The Cyber Security and Resilience (Network and Information Systems) Bill, which was announced by the government in the King's Speech following the last general election, was introduced to Parliament on 12 November 2025. The Bill will reform and add to the Network and Information Systems Regulations 2018, to increase UK defences against cyber attacks and protect essential public services.
The proposed laws will cover certain digital and essential services including healthcare, transport, energy and water. The following measures are proposed:
- Medium and large companies providing services like IT management, IT helpdesk support and cyber security to private and public sector organisations will be regulated. They will need to comply with clear security duties, including reporting cyber incidents promptly to government and their customers as well as having robust plans in place to deal with the consequences;
- Regulators will be given new powers to designate critical suppliers to the UK's essential services, meaning that they will have to meet minimum security requirements;
- Enforcement will be modernised, including tougher turnover-based penalties for serious breaches;
- The Technology Secretary will be given new powers to instruct regulators and the organisations they oversee to take specific, proportionate steps to prevent cyber attacks where there is a threat to UK national security. This includes requiring that they improve monitoring or isolate high-risk systems to protect and secure essential services.
Recent research shows that the average cost of a significant cyber attack in the UK is over £190,000. This amounts to around £14.7 billion a year across the economy – equivalent to 0.5 per cent of UK GDP.