ARTICLE
24 May 2026

UK To Update Cyber Security Regime With Cyber Security And Resilience Bill

Winston Taylor

Contributor


The government announced it would be updating the UK's Cyber Security Regime shortly after it came into power in July 2024. On 12 November 2025, it presented the Cyber Security and Resilience (Network and Information Systems) Bill to Parliament.

The Bill will largely expand and update the scope of the current 2018 NIS Regulations, which implemented the EU NIS Directive (since replaced in the EU by the NIS2 Directive, enacted after Brexit). This means the focus of the planned UK Bill is on operators of essential services (OESs), relevant digital service providers (RDSPs), relevant managed service providers (RMSPs) and related supply chains. Much of what the Bill contains was trailed in the government's April 2025 policy statement, so there are few surprises.

More entities in scope of the regulatory framework 

Proposed changes to the 2018 NIS Regulations will be largely in line with the EU's NIS2. The Bill covers transport, energy, drinking water, health and digital infrastructure (including marketplaces, online search engines and cloud computing services). 

Managed service providers are brought into scope (with exemptions for SMEs). Certain data centres will also be brought into scope with data infrastructure classed as a relevant sector and data centres as essential services at certain thresholds (above 1MW capacity unless they are enterprise data centres, in which case it would be 10MW capacity). In addition, large load controllers are designated as OESs with a threshold requirement of potential electrical control equal to or greater than 300 megawatts in relation to relevant smart appliances, and the definition of cloud service providers is revised. 

Regulators will get new powers to identify and designate specific high-impact suppliers as "critical suppliers" and impose security obligations on them equivalent to those of other regulated entities.  

The Bill explicitly states that OESs may be designated whether or not a person is established in the UK. 

Security duties 

These are amended, but arguably of more significance are the powers of the Secretary of State to further expand the regime under secondary legislation.

Incident reporting and transparency 

The Bill updates and enhances current incident reporting requirements for regulated entities, both in terms of what must be reported and when. Transparency requirements for digital services and data centres will be enhanced and amendments are made to information sharing provisions. 

Reporting requirements will expand to cover incidents capable of having a significant impact on the provision of an essential or relevant digital service and incidents that significantly affect the confidentiality, availability, authenticity and integrity of a system provided by a regulated entity. 

The Bill introduces a revised two-stage reporting structure requiring regulated entities to notify their regulator of a significant security incident no later than 24 hours after becoming aware of it, followed by an incident report within 72 hours. Data centre OESs are required to make a notification where they are aware that a data centre incident has occurred or is occurring, and data centre OESs that experience a significant incident will also be required to alert customers who may be affected.

Powers of the Secretary of State and regulators 

The Secretary of State (SoS) will issue a Code of Practice and set out a Statement of Strategic Priorities in relation to the security and resilience of network and information systems, to which regulators are required to have regard. The SoS has powers to update the regulatory framework without the need for primary legislation subject to certain safeguards. This will allow the SoS to cover new sectors and sub-sectors and make changes to the responsibilities of the regulators. The government will also be able to introduce new obligations on regulated entities after appropriate consultation. 

The Secretary of State also has powers to instruct regulators and the organisations they oversee to take specific steps to prevent cyber attacks where there is a threat to national security.  

Regulators' information gathering and enforcement powers will be enhanced and regulators will be empowered to set up new fee and cost recovery regimes. Provision is made for a cost recovery scheme whereby periodic charges may be imposed by a NIS enforcement authority, and there are also revised information gathering, information sharing and inspection powers for regulators as well as obligations to produce specified guidance. 

Sanctions 

Sanctions for non-compliance have been significantly increased. The "standard maximum amount" for penalties where the person is an undertaking is the greater of £10,000,000 or 2% of the undertaking's turnover (both inside and outside the United Kingdom); in any other case, it is £10,000,000. The "higher maximum amount" is, where the person is an undertaking, the greater of £17,000,000 or 4% of the undertaking's turnover (both inside and outside the United Kingdom); and in any other case, £17,000,000.

Penalties for non-compliance with national security directions can be up to £17,000,000, or where regulations are in force, the greater of £17,000,000 and 10% of the turnover of the undertaking (both inside and outside the United Kingdom). 

What does this mean for you? 

While for certain essential and digital services like healthcare, energy and transport, the proposals build on the existing requirements under the UK NIS Regulations, the enhanced compliance burden could be significant, including in relation to security requirements, incident preparedness, incident reporting, and supply chain compliance. 

Other organisations will be brought in-scope and regulated for the first time, in particular MSPs and data centres. A focus on the wider technology supply chain means providers of IT services such as IT management, IT help desk support and cyber security to private and public organisations such as the NHS will be regulated where they meet certain size thresholds, and will need to meet clear security and incident management duties.

Enhanced incident reporting requirements, additional powers for the SoS and regulators, and a stronger enforcement regime, including turnover-based penalties, send a clear message of the government's intent in bolstering the UK's cyber resilience. 

The Bill (the CSRB) was held over to the new Parliament and was re-announced in the May 2026 King's Speech. While originally thought to be a relatively uncontroversial piece of legislation, there are now murmurings that it might be held up by amendments related to concerns around powerful new AI like Anthropic's Mythos and the claims that such systems have an unprecedented ability to exploit security vulnerabilities.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

