ARTICLE
4 March 2026

Cyber Security And Resilience Bill Progresses Through Parliament

M
Macfarlanes LLP

Contributor

Macfarlanes LLP logo
Macfarlanes is a pre-eminent law firm advising a global client base across Private Capital, Private Wealth, M&A and Disputes. We are large enough to handle the most complex and demanding mandates yet focused enough to remain agile and responsive. Our size enables us to know each other well, collaborate seamlessly and adapt quickly to our clients’ evolving needs. Our independence shapes the way we work. We foster genuine partnership, encourage individual responsibility and empower our people to think creatively in pursuit of practical, effective solutions.
Explore Firm Details
The Cyber Security and Resilience (Network and Information Systems) Bill is making its way through Parliament, with MPs currently picking apart the details in the committee stage.
United Kingdom Technology
Tom Crowe and Martha Campbell
Macfarlanes LLP are most popular:
  • within Strategy topic(s)

The Cyber Security and Resilience (Network and Information Systems) Bill is making its way through Parliament, with MPs currently picking apart the details in the committee stage.

The Bill builds upon the foundation laid by the Network and Information Systems Regulations 2018 (the NIS Regulations), the rules that currently underpin cyber security for critical infrastructure and digital services. If it passes, organisations should expect a wider net of businesses brought within the scope of the regulations, tighter cyber incident reporting rules, and beefed-up enforcement powers for regulators.

A quick refresher on the current rules

The NIS Regulations came into force back in May 2018, bringing the EU's NIS Directive into UK law. They were part of the Government's push to bolster the UK's cyber defences, recognising that the networks running our hospitals, power grids, and banking systems were increasingly in the crosshairs of attacks by cyber threat actors. The rules created security and reporting duties for two main groups: operators of essential services (transport, energy, water, health and digital infrastructure) and digital service providers (such as online marketplaces, search engines, and cloud computing platforms). The basic idea? These organisations are required to take appropriate and proportionate measures to manage risks to the security of their network and information systems, and to notify the relevant competent authority of any incident having a significant impact on the continuity of their services.

What's changing?

In light of evolving cyber threats, and in order to keep pace with legislative developments in other jurisdictions (like the EU), the UK Government is aiming to uplift their cyber laws. Following post-implementation reviews of the NIS Regulations conducted by the Government in 2020 and 2022, the Cyber Security and Resilience Bill was announced in the King's Speech in July 2024. It was formally introduced to Parliament in November 2025 and is now being scrutinised by MPs. The Bill amends and expands the existing framework established by the NIS Regulations rather than replacing it entirely. This differs from the approach taken by the EU, which replaced the original NIS Directive and its previous categories of regulated entities wholesale with NIS2, introducing new terminology and bringing an increased focus on supply chain management. However, in practice, both the UK Bill and the EU's NIS2 aim to achieve the same objectives: more robust cyber regulation by expanding the categories of regulated entities, enhancing transparency and oversight in respect of cyber breaches, and bolstering regulator enforcement.

So what changes are actually proposed in the Bill? For starters, an increased scope for the existing NIS framework, with more organisations brought within its remit. Medium and large managed service providers, data centres above certain size thresholds, large-scale electricity load controllers (300MW or more), and "critical suppliers" (those whose systems, if compromised, could cause serious disruption to the economy or society) will all come under the regime for the first time.

Reporting rules would also be stricter under the Bill's proposals. If hit by a cyber breach "having, or capable of having an actual adverse effect on the operation or security of network and information systems", organisations within its scope would need to notify regulators within 24 hours, with a full report due within 72 hours. This goes further than the current notification requirements under the NIS Regulations, which presently only mandates notification of incidents actually having an adverse effect on the security of network information systems within 72 hours of the regulated entity becoming aware of the incident.

The Bill is also likely to provide regulators with greater flexibility to respond to emerging threats. In particular, it is envisaged that the Secretary of State would have new powers to update the NIS Regulations without going through the full parliamentary process and to direct organisations to act in response to national security threats.

The penalties for organisations failing to comply are significant. The Bill amends the penalties regime under the NIS Regulations by replacing it with higher penalties for non-compliance, including:

  • for less serious breaches, a standard maximum penalty of:
    • where the person is an "undertaking" (the definition of which has not yet been set out in the Bill or regulations), £10m or 2% of worldwide annual turnover; and
    • in all other cases, £10m;
  • for more serious breaches, a higher maximum penalty of:
    • where the person is an "undertaking", £17m or 4% of worldwide annual turnover; and
    • in all other cases, £17m;
  • for failure to comply with national security directions, up to £17m, or if regulations are in force, the greater of £17m and 10% of the worldwide turnover of the undertaking; and
  • a power exercisable by regulators to impose daily fines of up to £100,000 for continuing contraventions.

What this means for businesses

The Public Bill Committee is expected to wrap up its work by early March 2026, after which the Bill is anticipated to move through its remaining parliamentary stages. The Government has been clear it intends UK cyber law to sit more comfortably alongside international frameworks, particularly the EU's NIS2. This means that businesses caught by the expanded scope of the regulations will need to prepare for enhanced cyber security and incident reporting compliance obligations. It's not just about an organisation's own systems - supply chains matter too. The Government has indicated its intention to use the powers conferred by the Bill to enact secondary legislation addressing supply chain cyber risks. This secondary legislation may require certain regulated entities to adopt additional measures, such as contractual requirements, security checks, or continuity plans, to mitigate risks arising from their supply chains. In the lead up to the Bill becoming law, organisations should consider whether existing supplier contracts reflect cyber security best practice and adequately support compliance with evolving cyber security requirements, rather than leaving them exposed to potential enforcement action by regulators down the line.

Macfarlanes is a pre-eminent law firm advising a global client base across Private Capital, Private Wealth, M&A and Disputes.

Visit our website to learn more about our services and how we can assist.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

[View Source]
Authors
Photo of Tom Crowe
Tom Crowe
Photo of Martha Campbell
Martha Campbell
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More