November 18, 2025

Cyber Security and Resilience (Network and Information Systems) Bill introduced to Parliament

The United Kingdom's government introduced the Cyber Security and Resilience (Network and Information Systems) Bill (the "Bill") to Parliament on 12 November 2025. The Bill is designed to update and strengthen the existing NIS Regulations 2018 (known as "NIS1") to raise cyber resilience across key parts of the economy, and to give government and regulators more agile powers to respond to evolving threats.

A large portion of the Bill was previewed in the King’s Speech back in July 2024, including that the Bill would expand NIS1 to include regulation of more digital services and supply chains, and introduce new incident-reporting requirements.

In the European Union, NIS1 has already been superseded by the Network and Information Security 2 Directive (EU) 2022/2555 ("NIS2"), which entered into force on 16 January 2023 but which has not yet been implemented nationally by all member states (we discuss NIS2 in our August 2024 Legal Update).

Implementation Timing and Stakeholder Engagement

New requirements under the Bill will come into force in stages, with some provisions in force from the first day or the second month after Royal Assent.

Further requirements—including in relation to the appropriate risk management measures to be implemented by regulated entities and the notification of incidents—will be introduced by secondary legislation after consultation; the government expects to consult in 2026.

Increased Scope

The Bill will amend NIS1 to regulate new managed service providers and data centre operators, whether or not they are established in the United Kingdom.

Digital services currently regulated under NIS1 are online marketplaces, search engines and cloud computing services. The Bill will also now apply to Relevant Managed Service Providers ("RMSPs"), which provide a broad range of managed ICT services including:

  • providing ongoing management of IT systems for a customer (including for support and maintenance, monitoring, or active administration); or
  • providing a connection or other access to network and information systems relied on by the customer (whether on premises or remotely).

RMSPs must identify and take appropriate and proportionate measures to manage the risks posed to the security of the network and information systems on which they rely, including following relevant guidance from the UK Information Commissioner (the "ICO").

Other obligations on RMSPs under the Bill will include the need to register with the ICO and nominate a UK representative (if not already established in the United Kingdom). There is likely to be a charge associated with this registration.

Under the Bill, the ICO will also be empowered to designate 'critical suppliers' who are providers of goods or services to operators of essential services, RMSPs, or other relevant digital service providers. This will be subject to a consultation procedure.

Incident Reporting

The definition of 'Incident' under the Bill now includes those 'capable of having an adverse effect' (rather than those with 'an actual adverse effect') on the regulated services.

Entities regulated by NIS1 and the Bill will need to provide to their competent authority:

  • An initial report within 24 hours of first awareness. This must include the name of the entity, the affected services and brief details of the incident;
  • A full notification within 72 hours of first awareness; and
  • Where customers are 'likely to be adversely affected', a notification to those customers as soon as reasonably practicable.

The relevant authorities are empowered to share information with non-UK regulators, e.g. those responsible for NIS2 in the European Union.

Enforcement

The Bill imposes new maximum penalties corresponding to the two new bands. For more serious breaches, the maximum penalty is up to £17 million, or 4% of a regulated entity’s worldwide turnover, whichever is higher. For less serious breaches, the maximum penalty is up to £10 million, or 2% of a regulated entity’s worldwide turnover, whichever is higher.

Next steps

We recommend some immediate and practical actions for businesses to consider in response to the Bill:

  • Understand scope: Assess whether your services are likely to be a 'managed service', whether you may otherwise be an 'operator of essential services', and be prepared to take part in a consultation on your status as a critical supplier if necessary.
  • Map and harden supply chains: Conduct a supplier inventory and criticality assessment. Identify suppliers that, if compromised, would disrupt your services. Ensure contracts across your supply chain include appropriate cyber controls, incident notification and audit/cooperation rights.
  • Prepare for regulator engagement and potential charges: Expect stronger enforcement and clearer penalties; regulators will also be able to recover more of their costs. Budget for compliance, legal and reporting costs and put plans in place to engage early with the relevant competent authority.
  • Review cyber insurance and business continuity plans: Update notification triggers in relevant incident response and continuity procedures to align with the potentially faster reporting deadlines to regulators.

Ransom Ban

While businesses are considering their incident response procedures in light of this Bill, they may also want to note the government's response to its consultation about ransomware legislative proposals, such as reducing payments to cyber criminals and increasing incident reporting. The response indicates that a targeted ban on ransomware payments, including for owners and operators of critical national infrastructure (which may include entities regulated by this Bill), would be well-received.
