Rachael Gibbons and Rory Coutts pick out the key points of the Cyber Security and Resilience Bill currently in Parliament.
The Background to the New Bill
On 12 November, the Government introduced the Cyber Security and Resilience Bill (“Bill”) to Parliament to update the UK’s current cybersecurity law, The Network and Information Systems Regulations 2018 (UK NIS 1). The Bill is part of a wider strategy to align the UK’s cyber security regime with international approaches – particularly the EU’s NIS 2 Directive (EU NIS 2) – and to raise overall UK cyber resilience. In effect, the Government proposes a “UK NIS 2”, which will cover new sectors and organisations, introduce enhanced obligations, and grant greater enforcement powers.
This legislative push is driven by a challenging threat landscape. The UK’s technical authority, the National Cyber Security Centre (NCSC UK), in publications like its NCSC Annual Review 2025, has repeatedly warned of converging risks: escalating threats, vulnerabilities in digital supply chains, and outdated defences. The Review noted a sharp 50% year-on-year increase in “highly significant” cyber incidents for the third straight year and cited major ransomware attacks on UK brands like Co-op Group and Marks & Spencer.
This challenging landscape is mirrored globally by a growing regulatory focus on ransomware, seen in measures like Australia’s Cyber Security Act (2024) and the draft US Cyber Incident Reporting for Critical Infrastructure Act (expected 2026). While these international regimes tend to focus on mandatory post-payment transparency and reporting, the UK is considering charting a more restrictive course. The UK’s consultation (which closed in April 2025) even explored introducing pre-payment controls for all organisations and a targeted payment ban for public sector bodies and Critical National Infrastructure operators, directly weaving the ransomware threat into the UK’s broader legislative update. This difference in approach highlights a crucial policy question: is the regulatory goal transparency after the event, or proactive control over the flow of funds to criminal groups? For a more detailed breakdown of the UK’s ransomware proposals, see UK Government Ransomware Legislative Proposals: An Explainer.
Expanding the Scope and Definitions
The Bill’s core focus is on defining and regulating relevant digital service providers (“RDSPs”), relevant managed service providers (“RMSPs”), operators of essential services (“OES”) and their dependencies, expanding the scope of services currently caught by UK NIS 1 to align more closely with EU NIS 2.
| Service Category | Key Considerations |
|---|---|
| Cloud Computing Services (CCS) | Cloud computing services are already in scope under the current UK NIS 1 Regulations as RDSPs but would be covered by an updated definition. Current technical guidance, which often references delivery models like SaaS, PaaS, and IaaS, is no longer fit for purpose because nearly every modern digital service is offered on a SaaS basis. This risks an overly broad interpretation that could capture all applications, not just infrastructure. The Bill has an opportunity to clarify this definition so that organisations and regulators can distinguish between a true CCS (infrastructure/platform) and a standard application that merely happens to be cloud-hosted. This also feeds a significant industry challenge, the ‘Regulatory Overlap Problem’: similar or identical definitions of “Cloud Computing Service” are used across the entire framework—not only in UK/EU NIS (focused on security and resilience), but also in horizontal regulations like the Digital Markets Act and Data Act (focused on competition, access, and data portability). This forces organisations to comply with the same term applied to instruments aiming at radically different regulatory goals, leading to friction, complexity, and contradictory compliance requirements. |
| Managed Service Providers (MSPs) | The Government expects the Bill will bring approximately 500-1,000 MSPs into scope as relevant managed service providers (“RMSPs”), aligning with EU NIS 2. The NCSC Review highlights the ongoing vulnerability of the supply chain, reinforcing the legislative need to regulate MSPs due to the access they have to critical customer systems. The definition of a managed service currently proposed is a service which: (i) is provided to another organisation (i.e., not in-house services provided within the same legal entity); (ii) is for the provision of ongoing management of information technology systems for the customer (whether in the form of support and maintenance, monitoring, active administration or other activities); and (iii) relies on the use of network and information systems to deliver the service. However, it is currently unclear whether the definition is intended to cover intra-group relationships between service providers and other group entities. |
| Designated Critical Suppliers (DCS) | The Bill envisages a high threshold for DCSs that have to be designated as such—only those who supply OES, RDSPs, or RMSPs and whose disruption would cause a “significant impact on the economy or the day-to-day functioning of society in the whole or any part of the United Kingdom”. |
| Data Centres | Data centres above a certain capacity threshold would be in scope as OESs, aligning with the EU NIS2 Directive. This inclusion follows the official designation of data centres as Critical National Infrastructure (CNI) and the NCSC’s subsequent work to help shape the government’s understanding of cyber risk to that sector in advance of the Bill’s implementation. |
Implications of an Expanded Scope
A crucial implication is the need for clarity on scope under the new regime. A look at EU NIS 2 shows some areas where organisations have struggled. For example, the definition of ‘managed service providers’ has raised questions. Many SaaS vendors would appear to be both ‘cloud computing service providers’ and ‘managed service providers’ given the nature of their services, but this dual classification seems unnecessary given that the regulatory obligations are almost identical. Whilst the Bill’s definitions attempt to draw distinctions between these services, we expect that organisations will continue to grapple with how their services are classified under the Bill. It is also not clear whether an entity providing intra-group IT services should be a ‘managed service provider’.
EU NIS 2 sets out both a general test for when an incident is a ‘significant incident’ (and therefore must be reported) and specific tests for different categories of the ‘essential entities’ covered by EU NIS 2. One would hope that the Bill will do the same given the expanded scope of reportable incidents. However, EU NIS 2 does not reference geographical impact when deciding if an incident is reportable, meaning an organisation based outside of the EU but subject to EU NIS 2 could have to report a ‘significant incident’ that occurred outside of the EU and has no impact on services provided inside the EU. Limiting incident reporting to incidents that have an impact on users within a country prevents extraterritorial overreach and ensures that regulators act within their own legal mandate, while enabling efficient risk management and ensuring that regulators are only provided with relevant, actionable information on incidents. The Bill should be clearer on this point to reflect a focus on a proportionate and workable incident response framework (for corporations and regulators alike).
The European Commission is already looking at simplifying reporting obligations under EU NIS 2, the Digital Operational Resilience Act (DORA), and the Cyber Resilience Act as part of its upcoming Digital Omnibus. For multinational organisations that will be subject to the new UK law as well as European legislation, it would be helpful if scope and reporting requirements diverged from EU requirements only after assessing whether a specific EU requirement is not fit for purpose (whether because it does not achieve its goal or because it creates too much of a regulatory burden for the industry). Even for organisations only subject to laws in the UK, there is the possibility of different reporting requirements across the Privacy and Electronic Communications Regulations, UK GDPR and the new Bill, alongside sector-specific requirements such as those in the FSA Handbook.
The Impact Assessment to the Bill states that it reflects insights from international partners, including lessons learnt from the implementation of EU NIS 2. As and when the Bill is published it will be interesting to see how and to what extent the Government’s approach reflects these insights in order to achieve the aim of strengthening the UK’s cyber defences.
Under the existing UK NIS 1, and the EU NIS 2, some organisations have struggled when it comes to intra-group services which might be deemed to meet the technical definition of a regulated service but which are not actually commercially offered on the market. For example, centralised management of IT security could be deemed to fall into scope of a widely interpreted MSP definition but may not be offered externally outside of the corporate group.
For good reason, under telecoms law the UK maintains a regulatory distinction between the provision of public infrastructure on the one hand and internal, private infrastructure on the other. Where electronic communications networks or data centres are not commercially offered to third parties but used exclusively for an organisation’s own services, there is no need to regulate directly. Instead, business continuity and security risk are addressed by the regulation of the relevant in-scope service which is underpinned by that private infrastructure. For private networks, the core principle is that the regulated service is in scope, not the network. We anticipate and welcome further guidance.
The principle of legal certainty requires laws to be made clear so that all subject to it can manage their affairs with certainty. As the Bill expands the scope of UK NIS 1, legislative care should be given to remove ambiguity as to whether the intent is to regulate intra-group services or not. For instance, in Singapore, amendments to the country’s Cybersecurity Act in 2024 to include any data centre facility service explicitly “excludes a service provided from a facility which is owned by the sole party using the service”. We expect it is more effective to maintain historic practice and regulate the service in scope that is offered on the market instead of the whole corporate group and would advocate that this be expressly provided for in the Bill or through regulatory guidelines.
Enhanced Cybersecurity Risk Management and Incident Reporting Obligations
The Bill outlines plans to enhance requirements for organisations that are subject to UK NIS 2, pushing for a more robust risk-based approach to cybersecurity risk management.
- Supply chain duties: The Government would be given powers to set duties on in-scope organisations to manage their supply chains. The NCSC Annual Review 2025 emphasises the need to enforce security across the ecosystem, noting that ransomware continues to be the most immediate, disruptive threat to Critical National Infrastructure (CNI) sectors, often exploiting vulnerabilities in supply chains.
- Technical requirements: The Bill aims to ensure the statutory framework will enforce best practice against the most current threats. For example, the Bill plans to place the NCSC’s Cyber Assessment Framework (“CAF”) and technical standards on a stronger statutory footing, aligning them with the more granular requirements under EU NIS 2. The NCSC proactively released CAF v4.0 in August 2025 with significant updates to ensure it remains relevant, including new sections on secure software development, security monitoring/threat hunting, and coverage of AI-related cyber risks. There should also be clarity on whether or not the UK will adopt a similar approach to EU NIS 2, with detailed implementing regulations that set more granular obligations for organisations in scope, or how far the Secretary of State will use powers under the Bill to set a code of conduct which might set more detailed expectations for organisations.
- Post-Quantum Cryptography (PQC) and Cryptographic Agility: The Bill will expand the scope of the legislative mandate to ensure “appropriate and proportionate” security measures for critical entities (including those in the supply chain). While the Bill may not explicitly name PQC, this expansion could effectively place the technical and risk-based requirements of the NCSC’s PQC roadmap on a regulatory footing. The NCSC Annual Review 2025 confirmed the publication of the three-phase migration timeline (with a complete transition target of 2035) and explicitly stated that these timelines “will underpin the work within government and regulated sectors to enable a smooth migration.” A core recommendation for successful PQC migration is enabling Cryptographic Agility, the principle that requires systems to be able to switch or upgrade algorithms seamlessly, which is necessary to future-proof digital infrastructure and is a direct goal of both UK and EU roadmaps.
- Incident reporting: A two-tiered reporting timeframe is planned (24 hours and 72 hours), aligning with EU NIS2. The NCSC Annual Review 2025 provides the rationale for this urgency by detailing that the exploitation of legacy system vulnerabilities and complex attacks requires rapid coordination.
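The cryptographic agility principle described in the PQC bullet above is easiest to see in code. The following is an added example, not code from the article or from the NCSC roadmap: it shows one common design for agility, an envelope that carries an algorithm identifier alongside the protected data, backed by a registry whose lifecycle status (current, deprecated, retired) controls which algorithms may create new protection and which may only still verify old data during a migration window. The registry contents, status labels and `DEMO_KEY` are constructed for illustration; HMAC stands in for whatever primitive is being migrated, since the same pattern applies to signature and key-exchange algorithms.

```python
"""Cryptographic agility demo: algorithm-tagged authentication envelopes.

Added example (not from the original article). The algorithm registry,
status labels and DEMO_KEY are constructed for illustration.
"""
import base64
import hashlib  # noqa: F401  (digest names below resolve through hashlib)
import hmac

# Registry of algorithm identifiers. The identifier travels with every
# protected message, so a verifier never has to assume which algorithm
# produced a tag. The status drives policy:
#   current    - used for new protection and accepted for verification
#   deprecated - accepted for verification only, so stored data still
#                validates during the migration window
#   retired    - rejected outright, even for verification
# A future entry such as a post-quantum signature scheme would be added
# here; callers do not change because nothing below hard-codes an algorithm.
ALGORITHMS = {
    "hmac-sha256": {"digest": "sha256", "status": "current"},
    "hmac-sha1":   {"digest": "sha1",   "status": "deprecated"},
    "hmac-md5":    {"digest": "md5",    "status": "retired"},
}
CURRENT_ALG = "hmac-sha256"

DEMO_KEY = b"constructed-demo-key-do-not-reuse"  # constructed sample secret


def approved_for_new_protection(alg: str) -> bool:
    """Only 'current' algorithms may protect new data."""
    entry = ALGORITHMS.get(alg)
    return entry is not None and entry["status"] == "current"


def compute_tag(key: bytes, alg: str, payload: bytes) -> bytes:
    """Bind the algorithm identifier into the MAC input, so a tag cannot be
    relabelled as belonging to a different (weaker) algorithm."""
    digest = ALGORITHMS[alg]["digest"]
    return hmac.new(key, alg.encode() + b"\x00" + payload, digest).digest()


def raw_envelope(key: bytes, alg: str, payload: bytes) -> dict:
    """Build an envelope without any policy check. Used here only to
    simulate records protected before the migration started."""
    return {
        "alg": alg,
        "payload": base64.b64encode(payload).decode(),
        "tag": compute_tag(key, alg, payload).hex(),
    }


def protect(key: bytes, payload: bytes, alg: str = CURRENT_ALG) -> dict:
    """Protect new data; refuses deprecated and retired algorithms."""
    if not approved_for_new_protection(alg):
        raise ValueError(f"algorithm {alg!r} is not approved for new protection")
    return raw_envelope(key, alg, payload)


def verify(key: bytes, envelope: dict) -> bool:
    """Verify an envelope under the policy. Malformed input, unknown or
    retired algorithms, and bad tags all return False rather than raising."""
    entry = ALGORITHMS.get(envelope.get("alg"))
    if entry is None or entry["status"] == "retired":
        return False
    try:
        payload = base64.b64decode(envelope["payload"], validate=True)
        expected = bytes.fromhex(envelope["tag"])
    except (KeyError, TypeError, ValueError):  # binascii.Error is a ValueError
        return False
    return hmac.compare_digest(compute_tag(key, envelope["alg"], payload), expected)


def migrate(key: bytes, envelope: dict) -> dict:
    """Re-protect a still-valid legacy envelope under the current algorithm."""
    if not verify(key, envelope):
        raise ValueError("envelope failed verification; refusing to migrate")
    return protect(key, base64.b64decode(envelope["payload"]))


def sample_store() -> list:
    """Constructed sample of stored records from before and after a migration."""
    return [
        protect(DEMO_KEY, b"record-1"),                    # already current
        raw_envelope(DEMO_KEY, "hmac-sha1", b"record-2"),  # legacy, still verifiable
        # Retired algorithm: rejected before any tag is computed, so a dummy tag
        # is enough to represent it here.
        {"alg": "hmac-md5", "payload": base64.b64encode(b"record-3").decode(),
         "tag": "00" * 16},
    ]


def migrate_store(key: bytes, store: list) -> tuple:
    """Walk a store once: re-protect verifiable legacy records under the
    current algorithm and report records that can no longer be trusted."""
    migrated, rejected = [], []
    for env in store:
        if not verify(key, env):
            rejected.append(env)
        elif env["alg"] != CURRENT_ALG:
            migrated.append(migrate(key, env))
        else:
            migrated.append(env)
    return migrated, rejected


if __name__ == "__main__":
    ok, bad = migrate_store(DEMO_KEY, sample_store())
    print(f"migrated/kept: {len(ok)} records, rejected: {len(bad)} records")
    print("algorithms now in use:", sorted({e['alg'] for e in ok}))
```

The design choice worth noting is that `compute_tag` mixes the algorithm identifier into the MAC input, so the identifier is authenticated rather than merely advisory; without that, an attacker who could downgrade the label could force verification under a weaker registered algorithm. The `migrate_store` sweep is the operational half of agility: a migration window during which deprecated algorithms still verify lets stored data be re-protected gradually rather than in one cut-over.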
Additional Enforcement and Oversight Powers
The Government also intends to revamp the powers of the Secretary of State and regulators, and the fees for registering as an in-scope provider. This enhanced oversight and greater power to impose penalties aligns with the NCSC’s call to action, which urges organisations to “prioritise cyber risk management, embed it into your governance, and lead from the top.”

Rachael Gibbons is an Associate General Counsel at Meta, advising on global cybersecurity, information security and investigations matters. Prior to Meta, Rachael was an Associate in the Technology group at Baker & McKenzie in London.

Rory Coutts is an associate working in Bird & Bird’s cybersecurity, telecoms, and data protection practices. Rory specialises in digital regulation and commercial matters and has a keen interest in policymaking. Before qualifying as a lawyer, he worked in government affairs in Brussels and London.