THE LENS
Digital developments in focus

Proposals published on the UK Cyber Security and Resilience Bill

On 1 April 2025, the government published a statement providing further detail on the UK's upcoming Cyber Security and Resilience Bill. The Bill, which has been expected since the King's Speech last July, will draw considerably from the EU's NIS2 Directive. It aims to address the increasingly hostile cyber landscape facing critical national infrastructure by strengthening the existing cybersecurity rules.

Current Regulatory Framework

The UK’s current Network and Information Systems (NIS) regulations have been in force since May 2018 and are based on the EU’s original NIS Directive. They cover operators of essential services in five key sectors: transport, energy, drinking water, health, and digital infrastructure. Some relevant digital service providers (search engines, online marketplaces and cloud computing services) are also in scope. 

Both the UK and the EU had been planning to update the NIS rules for some time. The EU has already done so: NIS2 has applied in member states since last October (see blog). The UK's plans had somewhat stalled. The previous Conservative government said back in January 2022 that the rules would be changed (see blog), but no bill was forthcoming, leaving the UK open to accusations that it was falling behind its EU counterparts.

Key Provisions expected in the Bill

Expanded scope 

While NIS2 brought multiple new sectors into scope, the Bill will propose adding:

  • Managed Service Providers (“MSPs”): MSPs will be defined in the Bill, but are expected to cover providers offering core IT services to businesses and public sector organisations, where the provider has access to clients’ IT systems and data. That privileged access makes them significant targets for cyber threat actors, since compromising one MSP can give access to many of its clients. The Bill would subject MSPs to the same duties as digital service providers, with regulation by the Information Commissioner's Office (ICO). This change is expected to bring around 900-1,100 MSPs into scope.
  • Data centres: the statement discusses classifying data infrastructure as a relevant sector. This is likely to involve setting thresholds based on the amount of data processed.

Regulators will also be empowered to designate certain suppliers as "designated critical suppliers" where the supplier’s goods or services are so critical that their disruption could have a significant disruptive effect on the essential or digital service they support.

Security

Subject to ongoing consultation, the Bill will enable the government to impose security duties on operators of essential services and relevant digital service providers, as NIS2 does. Basic and enhanced technical standards based on the National Cyber Security Centre’s (NCSC) Cyber Assessment Framework are expected to be put on a firmer footing, extending rules which currently apply only to digital service providers.

Incident reporting

The Bill will update and enhance the current incident reporting requirements for regulated entities by introducing a two-stage reporting structure for cyber incidents. Regulated entities will be required to notify their regulator and the NCSC within 24 hours of becoming aware of an incident. A detailed report must then be provided within 72 hours. Again, this aligns more closely with NIS2, which has a similar early warning notification system.

Expanding ICO powers and publishing regulatory objectives

The ICO, as the regulator of in-scope digital service providers, will have more authority to collect information from those entities, enabling it to take a more proactive approach to enforcement. Changes will include an expanded duty for relevant digital service providers to share information with the ICO at the point of registration, and expanded criteria under which the ICO can serve information notices.

Furthermore, the Bill is expected to propose the publication of a statement of strategic priorities for regulators. The NIS regime is currently enforced through a number of sector regulators, and it is hoped this will establish a unified set of objectives and expectations to maintain consistency across them. The Bill also introduces new powers for the Secretary of State to issue directions directly to regulated entities and regulators on national security grounds.

Comment

The Bill represents a notable effort to enhance the UK's cyber security position. It does not currently adopt all of NIS2’s changes; for instance, the statement does not discuss management liability. However, by aligning with NIS2 to expand the scope of the existing regulation, focussing on security and supply chain risks, and empowering regulators, the Bill aims to protect the nation’s critical infrastructure and digital services from the growing threat of cyber-attacks.

