Cyber Security and Resilience (Network and Information Systems) Bill issued by UK Government
On 12 November 2025, the UK Government published the draft Cyber Security and Resilience (Network and Information Systems) Bill, with the aim of further strengthening the UK’s cybersecurity legislative framework and increasing resilience across essential and digital services.
The Bill proposes a number of amendments to the UK's Network and Information Systems Regulations 2018 (NIS), currently the UK's only cross-sector cyber regulation. In a similar vein to the EU's NIS2 Directive (2022/255) (EU NIS2), the Bill aims to address the shortfalls that have emerged as the cyber threat landscape has evolved, including the heightened risk to the provision of essential services from the exploitation of supply chain vulnerabilities. It does this by expanding the scope of the regime to capture a number of additional types of third-party supplier, including Managed Service Providers (MSPs) and data centres, and by providing heightened enforcement powers to tackle non-compliance. The Bill itself does not, however, substantially increase or amend many of the existing obligations under NIS. Notably, the current version does not set out any specific minimum technical and organisational measures (TOMs) to be implemented (unlike EU NIS2).
This article considers why the evolving threat landscape has necessitated an update to the existing NIS regime and provides a high-level overview of the Bill's proposed changes. Part One summarises the key changes. Part Two takes a more granular look at some of the new categories of entity that the Bill brings into scope, and gives more detail on the proposed changes to incident reporting, enforcement and cost recovery.
PART ONE: The Bill Explained
The evolving threat landscape
As a result of factors such as the rapid pace of technological advancement, increased state backing of threat actors (enabling illicit operations to scale), and lower barriers to entry, there has been a surge in cyber-attacks affecting the UK's critical services across both the public and private sectors. This highlights the scale of the challenge, with the Bill forming a central part of the Government's response.
Recent high-profile cyber-attacks have highlighted that, increasingly, it is third party service providers that critical entities rely upon to deliver their services that are being successfully targeted, often leading to widespread disruption for the customers of those vendors. Examples of recent notable incidents linked to supply chain vulnerabilities include:
- the ransomware attack on Capita, the outsourcing provider. This affected multiple clients and saw hackers gain access to over 6 million people's data
- the ransomware attack on Advanced. The IT service provider's outage cascaded across the NHS and put around 80,000 people's data at risk
- the cyber-attack on the MOVEit file transfer system. The third-party software was exploited at scale and the attack affected thousands of organisations around the world
- the cyber-attack on Synnovis, the healthcare supplier. This caused disruption to critical services across England.
The Bill's expansion of scope to expressly cover more service providers builds upon the trend of regulators, such as the ICO, focusing on the adequacy of TOMs implemented by service providers. Recently, the ICO fined Capita and Advanced £14 million and £3.07 million respectively for failures to apply adequate TOMs which led to disruptive cyber incidents (see our article: ICO fines Capita for UK GDPR infringements following March 2023 data breach.) Notably, the enforcement action against Advanced was the first penalty imposed on a data processor under the GDPR (see our article: ICO fines processor after inadequate security measures lead to widespread disruption to critical services.)
Regulators, such as the ICO, have stressed that the rate of improvement in supply chain resilience needs to be drastically accelerated. One publicised source of frustration with the current NIS regulations is inadequate incident reporting: in many years only low double-digit numbers of incidents have been reported, against a backdrop of the National Cyber Security Centre reporting that the number of nationally significant incidents has often been in triple digits. Regulators have also described learning crucial (unreported) details of high-profile incidents affecting essential services from the press, rather than through the reporting mechanisms required by NIS.
It is important to note that the Bill is being developed alongside other ongoing Government initiatives designed to limit the impact of cyber-attacks on UK infrastructure, such as the Home Office consultation on ransomware attacks, which, if enacted, may include prohibitions on ransomware payments by public sector bodies and by owners and operators of critical national infrastructure.
Updating the current NIS regime
As stated above, the Bill proposes updates to increase the robustness of the current NIS regime rather than creating a new, separate framework. This is achieved not by amending the core obligations under NIS or by providing further detail on the minimum TOMs it expects entities to implement, but by expanding the types of entities caught within its scope and increasing the powers of enforcement bodies in a number of areas. Key updates include:
- Supply chain and widened scope – attention is focussed on supply chain security in a similar manner to EU NIS2. For example, the Bill widens the regime to specifically include MSPs, data centre service providers, and certain large load controllers within its scope. It also provides a new definition of "cloud computing services" which clarifies which cloud services are captured. Consequently, once the changes set out in the Bill are enacted, these entities will have a statutory obligation to have appropriate TOMs to manage the risks posed to the security of the network and information systems on which their essential services rely, as well as becoming directly exposed to regulatory oversight for the first time in relation to NIS.
- Ability to widen scope further in the future – regulators are given the power to widen the scope further, enabling them to designate organisations they consider to be critical suppliers (CSs) from time to time. These critical suppliers will face similar duties and obligations to other regulated entities.
- Changes to incident reporting – the definition of reportable incidents is broadened to include events having, or capable of having, an adverse effect on the operation or security of network and information systems, thereby capturing incidents that have compromised the integrity or security of a system without causing significant disruption yet. The Bill also contains stricter incident reporting requirements, necessitating an initial notification to be made within 24 hours and a full notification made within 72 hours to the competent authority. This will likely require entities caught within scope of the regime to revisit their internal incident response practices and procedures (such as runbooks).
- Significant monetary penalties and cost recovery – severe financial penalties for non-compliance are included, alongside a new cost recovery mechanism which could see increased financial liability for entities. The Bill introduces a substantially greater "standard" penalty than under NIS, capped at the greater of £10,000,000 or 2% of global turnover. At present, similar examples of non-compliance under NIS are subject to penalties which do not exceed £1,000,000 or £8,500,000, depending on the enforcement authority's view on materiality. More serious failings can attract the higher maximum amount, which is the greater of £17,000,000 or 4% of global turnover. Regulators can also impose daily fines of up to £100,000 for ongoing contraventions. It is considered that regulators are more likely to enforce and fine under this Bill once enacted.
- Increased powers for government and regulators – including to react more quickly to emerging threats, with a right to intervene and direct entities as to actions which must be taken, to inspect and seize documents, as well as to interview personnel.
Managing risk under increased enforcement powers
Whilst the minimum TOMs set out under NIS remain unchanged by the Bill itself, the Bill arms regulators with greater enforcement powers. That said, the Secretary of State is able to set a statement of strategic priorities for UK cyber resilience, as well as to issue codes of practice, which may provide further indication of minimum TOMs. Furthermore, the Secretary of State is able to direct both regulated entities and regulators to perform specific actions. The regulators themselves will have broader investigatory tools at their disposal which, alongside severe financial penalties and a new cost recovery mechanism, suggests a greater appetite for enforcement. This further demonstrates the imperative for businesses caught by the scope of the Bill to make cybersecurity a boardroom priority. As already discussed, the potential penalties under the Bill for non-compliance are significant.
Timing
The Bill has completed its first reading in the House of Commons and now moves to its second reading for debate and approval of a programme motion setting the timetable for the remaining stages, before a final version is agreed for Royal Assent, making it law. Whilst timelines for new laws coming into force vary, there is currently no indication that the Government is fast-tracking the legislation.
Recommended next steps
As the Bill progresses, entities should assess whether they will be within scope of the revised NIS regime and track any updates made to the Bill itself. Given the UK's legislative and regulatory focus on cybersecurity and the heightened threat landscape, organisations should ensure that they have robust strategies, plans and testing in place and that they are prepared to respond to a cyber-attack. We recommend that companies take the opportunity now to review the sufficiency of their current strategy along with the appropriateness of investment levels in this area. This includes reviewing underlying policies and procedures, such as incident response plans, to make sure they are fit for purpose.
PART TWO: The Bill In More Detail
Expanded scope captures a wider set of entities
Under NIS, operators of essential services (OESs) and relevant digital service providers (RDSPs) are required to implement appropriate security measures to manage the risks posed to their systems and ensure the resilience of their services. The Bill updates the scope of RDSPs, providing a new definition of cloud computing services which seeks to remove ambiguity as to which cloud services are captured. Furthermore, the scope of NIS is broadened in the current draft of the Bill to specifically include data centre providers, as well as MSPs.
Capturing Managed Service Providers within the scope
The Bill will bring some medium and large MSPs – referred to as Relevant Managed Service Providers (RMSPs) in the Bill – within the scope of the NIS regulations. A relevant MSP, for the purposes of the Bill, is defined as an entity providing a managed service in the UK (regardless of where that entity is established), albeit there are some exceptions such as for certain micro or small enterprises.
A "managed service" is defined as a service which is provided:
- under a contract for the provision of ongoing management of information technology systems to another organisation (whether in the form of support and maintenance, monitoring, active administration, and other activities)
- to the customer by connecting to, or otherwise obtaining access to, network and information systems relied on by the customer in connection with a business or other activity carried on by the customer.
Consequently, once the changes set out in the Bill are enacted, MSPs newly caught within scope will face a regulatory duty to assess and manage both cyber and operational risks. This places a statutory obligation on them to have minimum cyber security measures in place, and exposes them directly to regulatory oversight for the first time in relation to NIS.
Ability to designate further Critical Suppliers as in scope
The Bill empowers NIS regulators (currently around 12 different bodies, either sector-specific regulators or sector-agnostic regulators such as the ICO) to designate specific high-impact suppliers as Critical Suppliers (CSs), requiring them to comply with obligations similar to those of OESs. The designation criteria in the Bill mean regulators can designate an entity as a CS from time to time where:
- the supplier supplies goods or services directly to an OES
- the supplier relies on network and information systems for the purposes of that supply
- the competent authority considers that:
  - an incident affecting the operation or security of any network and information system relied on by the supplier for the purposes of that supply has the potential to cause disruption to:
    - the provision of essential services, relevant digital services, or managed services by the person to which the supply is made, or
    - the provision of any essential services, relevant digital services, or managed services by persons to which the supplier supplies goods or services
  - any such disruption is likely to have a significant impact on the economy or day-to-day functioning of society in the whole or any part of the UK.
Designating Data Centres and certain large load suppliers within scope
The Bill seeks to bring data centres specifically within the scope of NIS for the first time by setting out new threshold requirements which determine whether specified kinds of essential services in the data infrastructure sector are caught. In the Bill, a "data centre service" is specifically defined (and deemed to be an essential service) as a service provided by means of a physical structure (a data centre) which:
- contains an area for housing, connection, and operation of relevant IT equipment
- provides supporting infrastructure for or in connection with the operation of relevant IT equipment.
Relevant IT equipment is also defined in the Bill and includes certain supporting infrastructure such as infrastructure for the supply of electricity, for environmental control, or for security.
Additionally, the Bill sets out that certain large load controllers are to be designated as operators of an essential service and are therefore in scope.
As the UK seeks to position itself at the heart of technical infrastructure for AI, the Bill seeks to strike a balance between statutory responsibility and attracting investment.
Clarifying which Cloud Computing Services are in scope
The Bill introduces a new definition for cloud computing services. This is defined as a digital service which:
- enables access to a scalable and elastic pool of shareable computing resources (such as networks, servers, software, and storage) where:
  - there is broad remote access to the service
  - the service is capable of being provided on demand and on a self-serve basis
  - the pool of computing resources may be distributed across two or more locations
  - the service is not provided solely for use for the purpose of a business
- is not a managed service.
Consequently, entities providing such services have the potential to be designated as RDSPs and therefore fall within the scope of the obligations. Whilst NIS always provided that cloud computing services were a defined digital service, NIS itself gave no further clarity beyond a digital service that "enables access to a scalable and elastic pool of shareable computing resources".
Obligations set out under the Bill or enabled by the Bill
As stated above, the Bill does not, in itself, substantially increase or amend the core obligations under NIS to implement appropriate technical and organisational security measures to protect essential services and system security, nor does it list minimum cyber security risk management measures that must be met, such as those outlined in Article 21 of EU NIS2.
The Secretary of State is able to set a statement of strategic priorities for UK cyber resilience, as well as to issue codes of practice. Whether additional obligations (such as specific risk management measures akin to EU NIS2) will be introduced by statutory codes of practice is yet to be determined. If codes of practice provide more specific guidance on what constitutes appropriate security measures, entities within scope will need to be cognisant of the proposed measures and be ready to ensure that they are compliant.
The Bill also empowers the Secretary of State to give directions to both regulated entities and regulators. The scope of these directions is broad, enabling the Secretary of State to require a regulated entity to perform a wide range of actions, from providing information, to requiring a prohibition and restriction on the use of particular goods, services, or facilities. Directions may offer guidance to businesses on what is deemed to be appropriate and proportionate in terms of measures during or after a breach. The Secretary of State can also direct regulators to monitor compliance with a given direction, further enhancing the level of scrutiny.
Incident reporting
Under the Bill, all in-scope entities will face strict deadlines for incident reporting. The Bill expands incident reporting criteria by broadening the definition of incidents subject to obligations and reporting to include anything "capable of having" an adverse effect, not just incidents that have an "actual" adverse effect (which is the current standard). The Bill also provides for updated timelines, streamlines processes, and enhances transparency for digital services and data centres. These are material changes to note.
Redefining the definition of an incident
"Incident" is redefined in the Bill such that any event having, or capable of having, an adverse effect on the operation or security of network and information systems is captured. This is a noticeably broader definition when compared with the current NIS regime requirement.
Updating incident notification timelines
Under the Bill, regulated entities must submit an initial notification to the competent authority within 24 hours. The Bill specifies some of the key information to be included, such as details of the incident and key factors (including the extent of disruption, duration, and number of users affected). A full notification must follow within 72 hours. Once more, the Bill specifies the information to be contained, including any cross-border impact. The timeframes are analogous to those imposed under EU NIS2.
Enforcement, penalties, and a new cost recovery mechanism
Under the Bill, regulators would gain enhanced intervention and enforcement mechanisms, including the ability to impose significantly stronger financial penalties, alongside a new cost recovery regime. The Bill grants robust investigatory and enforcement powers, allowing authorities to require a person to provide various information and documents and to be subject to inspections, seizure of documents, tests or interviews. This power includes requiring a person to obtain, generate, collect or retain documents, even those they would not otherwise collect or retain. The Secretary of State can also instigate an investigation to verify compliance or to assess and gather evidence of an alleged breach.
The Bill also allows regulators to impose stronger financial penalties for non-compliance in certain areas:
- the standard maximum amount for certain specified failures is the greater of £10,000,000 or 2% of global turnover
- the higher maximum amount for more serious failures is the greater of £17,000,000 or 4% of global turnover
- a right to impose daily penalties of up to £100,000 per day, depending on severity, for ongoing contraventions.
This new system replaces the penalty provisions under NIS. Under NIS, penalties cannot exceed £1,000,000 for any contravention the enforcement authority determines is not material; £8,500,000 for a material contravention which the enforcement authority determines does not have a significant risk or impact on service provision by the OES or RDSP; or £17,000,000 for a material contravention which the enforcement authority determines has created, or could have created, a significant risk or impact on service provision by the OES or RDSP. Potential charges under the new cost recovery mechanism could also be substantial.
Whilst the standard maximum amount aligns with the penalties under EU NIS2, the introduction of a higher maximum amount means a significant increase in potential liability for regulated entities under the Bill. Furthermore, EU NIS2 only provides for cost recovery in the case of a targeted security audit, whereas the scope for cost recovery under the Bill applies to a wider range of regulatory activities.