The Cyber Security and Resilience Bill – what to expect

9th Oct 2025 | Data Protection | Services for business
On 1 April 2025, the government published a policy statement covering its proposed legislative changes and measures for the Cyber Security and Resilience Bill, expected to be introduced to Parliament in mid-to-late 2025.

The policy statement was then updated on 9 April 2025, introducing further changes that in-scope organisations must be aware of.

Rhiannon Hastings, data protection paralegal in Muckle LLP’s commercial team, answers some questions about how these changes might affect you.

What does the current legislation say?

The Network and Information Systems (NIS) Regulations 2018 are the UK’s legislation providing legal measures to enhance the security (cyber and physical resilience) of network and information systems.

The NIS Regulations 2018 are based on the EU’s original NIS Directive, which:

· requires the UK government to publish an NIS national strategy;

· imposes security and incident notification obligations on ‘in-scope organisations’ (for example, Operators of Essential Services (OESs) and Relevant Digital Service Providers (RDSPs)); and

· is enforced by the relevant sector regulators, for example the Information Commission (as it is now known following the implementation of the Data (Use and Access) Act 2025), which regulates RDSPs.

Whilst a first draft has not been introduced to Parliament, the Cyber Security and Resilience Bill is anticipated to build on the NIS Regulations 2018 by incorporating some of the EU’s new NIS2 Directive (which updates the EU’s original NIS Directive). It is also set to include research captured by consultations carried out by the previous government.

Who does the Cyber Security and Resilience Bill apply to?

Given the Cyber Security and Resilience Bill is anticipated to build on the NIS Regulations 2018, in-scope organisations such as OESs and RDSPs will be required to comply with the legislation. It’s important for these organisations to make themselves familiar with the proposed changes to stay compliant.

It’s also expected that the Cyber Security and Resilience Bill will require managed service providers (MSPs) and either data centres above 1MW capacity or enterprise data centres (i.e. organisations solely managing the IT needs of their own business) above 10MW to comply with the same obligations.

What are the key changes?

The Cyber Security and Resilience Bill is anticipated to update and enhance the current incident reporting requirements for in-scope organisations by introducing a two-stage reporting structure for cyber incidents, namely:

· notifying their regulator and the National Cyber Security Centre (NCSC) within 24 hours of becoming aware of an incident; and

· providing a detailed report to the regulator and the NCSC within 72 hours of that notification.

Widening the scope of cyber incidents

Under the NIS Regulations 2018, in-scope organisations are only required to report cyber incidents if they interrupt the continuity of the essential or digital services. The Cyber Security and Resilience Bill is anticipated to widen this by covering cyber incidents that are capable of having a significant impact on the provision of the essential or digital services and that significantly affect the confidentiality, availability and integrity of the system. It also introduces a transparency obligation which will require in-scope organisations to alert the affected customers.

Greater powers of enforcement

Similar to the Data (Use and Access) Act 2025, the Cyber Security and Resilience Bill will widen the regulators’ powers of enforcement (for example, serving information notices) as well as enhancing their oversight of cyber risks.

The Information Commission will have more authority to collect information from in-scope organisations, enabling it to take a more proactive approach to enforcement, to mitigate risks and to prevent further cyber attacks.

The government also intends to improve the regulators’ cost recovery regime. This may include better enforcement-related cost recovery and may also allow regulators to set a fees regime and place a duty on regulated entities to pay the fee, ensuring that the costs of an increased regulatory burden do not fall on the taxpayer.

Staying compliant

It’s important for MSPs and for data centres subject to the MW thresholds to understand the new obligations the Bill may impose and how these fit with the existing, similar obligations under other regimes, such as UK data protection legislation.

If you would like to take a look at the government’s Cyber Security and Resilience Policy Statement, please follow the link here.

For more information on how the Cyber Security and Resilience Bill might affect your organisation, please contact Rhiannon Hastings via [email protected].
