On 12 November 2025, the UK’s Cyber Security and Resilience (Network and Information Systems) Bill (‘the Bill’) was introduced to Parliament, with the aim of reforming the existing UK Network and Information Systems Regulations (the ‘UK NIS’).
The Bill aims to strengthen cyber security requirements and to hold more industries to higher standards. So, what’s different?
Expansion of Scope
The Bill seeks to cover more industries and organisations than the current UK NIS. This means that the rules would also cover industries such as:
- Data Centres;
- Designated Critical suppliers;
- Large Load Controllers; and
- Managed Service Providers.
The Bill anticipates additional contractual controls, increased security checks, and cyber incident planning, so that incidents that do occur are better managed.
Lock Down on Reporting
The Bill will broaden existing reporting requirements to cover incidents that have had, or are capable of having, a significant impact on services. This departs from the current NIS regulations, which only require reporting for incidents that have a significant impact on the continuity of essential services.
There is also a tightening of timings - in-scope industries will have to submit an initial notification within 24 hours of becoming aware of a cyber incident, followed by a full incident report within 72 hours. There will also be an obligation to notify customers where they may be affected by the cyber incident.
Increasing Regulatory Powers
The Bill will give the Secretary of State flexibility both to specify new essential activities and regulated persons and to issue statutory Codes of Practice – i.e. expanding the regime to additional sectors and providing detailed guidance on compliance expectations. This is an important point, which should assist with “futureproofing” in a rapidly advancing technological landscape.
The Bill also enables the Secretary of State to take a more proactive enforcement role in incidents that may have a national security impact, including the ability to direct organisations to take action.
Enforcement and Penalties
The Bill will introduce two penalty tiers for non-compliance, in line with the GDPR: a standard maximum of the higher of £10 million or 2% of global turnover, and a higher maximum of the higher of £17 million or 4% of global turnover.
What’s next?
The second reading was completed on 6 January 2026, and the Bill now faces a detailed review by Members. We expect to see this Bill come into force later this year, and organisations are now encouraged to review their cyber resilience frameworks to transition smoothly to meet the new requirements.