Proposed reforms to cyber security laws in the UK have been a long time coming, as the government has finally introduced the Cyber Security and Resilience Bill (the "Bill") to parliament for its first reading on 12 November 2025. The new law is expected to come into force at some point in 2026 with commencement to be phased and delivered largely through secondary legislation. The Bill will update the Network and Information Systems Regulations 2018 ("NIS"), which places 'security and resilience duties' on organisations 'involved in the delivery of essential services and some digital services'. 

The government's press release states that the Bill is designed to increase UK defences against cyber-attacks and the protection of public services. The Bill seeks to achieve this by widening the application of NIS, imposing additional notification obligations, and tightening up the enforcement regime.

The government is looking to significantly modernise the UK's existing cyber law framework and to bring it more closely into line with the EU's NIS2 Directive. Organisations already dealing with the raft of cyber regulation across the EU will need to be aware that the Bill expands the range of entities subject to UK requirements, so more organisations will be in scope.

There are three 'pillars' of reforms to update NIS: (1) to 'protect services people rely on', (2) to 'deliver a step change in national security', and (3) to 'underpin economic stability'.

Who is caught?

NIS primarily applies to 'operators of essential services' (such as organisations in the energy, transport, health, water and digital infrastructure sectors) and certain digital service providers.

The Bill will significantly expand this scope. According to the government's policy paper on the Bill, organisations are likely to be caught where they provide services considered so essential that their disruption could affect daily life, economic stability, or national security in the UK. The range of entities expected to fall within scope includes:

  • Managed service providers, including outsourced IT providers, cyber security service providers, and entities providing services essential to the resilience or security of another organisation's network or information systems.
  • Data centre operators above specified capacity thresholds, reflecting the government's view that data infrastructure is now critical national infrastructure.
  • Certain entities in the energy sector, including large load controllers.
  • Critical suppliers, meaning organisations that support or underpin the delivery of essential or digital services and whose disruption could have a significant impact on the economy or the day-to-day functioning of society in all or part of the UK.

This means that organisations that are not currently regulated under NIS, particularly suppliers and technology providers, may find themselves brought within scope for the first time.

What are the new requirements?

Under NIS, incident notification is required without undue delay where an incident has a significant impact on the continuity of essential or digital services.

The Bill replaces this with a more structured and time-critical reporting framework. In-scope organisations will be required to:

  • Submit an initial notification within 24 hours of becoming aware of a significant cyber incident;
  • Provide a full incident report within 72 hours; and
  • Notify both their competent authority and the National Cyber Security Centre.

The Bill also introduces a new obligation to notify customers who are likely to be adversely affected by an incident.

Data centre operators will be subject to a different reporting regime, including reporting incidents that have had, could have had, or are likely to have a significant impact on the operation, security, or continuity of data centre services in the UK. In these cases, affected customers must also be informed.

What are the implications of getting this wrong?

The Bill significantly strengthens the enforcement regime and increases the consequences of non-compliance.

Regulators will be granted broader investigatory and audit powers, alongside a revamped penalty framework designed to create stronger incentives for compliance.

The proposed penalty regime includes:

  • Maximum fines of the greater of £17 million or 4% of worldwide annual turnover for serious breaches;
  • Maximum fines of the greater of £10 million or 2% of worldwide annual turnover for less serious breaches; and
  • Daily penalties of £50,000 per day, in specified circumstances, for continuing non-compliance.

Interestingly, these figures exceed the higher of the two maximum fine bands available under NIS2 in the European Union (EUR 10 million or 2% of worldwide annual turnover for essential entities).

Separate penalties may also apply for failures to comply with information notices or non-disclosure requirements.

So, when will the new Bill be in force?

The government has indicated that the Bill will be implemented using a 'sequenced' and phased approach, to allow regulators and industry time to prepare. While precise commencement dates have not yet been confirmed, the Bill is expected to receive Royal Assent at some point in 2026, with many obligations brought into force (as with the Data (Use and Access) Act 2025) through secondary legislation thereafter. A further consultation on implementation proposals is anticipated.

The Bill will go through the legislative process, with the second reading expected to take place on 6 January 2026.

The volume and sophistication of attacks continue to grow, and the Bill is positioned as the government's legislative response to that threat.

What should organisations do now?

Given the possibility of receiving GDPR-level fines, organisations should begin preparing for the new cyber framework in the UK by:

  • Identifying whether they are likely to fall within the Bill's expanded scope;
  • Reviewing incident response processes and policies;
  • Mapping critical suppliers and ensuring contracts contain incident-reporting obligations that are compatible with the 24-hour initial notification and 72-hour full report deadlines; and
  • Monitoring the progress of the Bill and beginning to implement any required measures.

The current version of the Bill may be found here.

Cyber Security and Resilience (Network and Information Systems) Bill introduced
