely on the use of network and information systems to deliver the service.
  • Enabling the government and regulators to impose stronger supply chain duties on key suppliers. These duties will be designed to ensure appropriate and proportionate measures are taken – such as contractual requirements, security checks, or continuity plans – to prevent vulnerabilities in suppliers from undermining essential or digital services.
  • Expanding the scope of cyber incidents which need to be reported. Under the current NIS Regulations, for an incident to be reportable, it must have resulted in interruption to the continuity of the essential or digital service. The Bill will expand this to capture:
    • incidents that are capable of having a significant impact on the provision of the essential or digital service (even if no such impact has occurred); and
    • incidents that significantly affect the confidentiality, availability, and integrity of a system. This will capture things like spyware attacks and breaches of confidentiality where there has been no interruption to service.
  • Introducing two-stage reporting of incidents. Initial notification of a significant incident must be provided to the regulator and the NCSC within 24 hours of becoming aware of the incident, followed by an incident report within 72 hours.
  • Requiring providers of digital services and data centres that experience a significant incident to alert customers who may be affected by that incident. It is unclear how this will fit with obligations under the UK GDPR to notify data subjects of a data breach.
  • Strengthening the ICO by giving it greater information gathering powers and enabling it to more easily recover its costs from the organisations it regulates, including through the imposition of fees.

The policy statement highlights that there are some further measures, not referred to in the King’s Speech, that may be added to the Bill. These are:

  • Bringing data centres within the scope of the NIS Regulations.
  • Giving the government new powers to issue a “Statement of Strategic Priorities” to ensure consistency across all regulators operating in this area.
  • Giving the government new powers to require regulated organisations and/or regulators to take action where there is a specific and significant cyber threat to national security.