Cyber Security and Resilience Bill in Parliament 

On 12th November 2025, the Government introduced the Cyber Security and Resilience (Network and Information Systems) Bill in the House of Commons. This is an important development in the evolution of the UK’s cyber security regulation. The Bill is currently at the Committee stage.

The Bill was trailed in the King’s Speech of July 2024, and was followed by the Government publishing its Cyber security and resilience policy statement. The Bill is designed to update the existing Network and Information Systems Regulations 2018 to raise cyber resilience across key parts of the economy, and to give government and regulators more agile powers to respond to evolving threats. Amongst other things, it will expand cyber security regulation to cover more digital services and supply chains, and mandate increased incident reporting to improve the government’s response to cyber-attacks including where a company has been held to ransom. 

The Bill imposes new maximum penalties similar to GDPR levels. For more serious breaches, the maximum penalty is up to £17 million, or 4% of a regulated entity’s worldwide turnover, whichever is higher. For other breaches, the maximum penalty is up to £10 million, or 2% of a regulated entity’s worldwide turnover, whichever is higher. 

Key Provisions 

Expanded Regulatory Scope: The Bill will broaden the range of organisations and sectors under regulatory oversight, extending beyond essential services and digital providers to include a wider array of entities integral to national infrastructure.

Enhanced Regulatory Powers: Regulators will receive increased authority to ensure compliance with cyber security standards, including proactive investigation capabilities and mechanisms for cost recovery to support their activities.

Mandatory Incident Reporting: The Bill mandates comprehensive reporting of cyber incidents, notably ransomware attacks, to improve national threat assessment and response strategies.

Supply Chain Security: The Bill introduces measures to strengthen supply chain security, granting regulators the power to designate ‘Critical Suppliers’ whose services are integral to public sector operations.

Regulatory Oversight: The Information Commissioner’s Office will gain greater authority to investigate and enforce compliance among digital service providers, including those that supply technology to the public sector. The ICO recently published its response to the Bill.

For a detailed analysis of the Bill, read this article by law firm Clifford Chance. 

We have two workshops coming up (How to Increase Cyber Security in your Organisation and Cyber Security for DPOs) which are ideal for organisations who wish to upskill their employees about cyber security. See also our Managing Personal Data Breaches Workshop.