Solicitors hub
Everything you need to know about becoming a solicitor
Search training contracts
Search for a training contract at nearly 1,000 organisations
Training contract deadlines
A comprehensive list of training contract deadlines
Vacation scheme deadlines
A comprehensive list of law firms' vacation scheme deadlines

INSIDE LOOK

Meet the Lawyer
Read how today's lawyers went from student to qualified lawyer
Meet the Recruiter
Advice from recruiters on acing your applications and more
Vacation Scheme Insiders
Get a sense of what firms' vacation schemes are really like
Brochures
Your essential first step in identifying the firm for you
Practice Area Profiles
Hear from solicitors working in specific practice areas

LEARN

DISCOVER

Barristers hub
Everything you need to know about becoming a barrister
Search pupillages
Search for a pupillage at nearly 200 barristers' chambers
Pupillage deadlines
A comprehensive list of pupillage deadlines

INSIDE LOOK

Meet the Lawyer
Read how today's barristers went from student to qualified barrister at the Bar
Practice Area Profiles
Hear from barristers working in specific practice areas
Types of chambers
Find out more about the different types of chambers

LEARN

DISCOVER

Beginner's hub

Interested in a future career as a lawyer? Use The Beginner’s Guide to a Career in Law to get started

Apprenticeships hub

Find out about the various legal apprenticeships on offer and browse vacancies with The Law Apprenticeships Guide

SQE hub

Information on qualifying through the Solicitors Qualifying Exam, including preparation courses, study resources, QWE and more

Commercial awareness hub

Discover everything you need to know about developing your knowledge of the business world and its impact on the law

Diversity hub

The latest news and updates on the actions being taken to improve diversity and inclusion in the legal profession

Application hub

Discover advice to help you prepare for and ace your vacation scheme, training contract and pupillage applications

First-year hub

Your first-year guide to a career in law – find out how to kickstart your legal career at this early stage

Non-law hub

Your non-law guide to a career in law – everything you need to know about converting to law

Training in Ireland hub

Everything you need to know about qualifying as a solicitor in Ireland

Education hub
This hub covers all aspects of legal education and training
Search law courses
Search law-related courses across the UK
Law school prospectuses
Identify the right law school for you with these prospectuses
Finances
Find out about sources of funding at each stage of the qualification process

COURSES

Undergraduate degree
Find out what an undergraduate degree is
Law conversion courses – PGDL
Find out about what you learn and where to study
Legal practice course – LPC
Find out what the LPC involves and whether you're eligible
Bar courses – BPTC/BPC
Find out about the course required to qualify as a barrister
SQE preparation courses
Find out about the brand-new SQE preparation courses

STAGES

DISCOVER

Commercial Question
Articles from law firms designed to get you thinking commercially
Features
These are designed to increase your knowledge of the profession
LCN Says
Insights from LCN and contributors from the world of law
The Oracle
Advice on issues from funding your studies to getting experience
LCN Weekly Newsletter
Kickstart your legal career with the latest content in our newsletter

EXPLORE

News
Discover key stories from the legal world
Videos
Our videos feature interviews and webinars on careers in law
Podcast
Hear from the experts via The LawCareers.Net Podcast
Blogs
Hear from your peers about their journey into the profession

DISCOVER

Back to overview

Commercial Question

Cybersecurity and Resilience Bill

updated on 07 October 2025

Question

What is the cyber bill and how will it impact law firms and clients?

Answer

This article was originally published on 30 September 2025.

In April 2025, the Department for Science, Innovation and Technology published a policy statement setting out the legislative proposals for the Cyber Security and Resilience Bill (the cyber bill). As part of the government’s wider focus on national security, the cyber bill aims to reform the UK’s existing cyber regime under the Network and Information Security (NIS) Regulations (and is particularly important in the wake of escalating cyber threats. As evidenced in recent high-profile incidents (eg, M&S cyberattack; and Synnovis ransomware incident), cyber criminals are becoming more sophisticated and, as technology continues to advance, the regulatory framework shouldn’t lag behind. However, rather than taking a purely reactive approach, the policy statement recognises that the resilience of cyber systems is fundamental to fostering an environment for economic stability and innovation. As such, the cyber bill frames the developments and proposals as a foundation, rather than barrier, to growth.

What are the proposals under the cyber bill?

Expanded scope

The NIS Regulations came into force in 2018 with obligations imposed on certain operators of essential services’ (OES) and relevant digital service providers (RDSP) in various identified sectors, such as transport, energy, health, water and digital infrastructure.

A key proposal under the cyber bill is the expansion of the cyber regime’s scope – crucially, by bringing the following entities within its scope:

1) Managed service providers (MSPs)

The policy statement defines a ‘managed service’ as a service that:

is provided to another organisation;
relies on the use of network and information systems to deliver the service;
relates to ongoing management support, active administration and/or monitoring of IT systems, IT infrastructure, applications, and/or IT networks; and
involves a network connection and/or access to the customer’s network and information systems.

MSPs support critical services by providing core IT services to clients and hold privileged access to systems, infrastructure and data. By providing such support to various organisations, a single attack on an MSP could impact multiple clients and have wide-reaching consequences. This reform is expected to bring 900 to 1,100 MSPs into the remit of the cyber regime and this is particularly important given the attractiveness of MSPs as a target for malicious actors.

2) Data centres

The government views data centres as central to the UK’s economic future; they’ve been designated as part of critical national infrastructure. To introduce proportionate regulatory oversight, the policy statement contemplates classifying data centres as an essential service. Thresholds based on the amount of data processed have been proposed (ie, 10 megawatts capacity for enterprise data centres, otherwise a one megawatt capacity threshold will apply). This scope is expected to be adjusted from time to time, highlighting the government’s recognition that flexibility is necessary as threats evolve. This reform is particularly important as, driven by the growth of AI prompting the need for greater processing power, the number of data centres across the UK is expected to rapidly increase in the next few years for hyperscalers, such as Microsoft and Google, and other operators and users.

3) Designated critical suppliers (DCSs)

The cyber bill is expected to grant powers to regulators to designate specific high-impact suppliers as ‘designated critical suppliers’. In determining whether designation is appropriate, the policy statement provides the following threshold criteria as a framework of what to expect in the legislation:

The entity supplies goods or services to an OES or RDSP.
A disruption in the supplier’s goods or services could have a significant disruptive effect.
The supplier’s goods or services are dependent on networks and information systems.
The supplier is not already subject by similar cyber resilience regulations in force.

This reform underscores the importance of having robust supply chains as a key deficiency of the current regime is the lack of a targeted mechanism to address supply chain vulnerabilities. Under the current proposal, DCSs will be subject to various obligations similar to those that apply to OESs and RDSPs. Furthermore, it’s contemplated that the scope of the legislation will extend to small and medium-sized enterprises (SMEs) that are exempt under the NIS Regulations. This highlights the evolution of cyberattacks as entities may be subject to malicious activity with material impact irrespective of size – nonetheless, any burdens placed on smaller businesses should be proportionate and as such, the policy statement envisages only a small number of SMEs designated as DCSs.

Improving incident reporting

Recognising that various significant events currently go unreported, the policy statement emphasises the need to enhance existing reporting requirements and impose stricter obligations. This reform plans to assist regulators with assessing evolving threats, allowing them to act as necessary to continue bolstering the UK’s cyber resilience:

Reportable incidents: The cyber bill will expand the scope of the reporting regime by redefining what constitutes a reportable incident. Under the NIS Regulations, incidents become reportable after they have interrupted the continuity of essential or digital service. The government considers this scope too narrow and the policy statement contemplates expanding this by requiring reports to be made where incidents:

a) can have a significant impact on the provision of the essential or digital service; or
b) significantly affect the confidentiality, availability and integrity of a system.
Reporting structure: The cyber bill is expected to introduce a two-stage reporting structure. First, regulated entities are to make initial reports after 24 hours of becoming aware of an incident and this serves as an early warning notification. Thereafter, the entity must follow up with a detailed incident report within 72 hours. Compared to the current regime, this is likely to prompt more proactive reporting and is important to also facilitate quicker recovery processes, potentially minimising losses caused by cyber incidents.
Streamlined reporting: The reporting process is to be streamlined by requiring entities to report incidents to their specific sectoral regulator and the UK National Cybersecurity Centre. This seeks to ensure both bodies have and can develop an appropriate understanding of the evolving threats companies face.
Altering: The policy statement also envisages an obligation being placed on data centres and firms that provide digital services to alert customers when experiencing significant incidents, enhancing transparency and accountability of these entities. As such, these reforms further seek to build the wider population’s trust in cybersecurity and resilience.

Expanding powers of the secretary of state and sectoral regulators

Recognising the need for flexibility in the face of rapid changes in the threat landscape, the cyber bill will grant powers to the secretary of state so they can update the legislative/regulatory framework quickly when appropriate. This will be done by building in mechanisms for secondary legislation and potentially allowing the secretary of state to issue directions to regulated entities, subject to certain conditions.

Proposals are made within the policy statement to also expand the powers of the Information Commissioner’s Office (ICO), the regulator for RDSPs and MSPs. This intends to support the ICO in identifying risk and taking action to prevent imminent attacks. In practice, the cyber bill will enhance information-gathering abilities by:

expanding the duty on firms to provide information with the ICO;
expanding the criteria for the ICO to service information notices on firms; and
establishing information gateways for a more streamlined process for sharing information with the ICO.

To reduce any financial burden imposed due to the reforms, the government intends to improve the cost recovery regime by allowing regulators to set up new fee regimes.

How will the cyber bill impact law firms and their clients?

It’s crucial that companies prepare for the implementation of the legislative reforms discussed above and they may want to seek guidance from reputable law firms to help navigate the new regime.

As cyber security threats aren’t unique to the UK, many jurisdictions have introduced similar legislation – for instance, the EU’s NIS2 Directive, which the cyber bill is expected to share various core principles with, came into force in January 2023 with an implementation deadline for member states in October 2024. This means that many international companies in regulated sectors are likely to have existing measures in place to help go some way towards compliance. Companies should carry out a two-stage analysis:

first, to determine whether they’d be captured under the cyber bill; and
second, to establish systems to meet the applicable obligations.

Companies may need to update their policies and standards – for example, to ensure that entities have the infrastructure and systems to meet the 24-hour reporting requirement. However, in making these updates, companies should also allow for sufficient flexibility, aligning with the government’s approach and the increased scrutiny expected under the regime.

Organisations not directly caught by the updated regime should also consider how they may be impacted. Those reliant on regulated service providers could anticipate changes to their procurement and due diligence practices and contractual provisions. The new legislation could lay foundations for renegotiations – for instance, if out-of-scope entities wish to be informed of reportable incidents under the existing or new regime.

Conclusion

As cybersecurity threats continue to evolve, reforms to the existing framework in the UK should be welcomed. The policy statement provides helpful guidance as to what to expect and makes clear that the cyber bill will play a fundamental role in bolstering cyber resilience. By expanding the scope of the current regime, we can expect the cyber bill to protect a broader range of services from cyber threats; however, only time will tell whether it will be sufficient to ensure the UK stays ahead of the curve as threats become increasingly sophisticated.

Canaan Chan is a trainee solicitor at White & Case LLP.