Comment & Opinion

The Cyber Security and Resilience Bill explained: Key implications for your business

Cyber threats are constantly evolving. With the Cyber Security and Resilience Bill expected to take effect in early 2026, planning ahead is essential to stay compliant and safeguard your business. From reviewing your supply chain to updating your incident response plan, we share practical steps to help you prepare.

The Government’s highly anticipated Cyber Security and Resilience Bill was introduced to Parliament on 12 November 2025 and proposes significant changes to the current NIS Regulations 2018 (NIS).

If passed, it’ll expand the scope of organisations that must comply with its security obligations by bringing new services into scope (load control, data centres and managed services). It will allow regulators to designate organisations as “critical suppliers” who then must observe specific security obligations. Not surprisingly, it also broadens the rights of the government to implement new cybersecurity regulations and requires regulators to comply with directions and information requests. There will be a new incident reporting regime and changes to the fines and penalties that can be imposed.

This reflects the government’s view that it needs proactive regulatory powers and the flexibility to deal with the ever-increasing sophistication of emerging security threats. The view is that the current regime is not robust enough to protect the country from these attacks, as evidenced in part by the disparity between the number of issues reported under the current NIS Regulations and the number of cyber attacks UK businesses have faced in the last year or so.

Current regulation

The current NIS regulations impose security and incident notification obligations on:

  1. Operators of essential services (OES) in energy, transport, health, drinking water and digital infrastructure.
  2. Online marketplace, cloud, and search engine providers (relevant digital service providers – RDSP).

In both cases you need to take appropriate and proportionate measures to manage the risks posed to the security of the networks and systems on which your services rely.

Proposed changes to NIS

If implemented, the changes will have significant implications for business. Here’s what you need to know:

  • Data centre services categorised as essential services: Certain data centre services (dictated by capacity) are now classed as essential services. If you operate these services, you’ll need to comply with obligations similar to those imposed on operators in the energy, transport, health, drinking water and digital infrastructure sectors. The relevant capacity level is set at 1 MW but rises to 10 MW where the data centre service is provided by an organisation for its own use.
  • New rules for large load controllers: If you control electrical load of more than 300 MW to and from energy smart appliances, you’re now in scope. This means you must meet NIS obligations because your services rely heavily on IT systems.
  • Clearer definition of cloud computing services: The current definition of cloud computing in NIS is vague and potentially applies more broadly than intended. A new definition has been added to make it clear that you are only in scope if your service is available to a wide range of businesses, offers a shared, scalable solution and is not a managed service.
  • Managed service providers now in scope: The Bill will impose obligations on medium and large managed service providers (RMSPs) which are the same as those currently applicable to RDSPs. For the purposes of the Bill, a managed service provider is an organisation that is contracted to manage IT systems for its customers on an ongoing basis and, in order to provide that service, needs to connect to its customers’ IT systems. Examples of the types of managed services that will be in scope are application management, IT helpdesk, and IT security. RMSPs will be required to register with the Information Commission.
  • Critical Suppliers: The Bill introduces a concept of “critical supplier”. You may be designated and regulated as a critical supplier if:
    • You supply goods or services to an OES, RDSP, or RMSP.
    • You rely on IT systems to do that.
    • A failure in those systems could disrupt essential services, digital services or managed services.
    • That disruption could significantly impact the UK economy or the day-to-day functioning of society in the UK.
    This is designed to protect critical supply chains into essential services and into digital and managed services. The obligations that critical suppliers will need to comply with (including security and incident reporting) will be set out in subsequent regulation.
    It is feasible that an organisation that is already regulated under the Bill as an RDSP or RMSP could be designated as a critical supplier later. If this happened, it would no longer be considered an RDSP or RMSP (as applicable) and would only be required to comply with the relevant critical supplier regulation.
  • Scope: If you operate essential services or offer relevant digital or managed services in the UK – even if you’re based outside the UK – you’re in scope. Public sector bodies are excluded from RDSP and RMSP obligations on the basis that the government is implementing its own cyber security plan.
  • Cost Recovery: You’ll need to pay periodic fees to regulators (including the Information Commissioner’s Office) to cover the cost of managing compliance under the new rules.
  • Tougher fines: The Bill includes a new fine regime. For breaches which are considered less serious, a fine can be imposed of the greater of £10 million or 2% of the relevant entity’s worldwide turnover. For more serious breaches the fines are set at the greater of £17 million or 4% of worldwide turnover. The more serious and less serious issues are categorised in the Bill.
  • Incident notification requirements: The incident notification obligations have been expanded and updated. Incident reporting will be done in two stages: an initial brief report to your regulator within 24 hours, followed by a fuller report within 72 hours of becoming aware of the incident. Under NIS you only have to report an incident if it has caused significant disruption to an essential or digital service, which does not necessarily capture incidents that might cause threats or compromises in the future. So under the Bill you must notify the relevant authority if a significant incident affects the IT systems on which an OES, RDSP, or RMSP relies. At the time of notification, a copy must be given to the National Cyber Security Centre (part of GCHQ).
  • Customer notifications: If you’re a Data Centre OES, RDSP, or RMSP and an incident occurs, you must take reasonable steps to identify and notify affected customers and consumers. Notifications must explain the incident and its impact. There are no timescales set out in the Bill in relation to the customer notifications.
  • Wide powers to introduce new regulations and request information: The government can impose new regulations to manage and reduce security risks. This power applies to IT systems that sit in the supply chains for OES, RDSPs, and RMSPs. Further, the power to make new regulations can extend to imposing requirements on OES, RDSPs, RMSPs and critical suppliers. There are wide powers under these sections of the Bill, including the ability to fine critical suppliers if they’re caught by new regulations. It’s not clear exactly what regulations may be imposed, but it seems reasonable to assume that they will be comparable to those imposed on RDSPs and RMSPs.
  • Transparency and information gathering: You may receive instructions from the Secretary of State if there’s a security threat which presents a risk to national security. Such an instruction must be necessary and proportionate to protect national security. There are also rights to request information, carry out inspections and impose non-disclosure obligations.

You must comply, provide information, allow inspections and maintain confidentiality or face fines:

  • Failure to comply: up to £17 million or 10% of worldwide turnover.
  • Failure to provide information or breach non-disclosure: up to £10 million, plus daily fines for ongoing breaches.

The Bill has completed its Committee Stage in the Commons. Key themes emerging from that stage are:

  • Ofcom will act as the sole regulator for data centres and data infrastructure.
  • There are ongoing concerns that the power to designate organisations as critical suppliers, bringing them under the legislation, and the power to enact secondary legislation create uncertainty for organisations. Organisations may be unclear as to whether they could be in scope, limiting their ability to plan and budget. They might be disinclined to offer technical services to OES in case they find themselves with a critical supplier designation at a later stage.
  • There is strong support for streamlining the cyber reporting obligations so that one organisation does not have to report to multiple regulators.
  • A number of amendments were tabled so that food supply chain, retail and manufacturing, local government and electoral infrastructure would be classified as essential services and fall under the scope of the Bill. These were rejected.

How you can prepare for the Bill

  • Determine whether the Act applies to your business or customers within your supply chain.
  • The Act is expected to come into force in 2026, so start planning for any necessary changes to business processes and systems.
  • If your business is already in scope of NIS, it’s time to review policies, governance and processes to ensure that you can comply with the new provisions if they are enacted.
  • If you’re a data centre provider or a managed service provider then you need to assess whether your business is likely to be brought into scope. If so, conduct a gap analysis to identify additional steps needed for compliance.
  • Consider whether your business could be designated a critical supplier and try to plan for how you could implement the necessary measures and processes. This is not an easy task.

Strengthen supply chain security

  • Review and update contract templates to include additional security provisions and risk management protections.
  • Consider whether additional obligations need to be placed on your supply chain to support compliance and determine how to implement these efficiently.

Revise incident response and reporting

  • Assign board level responsibility for cyber resilience and make key decisions about cyber response now, before an incident occurs.
  • Prepare for more extensive notification requirements by updating incident response processes.
  • Consider how notifications to customers will be managed.

Update training

Training staff on the new regulations and keeping them up to date with cyber threats and protocols for protecting business will be critical.
