
Navigating the UK Cyber Security and Resilience Bill

03 July 2025

By Julian Brown

UK cyber security and resilience: What the Bill means for your organisation

In April 2025, the UK Government published a policy statement outlining its plans to strengthen its regulation of UK Critical National Infrastructure (CNI) and its supply chain. The changes will be brought about by a new Cyber Security and Resilience Bill, which will be introduced to the UK Parliament later this year.

In this first instalment of a series focused on the CS&R Bill, our cyber policy and regulation experts seek to:

  • Provide you with updates on the Bill as it prepares to progress through Parliament.
  • Help you align it to other legal, regulatory, and compliance requirements you may have.
  • Offer insight into the potential implications it may have for your organisation.
  • Recommend ways to prepare, spread the cost of compliance, and capitalise through early adoption.

What is the Cyber Security and Resilience Bill?

In its 2024 Annual Review, the UK's National Cyber Security Centre warned that "there is a widening gap between the increasingly complex threats and our collective defensive capabilities in the UK, particularly around our critical national infrastructure."

Like many governments around the world, the UK is turning to the legal and regulatory levers at its disposal to enhance CNI resilience. The Cyber Security and Resilience Bill will enable the Government to significantly expand the number of organisations that must comply with NIS regulations, enhance the security and incident reporting requirements, and introduce new government powers.

To better understand how other countries are tackling their cyber challenges, NCC Group has updated its Global Cyber Policy Radar with recent developments.


What will the Bill do?

The key measures set to be included in the Bill are:

Widening the net

  • Brings new sectors of the economy into the scope of the NIS regulations, including data centres with over 1MW capacity (unless it is an enterprise data centre, which will only be in scope if it is above 10MW capacity), an estimated 900-1100 managed service providers, and energy flexibility providers. Other sectors, such as the space industry, could enter into scope over time, with the Government giving itself the power to extend the NIS Regulations without requiring an Act of Parliament.
  • Enables regulators to designate 'Critical Suppliers', who will be directly within scope of core security requirements and incident reporting obligations. Like the measures implemented by the UK's Financial Services and Markets Act and the EU's DORA, a small number of suppliers providing goods or services to NIS-regulated entities will be impacted.

Enhancing requirements

  • Establishes stronger supply chain duties for NIS-regulated organisations. Once the Bill becomes law, these requirements will be set out in secondary legislation.
  • Paves the way for clearer technical and methodological security requirements. The Government will gain new power to update existing requirements and issue a code of practice to guide how regulatory requirements should be satisfied. We expect future regulations to set these out in more detail once the Bill is passed.
  • Strengthens incident reporting requirements by:
    • Expanding the types of incidents that will need to be reported, covering incidents that can significantly impact the provision of the essential or digital service and incidents that significantly affect the confidentiality, availability, and integrity of a system.
    • Introducing a two-stage reporting structure that will require regulated entities to notify their regulator and inform NCSC of a significant incident no later than 24 hours after becoming aware of that incident, followed by an incident report within 72 hours.
    • Requiring firms that provide digital services and data centres to alert customers who may be affected by an incident.

Giving Government and regulators more powers

  • Adopts a more proactive supervisory approach for the most critical firms that provide digital services, with the ICO getting new information gathering and oversight powers.
  • Enables regulators to set up new fee regimes, levy fees, and recover costs via invoices.
  • Introduces new government powers to update requirements and bring new sectors of the economy into the scope of the NIS regulations.

What else might be in the Bill?

The Government is considering introducing a new power to issue directions to regulated entities in relation to a specific cyber incident or threat, requiring the entity to take remediation action. While the power is intended to only be used "where necessary and proportionate," the move would align with a global trend toward much more interventionist cyber regulatory regimes.

The Government is (separately) consulting on proposals to ban ransomware payments by CNI and public sector organisations, with the rest of the economy required to gain approval before a ransom can be paid. All UK organisations would also be required to report ransomware incidents. At this stage, it is unclear if or how the changes to the UK NIS Regulations will interact with the ransomware proposals. Still, the Government has stated it will work towards streamlining reporting obligations if the ransomware proposals are implemented.


When will the changes come into effect?

The Cyber Security and Resilience Bill will be introduced to Parliament later this year, though Royal Assent (i.e., the Bill becoming law) is unlikely to happen until at least early 2026.

After that, there will likely be a transitionary period as the UK Government develops and implements the new requirements via the code of practice and secondary legislation.


How does it compare to the EU's NIS2?

The Bill won't be a direct replica of the EU's NIS2 Directive, not least because the legislative processes are different. That said, the UK Government has stated that it will align "where appropriate" with the EU's NIS2 Directive. Broadly speaking, the following represent the likely similarities and differences:

  • Security and supply chain requirements: The UK Government intends to bring its NIS security requirements "into closer alignment with NIS2" and enhance supply chain rules, as the EU's NIS2 Directive is also doing.
  • Incident reporting: The UK looks set to align with the EU's NIS2 reporting timelines, with a 24-hour early warning requirement, followed by an incident report within 72 hours. The definition of which incidents will need to be reported is likely to be similar, too, though we are yet to see the UK's final legal text.
  • Sectors impacted: Notable sectors that are not covered by the UK Government's current plans but are included in the EU's NIS2 are space, manufacturing, waste, postal services, and research organisations – though the UK Government could add these sectors over time with its new powers. In addition, while banking, financial institutions and public organisations are regulated under the EU's NIS2, these sectors are overseen by different regulatory and oversight frameworks in the UK, so they will not be brought under the scope of the UK NIS Regulations any time soon.
  • Regulator powers: Both the UK's Cyber Security and Resilience Bill and the EU's NIS2 Directive implement strengthened powers for competent authorities.

How should organisations prepare?

If you are already in the scope of NIS or may soon find yourself in scope of new requirements from the UK Cyber Security and Resilience Bill, there are some key steps you can take now to minimise its impact on your business:

1. Track the progress of the Bill through Parliament and watch out for our updates through these blogs.

2. Enhance your governance and accountability by ensuring you have board-level buy-in.

3. Take advice on your current scope and risk profile and what change might mean for you.

4. Review your third parties and supply chains to determine whether these may bring you into the scope of the Bill.

5. Assess what you might need to change in your processes or technologies to enhance your incident reporting capability.

Julian Brown

Managing Consultant RM&G, NCC Group

Julian Brown is a Managing Consultant at NCC Group specialising in helping organisations cut through regulatory complexity to meet evolving compliance demands and deliver practical, risk-focused solutions that strengthen security and support long-term operational resilience.