On 1 April 2025, the UK Government published a policy statement providing further details of the UK’s proposed new Cyber Security and Resilience Bill.
This new Bill will extend the scope of the UK cyber security regulatory framework and in many respects mirrors the EU’s upgrade of the NIS regime with the introduction of the NIS2 Directive.
What are the key changes?
UK law already reflects the original NIS (Network and Information Security) regime which was introduced in the EU in 2016 when the UK was still part of the EU. The new Labour Government announced the introduction of new cyber security legislation in the King’s Speech on 17th July 2024.
Amongst the changes planned are the following:
- More IT service providers in scope: The new Bill will expand the scope of the legislation to cover managed service providers (MSPs). The formal definition of MSPs will encompass a significant number of B2B IT service providers. The government is still working on its formal definition of MSPs but estimates that an additional 900-1100 MSPs will come within the scope of the new regime. How it arrived at a fairly precise estimate without having settled on a precise definition is, so far, unexplained. The government also intends to include in the Bill a provision allowing the Secretary of State to widen the scope of the legislation without going back to Parliament.
- Tight incident reporting deadlines: The new Bill will also introduce a two-stage reporting structure. When a significant incident occurs, in-scope companies will have to make an initial report within 24 hours, and another more detailed report within 72 hours of the incident. Reports will also have to be made to NCSC (National Cyber Security Centre) as well as the relevant regulator. In some circumstances customers will also have to be told. The policy paper has specifically referenced its similarities with the NIS2 incident reporting timelines.
- More powers for the ICO: The new Bill aims to enhance the powers of the Information Commissioner’s Office (ICO, the main data protection authority in the UK) to gather information and serve notices, and to expand the duty of certain firms to share information with the ICO. The ICO will also be the enforcement body for MSPs under the Bill. It is worth mentioning that another Bill, the Data Use and Access Bill, plans to replace the current Information Commissioner with a more board-like Information Commission, in a similar vein to Ireland’s replacement of its Data Protection Commissioner with a Data Protection Commission.
- Data Centres: The government is currently considering whether data centres will be explicitly classified as critical national infrastructure in the Bill. If they are they will attract more regulatory oversight.
- Critical Services Providers: The Bill will include new powers for regulators to designate a supplier as a designated critical service provider (DCS) “if the supplier’s goods or services are so critical that disruption could cause a significant disruptive effect on the essential or digital service it supports.” A DCS could be an SME even if it would be too small to fall under the UK’s existing NIS regime. This might mean that some smaller businesses come within the regime for the first time. It may also give regulators the power to single out some organisations for particular scrutiny.
- Making the regulated contribute to their regulation: The Bill will include an enhanced registration regime. The intention seems to be that the system will “reduce the need to pass regulatory costs to the taxpayer” with organisations paying registration fees to support the regulatory regime. New powers are proposed for the ICO to enforce the payment of registration fees. The power to raise more money in registrations, coupled with the ability to designate even a micro business as a DCS could mean a significant financial burden for some organisations. The government says “This regime is intended to ensure that regulators operate at cost and are able to carry out the full extent of their functions.”
What about the relationship with NIS2?
Because of Brexit, the EU’s first Network and Information Systems Directive (NIS1) applied to the UK, while NIS2 does not. This Bill’s goal is to extend and strengthen the existing cyber security framework, and in effect it will act as the UK’s equivalent of NIS2. Many providers of digital services or B2B IT services who offer services in both the UK and the EU will already have started incorporating NIS2 compliance into their policies and procedures.
In our view the effort to harmonise some aspects of the new Bill with NIS2 is to be welcomed – differing regimes with different reporting requirements add complexity. It is important to remember that for many organisations, resources are finite. We know that some organisations have taken front-line resources away from cyber security to look at their obligations under NIS2 and additional new EU legislation, so a key task for the Government will be to introduce measures which add strength to the UK’s cyber security resilience without simply adding administration.
Technology minister Peter Kyle has spoken about the relationship with NIS2 saying that: “Our legislative proposals reflect the insights we have gathered from our international partners, including valuable lessons from the European Union on the implementation of its NIS2 regime.”
What’s missing?
There are still some questions to be answered about the Bill including:
- Personal liability: An increasing focus of law makers, prosecutors and regulators around the world has been personal liability for failure. NIS2 allows for personal liability provisions, although some EU Member States have opted out. It is not yet clear whether the UK plans also include personal liability for failure to meet obligations set out in the Bill. There’s a discussion on personal liability trends in the Life with GDPR podcast at Life With GDPR: Navigating CCO and CISO Liability Trend.
- Penalties: The government seemed initially to be proposing fines of up to 10% of ‘relevant turnover’. This however isn’t now mentioned in the policy statement and it is unclear what the penalties will be for non-compliance.
- Reporting authority: Currently, under the UK’s NIS regime, there are 12 different regulators responsible for enforcing the regime, including general data regulators like the ICO and sector-specific regulators like the Civil Aviation Authority. It seems that the government does intend to adopt the same approach with the new legislation, although again with power for the Secretary of State to change the regime without going back to Parliament. If the same regime continues, resourcing will be key, given criticism of the lack of resources at some regulators, including the ICO. The ICO admitted that it was failing to meet some KPIs in its statement on 1 April 2025. Allowing regulators to collect greater registration fees is unlikely to help with the current resourcing issues in the short term, as resources will be needed to collect and enforce those fees.
What happens next?
A draft Bill is expected to be presented for parliamentary scrutiny in 2025.
What can businesses do to prepare?
Some practical tips to keep in mind:
- Monitor developments with the Bill to work out the likely scope and impact on your organisation.
- Look at your processes & procedures: Most organisations now have a data breach reporting procedure to meet GDPR reporting deadlines. Like NIS2, the proposed new reporting obligations have tighter time limits and are likely to be wider in nature. Make sure that your procedures reflect this. While doing this review, you may also want to review any additional reporting requirements, e.g. those under DORA or the EU AI Act.
- Train your people.
- Look at your response team. Make sure that you are ready to report within 24 hours when required.
- Rehearse incidents: Our experience shows us that organisations which regularly rehearse cyber security incidents handle them more effectively.
- Look at & amend supplier contracts: You may need suppliers to tell you more quickly about incidents given your reporting obligations.
- Look at the technical and organisational measures (TOMs) you use to keep secure: As technology moves on you’ll need to check you’re still best placed to defend your organisation from current threats, including AI based threats. NCSC has information on current risks (see NCSC Annual Review 2024) and practical guidance on prevention.
- Tell the board & audit committee about any increased liability, and make sure you have people on the board who understand the requirements of the Bill and cyber security risk more generally.
Further information
There is more information on Punter Southall Law’s cybersecurity practice at Cyber Security Lawyers.
The policy statement can be seen at: Cyber Security and Resilience Bill: policy statement.
The ICO statement on KPI failures can be found at Statement from the ICO on data protection complaint response times.