The Cybersecurity And Resilience Bill Is Coming. Here’s What It Means

The UK's Cyber Security and Resilience Bill was presented to Parliament in November. What does it mean for businesses? 

In 2024, the UK was targeted by cyber-attacks more than any other country in Europe, with over 40% of organisations suffering a significant incident.

The average cost of a cyber-attack is also surging, with figures estimating a breach costs UK organisations over £190,000. This amounts to around £14.7 billion a year across the economy – equivalent to 0.5% of the UK’s GDP.

It is with this in mind that the UK's Cyber Security and Resilience (Network and Information Systems) Bill was presented to Parliament in November.

Originally proposed in the 2024 King’s Speech and fleshed out with further details earlier this year, the Bill aims to make the UK more resilient to incidents such as the ransomware hit on Synnovis – which was so serious it contributed to a patient’s death.

“In the face of increasing cyber threats, it will prevent disruption – keeping the taps running, the lights on and the UK’s transport services moving – while making sure those who supply our vital services have tougher cyber protections,” the government said when introducing the Bill.

What The Bill Says

Intended as an update to the UK’s current cyber resilience law, the 2018 NIS regulation, the Bill has just been published for the first time. It is therefore yet to be scrutinised and undergo further iterations in Parliament, Luke Dixon, partner and head of data and information at Freeths, explains.

In its current form, the Bill includes new laws to strengthen cyber defences for essential public services such as healthcare, digital infrastructure, drinking water providers, transport and energy, says Dixon.

Aligning closely with the EU’s NIS 2, the Bill builds upon the current obligations of regulated entities to report cyber incidents.

The Bill introduces a two-stage reporting process – a “light touch” notification within 24 hours and a full report within 72 hours. “This broadly mirrors the EU’s move to faster warnings under NIS2, though the legal details differ,” says Pieter Arntz, senior malware researcher at Malwarebytes.

The Bill aligns with NIS2 on stricter security duties, faster reporting and tougher penalties – but it retains UK-specific approaches and does not exactly replicate NIS2’s full suite of senior management liability measures, Arntz says.

Broader Scope

The Bill’s scope is materially broader than before. Managed service providers (MSPs), hosting companies, cloud infrastructure operators and other high-impact suppliers will come under direct duties for resilience and incident reporting, says Edward Lewis, CEO at cybersecurity consultancy CyXcel. “Boards and senior executives will face clearer lines of accountability, with regulators empowered to scrutinise governance, test resilience measures and levy more meaningful penalties for failures.”

Organisations that were previously outside NIS may now find themselves in scope, and many will need to re-assess their supply chain exposure, Lewis warns.

Where the original NIS regime focused narrowly on operators of essential services, the new Bill responds to newer issues such as supply chain compromise, ransomware and service outage events. “It widens the regulatory perimeter to include critical dependencies, introduces outcome-based duties, and moves away from checklists towards demonstrable resilience,” says Lewis.

However, the government has not, at this stage, included the proposed reforms on ransomware payments or pre-notification requirements, Lewis points out. “Their absence from the first reading suggests they may appear through later amendments or in separate legislation.”

One significant change is that load controllers – organisations that manage electrical load for smart appliances – are now within the scope of the Bill, says Jonathan Lee, Trend Micro’s director of cyber strategy. “They will now be treated as regulated organisations because of their critical role in national infrastructure, meaning they must comply with stricter security and resilience requirements.”

However, the definition of MSPs and certain digital service providers “isn’t particularly well defined” and needs to be refined as part of the consultation process – as does the definition of how a critical supplier comes to be designated as such, says Lee. “Some of what’s proposed remains vague, with matters such as information-sharing gateways and high-level security and resilience requirements deferred to secondary legislation. This will create some uncertainty for CISOs who are looking to be well prepared.”

The Bill’s Timeline

The Bill is on its way, but it won’t arrive for a while. Following its introduction to Parliament in November, it will take time for both Houses to approve it before it’s written into law, says Crystal Morin, senior cybersecurity strategist at Sysdig.

Once the Bill is in force, the UK government intends to implement it in phases. Some parts, regarding future-proofing and post-implementation review, will come into force on day one, says Dixon.

Elements regarding information sharing and statement of strategic priorities will be implemented from month two following enactment. Other parts, for example, in relation to data centres and incident response, will be brought in via secondary legislation, says Dixon. “The measures coming into force via secondary legislation will be those that require further detail to be implemented and operationalised.”

Following the Bill’s first reading in November, the detailed obligations will be shaped through Committee Stage in early 2026, says Lewis. “Secondary legislation defining thresholds and sectors is expected mid-2026, with phased implementation likely across 2026 and 2027. Even so, the policy intent is settled. Organisations that wait for the final wording risk falling behind a regime designed to move quickly once enacted.”

CISO Actions 

Before the new laws arrive, firms should assess whether they are in scope. It’s imperative for CISOs to determine whether their organisations and providers or suppliers fall under the newly-regulated sectors, says Morin. For those already regulated under NIS 2018 or NIS2, this will be an extension of current strategies and should not be a huge operational burden, Morin says.

For those not previously covered under the regulations – any companies in the electric vehicles sector, for example – this may be “a more substantial uplift” in security planning, Morin says. “Talk to your industry peers, read available security leadership content and collect advice wherever you can. That will make the shift less daunting.”

One useful tool for CISOs is the National Cyber Security Centre’s Cyber Assessment Framework (CAF). “CISOs can use this as a roadmap to map their processes and security controls,” says Morin. “The CAF is the standard for audits and regulatory investigations, and they can save a lot of time by using it to guide their decisions.”

Those in scope should implement a robust risk management framework and ensure the board has visibility of cyber resilience, says Dixon. “Revisit your cyber risk management programme and document processes around threat identification and vulnerability management; patch management and secure configuration; access control and identity governance; and continuous monitoring and logging.”

As recent high profile cyber-attacks show, it is also crucial to conduct comprehensive supply chain risk assessments, Dixon says. “Where you find gaps, update your contracts to include minimum security standards and audit rights.”

Meanwhile, CISOs should update incident response plans to include a wider range of events and be able to meet the 24- and 72-hour reporting deadlines, says Morin. “They must also ensure their organisation has clear customer notification procedures in place in the event of a mandatory reporting incident. This is something where the security team must integrate with business operations.”

At the same time, organisations must prepare for the increased fines, says Dixon. “Once the Bill is enacted, look out for secondary legislation, codes of practice and guidance from regulators.”

Kate O'Flaherty, Cybersecurity and privacy journalist
