23 March 2026

United Kingdom Proposes Changes in the Cyber Security and Resilience Bill to the NIS Regulations, with Key Differences to NIS2


The UK Government has published the Cyber Security and Resilience (Network and Information Systems) Bill (the "Bill" or the "UK Bill") proposing significant amendments to the Network and Information Systems Regulations 2018 (the "NIS Regulations"). The Bill is intended to strengthen the United Kingdom's cybersecurity framework by expanding regulatory scope, introducing new categories of regulated entities, enhancing incident-reporting obligations, and increasing enforcement powers and penalties. The Bill remains subject to Parliamentary approval.

The Bill represents a significant expansion of the United Kingdom's network and information systems regulatory framework. The proposals would extend obligations to new categories of providers, introduce stricter incident notification requirements, and increase the scope for substantial financial penalties. Organisations already assessing their compliance with the EU NIS2 Directive should consider the UK Bill as part of that analysis. 

While the two regimes share common objectives, they differ in several important respects, and a compliance strategy designed solely around NIS2 may not fully address the requirements of the UK framework. Key differences to be aware of include: NIS2 covers a broader range of sectors (including public administration, space, food, and manufacturing); the UK regime directly regulates certain "critical suppliers", whereas NIS2 does not; incident-reporting thresholds differ; customer-notification duties differ (the UK duty applies only to data centre service providers, RDSPs, and RMSPs, while NIS2 may additionally require recipients of services to be informed of significant cyber threats); and different fines apply, with the potential for higher penalties in the United Kingdom.

Overall, affected organisations should monitor the Bill's progress through Parliament and begin assessing the potential impact on their operations and compliance posture at an early stage.

Summary of Key Changes

Expansion of Scope: Managed Service Providers and Critical Suppliers

One of the most significant changes is the introduction of a new category of regulated entity: the Relevant Managed Service Provider ("RMSP"). Under the amended Regulations, an RMSP is a person providing a managed service in the United Kingdom, where that managed service involves the ongoing management of information technology systems for customers and is provided by the service provider connecting to, or otherwise obtaining access to, network and information systems relied on by the customer in connection with a business or other activity.

The Bill also introduces a new regime for the designation of "critical suppliers." Designated competent authorities and the Information Commission will be empowered to designate persons who supply goods or services directly to:

  • Operators of Essential Services ("OESs");
  • Relevant Digital Service Providers ("RDSPs"); or
  • RMSPs,

where those suppliers rely on network and information systems for the purposes of such supply, and where an incident affecting those systems could cause significant disruption to the provision of essential services, relevant digital services, or managed services.

This new power is likely intended to address supply chain risk: it extends the regulatory perimeter to third-party providers of systemic importance.

New Sector: Data Centre Services

The Bill introduces "data centre services" as a new essential service within a newly created data infrastructure subsector. Data centre service providers meeting specified threshold requirements, currently set at a rated IT load of one megawatt or above for non-enterprise data centres and 10 megawatts or above for enterprise data centres, will be deemed to be designated as OESs and subject to the full suite of NIS obligations. The Secretary of State for Science, Innovation and Technology and the Office of Communications will act jointly as the designated competent authority for the data infrastructure subsector.

Expanded Definition of "Incident"

Generally, the definition of "incident" is broadened under the proposed amendments. Whereas the current Regulations define an incident as any event having an actual adverse effect on security, the amended definition captures any event having, or capable of having, an adverse effect on the operation or security of network and information systems. This means that the scope of regulated incidents may increase.

There are additional thresholds for reporting incidents, some of which are industry specific. The general reporting threshold for an "OES Incident" is met if:

  • the incident has affected or is affecting the operation or security of the systems; or
  • the impact of the incident in the United Kingdom is (or is likely to be) significant, assessed against specific factors set out in the Bill, such as the number of affected users.

As an example of an additional industry-specific reporting threshold, data centre operators must report an incident if there has been, is, or could have been a significant impact on the continuity of the data centre service.

This change will increase the number of reportable incidents and will require organisations to assess and respond to more potential incidents, in addition to managing actual impacts.

Enhanced Incident Notification Requirements

The Bill introduces a two-stage incident notification framework for all regulated entities. OESs, RDSPs, and RMSPs will be required to provide:

  • An initial notification to the relevant competent authority or the Information Commission within 24 hours of becoming aware that an incident has occurred or is occurring, containing the entity's name, the service affected, and brief details of the incident.
  • A full notification within 72 hours, containing more detailed information on the nature and impact of the incident.

In addition, new customer notification obligations are introduced for data centre service providers, RDSPs, and RMSPs. Following a full notification to the relevant authority, these entities must, as soon as reasonably practicable, take reasonable steps to establish which of their UK customers are likely to be adversely affected by the incident and then notify those customers.

Copies of all incident notifications must also be sent to the Computer Security Incident Response Team ("CSIRT") at the same time as they are submitted to the relevant competent authority or the Information Commission.

Information Gathering and Disclosure Powers

The Bill significantly expands the information-gathering powers of designated competent authorities and the Information Commission. Under the revised Regulation 15, authorities may require regulated persons—and any other person who appears likely to have relevant information or documents—to provide such information as is reasonably required for the purpose of exercising any of their functions under the Regulations. Information notices must specify the information or documents sought, explain why they are being sought, and set out the manner, form, and time period for provision.

The Bill also introduces extensive new provisions on information sharing between the enforcement authorities, the Secretary of State, law enforcement authorities, and relevant overseas authorities. Onward disclosure of information received under these provisions is generally prohibited except in specified circumstances, and disclosures must be relevant and proportionate to the stated purpose.

Strengthened Enforcement and Increased Penalties

The Bill substantially increases the maximum penalties that may be imposed for non-compliance. The previous maximum of £17 million for the most serious contraventions is replaced by a new tiered regime:

  • The "standard maximum amount" for less serious failures is the greater of £10 million or 2% of worldwide annual turnover.
  • The "higher maximum amount" for more serious failures, including security breaches and incident notification failures, is the greater of £17 million or 4% of worldwide annual turnover.

In determining the amount of a penalty, authorities must account for the impact of the failure, any steps taken by the person to remedy the failure or mitigate its impact, and the person's previous compliance record.

The Bill also extends the enforcement framework to RMSPs, providing for the service of enforcement notices and penalties in respect of failures relating to security duties, incident notifications, registration requirements, and compliance with information notices and directions.

Further Registration Requirements

The Bill introduces mandatory registration requirements for RMSPs with the Information Commission. RMSPs must submit specified details, including their name, principal address, director or partner names, and up-to-date contact details, before the registration date. Similar registration requirements apply to data centre service providers designated as OESs.

Periodic Charging Regimes

New charging provisions empower NIS enforcement authorities to impose periodic charges on regulated entities to recover the costs of regulatory functions. Authorities may also charge for specific activities undertaken in relation to a particular person. Charging schemes must be published and consulted upon.

Appeal Rights Extended

The Bill extends rights of appeal: RMSPs will have the right to appeal enforcement and penalty notices, and critical suppliers will have the right to appeal their designation and any revocation of it.

Practical Implications

Managed Service Providers

Organisations providing managed IT services should prepare for their potential classification as RMSPs and the associated regulatory obligations. This will include:

  • Registering with the Information Commission;
  • Implementing appropriate and proportionate technical and organisational security measures;
  • Developing incident response and notification procedures; and
  • Operational and communications planning around the obligation to notify affected customers following an incident.

Data Centre Operators

Providers of data centre services at or above the relevant rated IT-load thresholds should anticipate designation, and ensure they can comply with the security duties and incident notification requirements applicable to essential services. These entities will also be subject to requirements to provide detailed registration information and notify customers likely to be adversely affected by incidents.

Existing OESs and RDSPs

Current regulated entities should review the expanded incident notification regime and prepare to provide initial notifications within the new 24-hour deadline. The lowered threshold for incidents and the requirement to notify customers of certain incidents will necessitate updates to incident response policies and procedures.

Third-Party Suppliers

Organisations supplying goods or services to OESs, RDSPs, or RMSPs should assess their exposure to potential designation as critical suppliers and the obligations that may follow, including security duties and incident-reporting requirements.

Comparison with EU NIS2 Directive

The UK Cyber Security and Resilience Bill represents the United Kingdom's post-Brexit approach to strengthening its network and information systems regulatory framework. The European Union has pursued similar objectives through the NIS2 Directive (Directive (EU) 2022/2555). The two regimes differ in several important respects, which we draw out in the commentary under each feature below. Organisations operating across both jurisdictions should be aware of these distinctions when developing their compliance strategies.

Scope: Regulated Entities

  • UK Bill: Operators of Essential Services, Relevant Digital Service Providers, and the newly introduced Relevant Managed Service Providers. A size-cap rule applies to the latter two categories.
  • NIS2: Essential Entities and Important Entities across 18 sectors, applying a size-cap rule (generally medium and large enterprises). Some types of Essential Entities ("critical entities") are subject to designation by Member States.
  • Commentary: The United Kingdom retains a designation-based approach for OESs, whereas NIS2 applies a size-cap rule that automatically captures medium and large enterprises in the specified sectors. Some organisations in scope under NIS2 may therefore fall outside the UK regime, and vice versa.

New Sectors

  • UK Bill: Data centre services introduced as a new essential service within a data infrastructure subsector.
  • NIS2: Scope expanded significantly to include public administration, space, wastewater, food, manufacturing, postal services, waste management, and digital providers.
  • Commentary: NIS2 covers a substantially broader range of sectors. Organisations in sectors such as public administration, space, food, and manufacturing may be in scope under NIS2 but not under the UK Bill.

Managed Service Providers

  • UK Bill: Introduces RMSPs as a distinct regulated category.
  • NIS2: Managed Service Providers and Managed Security Service Providers fall within scope as Essential Entities or Important Entities, depending on the size of the organisation.
  • Commentary: Organisations providing managed services in both the UK and the EU will not be able to rely on general NIS2 compliance in the UK and will need to review the RMSP requirements under the UK Bill carefully.

Supply Chain

  • UK Bill: Introduces a designation regime for "critical suppliers" to OESs, RDSPs, and RMSPs.
  • NIS2: Mandates supply chain security as one of ten minimum security measures; entities must assess cybersecurity risks in their supplier relationships.
  • Commentary: Under the UK Bill, "critical suppliers" are subject to direct oversight by the regulator, whereas NIS2 does not envisage direct regulatory oversight of suppliers.

Incident Definition

  • UK Bill: Expanded to include events having, or capable of having, an adverse effect on the operation or security of network and information systems. The significance of an incident is assessed against industry-specific factors set out in the Bill.
  • NIS2: Significant incidents are those causing or capable of causing severe operational disruption, financial loss, or material or non-material damage to others. The NIS2 Implementing Regulation (EU) 2024/2690 sets out more specific definitions for digital entities.
  • Commentary: In-scope organisations providing services in both the United Kingdom and the European Union will need to assess separately whether a given incident triggers reporting obligations under the UK Bill and/or under NIS2.

Incident Reporting: Initial Notification

  • UK Bill: Within 24 hours of becoming aware of an incident.
  • NIS2: Early warning within 24 hours of becoming aware of a significant incident.
  • Commentary: This reporting deadline is broadly aligned.

Incident Reporting: Full Notification

  • UK Bill: Within 72 hours of becoming aware of an incident.
  • NIS2: Incident notification within 72 hours of becoming aware of a significant incident.
  • Commentary: This reporting deadline is broadly aligned.

Incident Reporting: Final Report

  • UK Bill: Not specified in the current Bill.
  • NIS2: Final report within one month of the incident notification.
  • Commentary: NIS2 requires a formal final report within one month, whereas the UK Bill does not currently mandate one. Organisations complying with NIS2 will need to maintain final-reporting processes that go beyond the UK requirements.

Customer Notification

  • UK Bill: Data centre service providers, RDSPs, and RMSPs must notify UK customers likely to be adversely affected.
  • NIS2: Where appropriate, entities must notify recipients of their services of significant incidents likely to adversely affect service provision; they may also be required to inform recipients of significant cyber threats.
  • Commentary: Organisations may have additional customer-notification obligations under NIS2, depending on how NIS2 has been or will be transposed in each Member State.

Management Accountability

  • UK Bill: Not explicitly addressed in the current Bill.
  • NIS2: Management bodies must approve and oversee cybersecurity measures; cybersecurity training for management is mandatory; there is potential personal liability for non-compliance.
  • Commentary: NIS2 introduces significant personal accountability for senior management, including mandatory training and potential liability, which is absent from the UK Bill. Organisations should not assume that governance structures designed for NIS2 compliance will satisfy UK requirements, or that the UK regime will impose equivalent management-level obligations.

Maximum Penalties: Standard

  • UK Bill: Greater of £10 million or 2% of worldwide annual turnover.
  • NIS2: Monetary penalties for infringements of obligations other than cybersecurity risk-management measures and incident reporting are left to each Member State to define. Member States must consider factors such as the seriousness and duration of the infringement and ensure that fines are effective, proportionate and dissuasive.
  • Commentary: Even the standard penalties under the UK Bill can be significant, whereas NIS2 gives Member States greater flexibility in deciding whether fines apply to less serious infringements in their jurisdiction.

Maximum Penalties: Higher/Serious

  • UK Bill: Greater of £17 million or 4% of worldwide annual turnover (for security breaches and incident notification failures).
  • NIS2: Essential Entities: at least €10 million or 2% of global annual turnover (whichever is higher). Important Entities: at least €7 million or 1.4% of global annual turnover (whichever is higher). These penalties apply to breaches of cybersecurity risk-management measures and incident-reporting obligations; Member States may specify higher maximum amounts in their transposition laws. Additional non-monetary sanctions include binding instructions, temporary bans on management personnel, and public disclosure of violations.
  • Commentary: The UK Bill provides for significantly higher financial penalties than NIS2 for similar types of breach. NIS2 sets different levels of fines depending on the organisation's NIS2 classification.

Registration Requirements

  • UK Bill: Mandatory registration of RMSPs with the Information Commission; data centre service providers designated as OESs must also register.
  • NIS2: Essential and Important Entities must register with competent authorities, and each Member State may define its own national registration mechanism.
  • Commentary: Organisations operating across the United Kingdom and the European Union will need to assess their registration obligations under the UK Bill as well as under the Member State laws transposing NIS2.

Supervisory Approach

  • UK Bill: Enhanced information-gathering powers for competent authorities and the Information Commission.
  • NIS2: Proactive supervision of Essential Entities (audits, inspections); reactive supervision of Important Entities (where it is suspected that the Important Entity is not complying with NIS2 requirements).
  • Commentary: NIS2 provides a lighter-touch regulatory regime for Important Entities than for Essential Entities, whereas the UK Bill provides enhanced information-gathering powers across the board.

Organisations subject to both regimes should note that while the UK Bill and NIS2 share common objectives of strengthening cybersecurity resilience and imposing stricter incident-reporting obligations, there are material differences in scope, supervisory approach, and penalty structures.
