Commercial Question

Cybersecurity and Resilience Bill

updated on 30 September 2025

Question

What is the cyber bill and how will it impact law firms and clients?

Answer

In April 2025, the Department for Science, Innovation and Technology published a policy statement setting out the legislative proposals for the Cyber Security and Resilience Bill (the cyber bill). As part of the government’s wider focus on national security, the cyber bill aims to reform the UK’s existing cyber regime under the Network and Information Security (NIS) Regulations, and is particularly important in the wake of escalating cyber threats. As evidenced in recent high-profile incidents (eg, the M&S cyberattack and the Synnovis ransomware incident), cyber criminals are becoming more sophisticated and, as technology continues to advance, the regulatory framework shouldn’t lag behind. However, rather than taking a purely reactive approach, the policy statement recognises that the resilience of cyber systems is fundamental to fostering an environment for economic stability and innovation. As such, the cyber bill frames the developments and proposals as a foundation for, rather than a barrier to, growth.

What are the proposals under the cyber bill?

Expanded scope

The NIS Regulations came into force in 2018 with obligations imposed on certain ‘operators of essential services’ (OES) and ‘relevant digital service providers’ (RDSP) in various identified sectors, such as transport, energy, health, water and digital infrastructure.

A key proposal under the cyber bill is the expansion of the cyber regime’s scope – crucially, by bringing the following entities within its scope:

1) Managed service providers (MSPs)

The policy statement defines a ‘managed service’ as a service that:

  • is provided to another organisation;
  • relies on the use of network and information systems to deliver the service;
  • relates to ongoing management support, active administration and/or monitoring of IT systems, IT infrastructure, applications, and/or IT networks; and
  • involves a network connection and/or access to the customer’s network and information systems.

MSPs support critical services by providing core IT services to clients and hold privileged access to systems, infrastructure and data. By providing such support to various organisations, a single attack on an MSP could impact multiple clients and have wide-reaching consequences. This reform is expected to bring 900 to 1,100 MSPs into the remit of the cyber regime and this is particularly important given the attractiveness of MSPs as a target for malicious actors.

2) Data centres

The government views data centres as central to the UK’s economic future; they’ve been designated as part of critical national infrastructure. To introduce proportionate regulatory oversight, the policy statement contemplates classifying data centres as an essential service. Thresholds based on the amount of data processed have been proposed (ie, 10 megawatts capacity for enterprise data centres, otherwise a one megawatt capacity threshold will apply). This scope is expected to be adjusted from time to time, highlighting the government’s recognition that flexibility is necessary as threats evolve. This reform is particularly important as, driven by the growth of AI prompting the need for greater processing power, the number of data centres across the UK is expected to rapidly increase in the next few years for hyperscalers, such as Microsoft and Google, and other operators and users.

3) Designated critical suppliers (DCSs)

The cyber bill is expected to grant powers to regulators to designate specific high-impact suppliers as ‘designated critical suppliers’. In determining whether designation is appropriate, the policy statement provides the following threshold criteria as a framework of what to expect in the legislation:

  • The entity supplies goods or services to an OES or RDSP.
  • A disruption in the supplier’s goods or services could have a significant disruptive effect.
  • The supplier’s goods or services are dependent on networks and information systems.
  • The supplier is not already subject to similar cyber resilience regulations in force.

This reform underscores the importance of having robust supply chains, as a key deficiency of the current regime is the lack of a targeted mechanism to address supply chain vulnerabilities. Under the current proposal, DCSs will be subject to various obligations similar to those that apply to OESs and RDSPs. Furthermore, it’s contemplated that the scope of the legislation will extend to small and medium-sized enterprises (SMEs) that are exempt under the NIS Regulations. This highlights the evolution of cyberattacks, as entities may be subject to malicious activity with material impact irrespective of size – nonetheless, any burdens placed on smaller businesses should be proportionate and, as such, the policy statement envisages only a small number of SMEs being designated as DCSs.

Improving incident reporting

Recognising that various significant events currently go unreported, the policy statement emphasises the need to enhance existing reporting requirements and impose stricter obligations. This reform plans to assist regulators with assessing evolving threats, allowing them to act as necessary to continue bolstering the UK’s cyber resilience:

  • Reportable incidents: The cyber bill will expand the scope of the reporting regime by redefining what constitutes a reportable incident. Under the NIS Regulations, incidents become reportable after they have interrupted the continuity of essential or digital service. The government considers this scope too narrow and the policy statement contemplates expanding this by requiring reports to be made where incidents:

    a) can have a significant impact on the provision of the essential or digital service; or
    b) significantly affect the confidentiality, availability and integrity of a system.
  • Reporting structure: The cyber bill is expected to introduce a two-stage reporting structure. First, regulated entities are to make an initial report within 24 hours of becoming aware of an incident; this serves as an early warning notification. Thereafter, the entity must follow up with a detailed incident report within 72 hours. Compared to the current regime, this is likely to prompt more proactive reporting and should also facilitate quicker recovery, potentially minimising losses caused by cyber incidents.
  • Streamlined reporting: The reporting process is to be streamlined by requiring entities to report incidents to both their specific sectoral regulator and the UK National Cyber Security Centre (NCSC). This seeks to ensure both bodies have, and can develop, an appropriate understanding of the evolving threats companies face.
  • Alerting: The policy statement also envisages an obligation being placed on data centres and firms that provide digital services to alert customers when experiencing significant incidents, enhancing the transparency and accountability of these entities. As such, these reforms further seek to build the wider population’s trust in cybersecurity and resilience.

Expanding powers of the secretary of state and sectoral regulators

Recognising the need for flexibility in the face of rapid changes in the threat landscape, the cyber bill will grant powers to the secretary of state so they can update the legislative/regulatory framework quickly when appropriate. This will be done by building in mechanisms for secondary legislation and potentially allowing the secretary of state to issue directions to regulated entities, subject to certain conditions.

Proposals are made within the policy statement to also expand the powers of the Information Commissioner’s Office (ICO), the regulator for RDSPs and MSPs. This intends to support the ICO in identifying risk and taking action to prevent imminent attacks. In practice, the cyber bill will enhance information-gathering abilities by:

  • expanding the duty on firms to provide information to the ICO;
  • expanding the criteria for the ICO to serve information notices on firms; and
  • establishing information gateways for a more streamlined process for sharing information with the ICO.

To reduce any financial burden imposed due to the reforms, the government intends to improve the cost recovery regime by allowing regulators to set up new fee regimes.

How will the cyber bill impact law firms and their clients?

It’s crucial that companies prepare for the implementation of the legislative reforms discussed above and they may want to seek guidance from reputable law firms to help navigate the new regime.

As cyber security threats aren’t unique to the UK, many jurisdictions have introduced similar legislation – for instance, the EU’s NIS2 Directive, with which the cyber bill is expected to share various core principles, came into force in January 2023 with an implementation deadline for member states in October 2024. This means that many international companies in regulated sectors are likely to have existing measures in place that go some way towards compliance. Companies should carry out a two-stage analysis:

  • first, to determine whether they’d be captured under the cyber bill; and
  • second, to establish systems to meet the applicable obligations.

Companies may need to update their policies and standards – for example, to ensure that entities have the infrastructure and systems to meet the 24-hour reporting requirement. However, in making these updates, companies should also allow for sufficient flexibility, aligning with the government’s approach and the increased scrutiny expected under the regime.

Organisations not directly caught by the updated regime should also consider how they may be impacted. Those reliant on regulated service providers could anticipate changes to their procurement and due diligence practices and contractual provisions. The new legislation could lay foundations for renegotiations – for instance, if out-of-scope entities wish to be informed of reportable incidents under the existing or new regime.

Conclusion

As cybersecurity threats continue to evolve, reforms to the existing framework in the UK should be welcomed. The policy statement provides helpful guidance as to what to expect and makes clear that the cyber bill will play a fundamental role in bolstering cyber resilience. By expanding the scope of the current regime, we can expect the cyber bill to protect a broader range of services from cyber threats; however, only time will tell whether it will be sufficient to ensure the UK stays ahead of the curve as threats become increasingly sophisticated.

Canaan Chan is a trainee solicitor at White & Case LLP.