On 12th November 2025, the UK government introduced the Cyber Security and Resilience (Network and Information Systems) Bill (‘the Bill') aimed at strengthening the cyber resilience of organisations within key sectors in the UK. The Bill responds to a recent increase in cyber threats and intends to modernise and expand the existing UK cybersecurity regime under the Network and Information Systems Regulations 2018 (the ‘UK NIS Regime').
The key change is that new categories of organisations, particularly managed service providers (‘MSPs') and those providing data centre services, will now be brought within the scope of the UK NIS Regime. Further, the UK government will be granted the power to impose the application of the UK NIS Regime on entities it considers ‘critical suppliers'.
The Bill is currently progressing through Parliament and is expected to become law in 2026. However, a number of requirements will be rolled out in phases via secondary legislation. The government has announced that consultations on these measures will also take place in 2026.
Pilar Arzuaga, Partner at McDermott, Will & Schulte, provides an overview of the new UK Cyber Bill and advises on what organisations need to do now in order to prepare
The Bill forms part of the government's broader strategy to enhance national cyber resilience, protect critical national infrastructure, and reduce systemic cyber risk across the economy. It reflects concerns expressed by UK regulators and government bodies that the current UK NIS Regime does not adequately capture the complexity of modern digital supply chains, nor the concentration of cyber risk arising from reliance on a small number of critical technology and service providers.
The Bill is also intended to bring the UK regime more closely into alignment with international standards and comparable frameworks, including the EU's NIS2 Directive, while retaining a UK-specific approach following Brexit.
What is the scope of the current UK NIS Regime?
As of today, the UK NIS Regime applies to the following types of organisation (if they meet the necessary conditions):
- organisations operating in the energy, transport, drinking water, and healthcare sectors;
- the following digital-infrastructure providers: Domain Name System (DNS) service providers, Internet Exchange Point (IXP) operators, and Top-Level Domain (TLD) Name Registry operators; and
- organisations providing the following digital services: online marketplaces, online search engines, and cloud computing services.
In practice, application of the current UK NIS Regime depends not only on the sector in which an organisation operates, but also on whether it meets certain thresholds and criteria relating to size, systemic importance, and the nature of the services provided in the UK. Where applicable, organisations may be designated as Operators of Essential Services (‘OES') or as Relevant Digital Service Providers (‘RDSPs'), each category carrying different but overlapping compliance and reporting obligations.
Which new entities will be covered by the UK NIS Regime once the Bill is enacted?
The Bill will expand the scope of the UK NIS Regime to include:
- data-centre operators and supporting infrastructure providers;
- MSPs that offer IT helpdesk and cybersecurity services; and
- entities referred to as ‘large load controllers' managing substantial electricity demand in the context of smart infrastructure or connected systems (e.g., to support electric vehicle (EV) charging during peak times).
In addition, the Bill will grant the UK government the power to impose the application of the UK NIS Regime to other types of companies (referred to as ‘critical suppliers'), to be designated by the UK government individually, if they meet the necessary conditions.
As announced in the policy papers accompanying the Bill, this power will be used to extend the application of the UK NIS Regime to those cloud suppliers operating in the UK healthcare sector that are not covered by it currently (the current UK NIS Regime excludes from its scope the smallest cloud computing service providers, i.e., those qualifying as micro or small enterprises).
The proposed ‘critical supplier' designation power is particularly significant, as it enables the UK government to respond dynamically to evolving cyber-risk landscapes and supply-chain dependencies. Rather than relying solely on sector-based classifications, regulators will be able to target individual organisations whose disruption could have a disproportionate or cascading impact on essential services, public safety, or economic stability. This may include technology vendors, software providers, infrastructure operators, or service providers that sit upstream of regulated entities and whose services are integral to the delivery of essential or digital services in the UK.
Are there any other changes?
Alongside extending the scope of the UK NIS Regime, the Bill will increase cybersecurity-related obligations by implementing:
- a broader definition of reportable incidents (including events with the potential to cause serious disruption);
- new two-stage incident-reporting obligations, with strict deadlines: initial notification within 24 hours, full report within 72 hours;
- a requirement to inform customers or users if their services/data are affected, if certain thresholds are met; and
- the UK government's ability to expand scope or update obligations over time via secondary legislation.
Finally, the Bill will also make changes to the enforcement framework by introducing the possibility of:
- fines of up to £17 million or 4% of global annual turnover (whichever is greater) for serious violations (including failures to notify reportable incidents);
- fines of up to £10 million or 2% of turnover (whichever is greater) for other material non-compliance (including failure to notify the competent authority of being designated as an operator of essential services (OES)); and
- periodic charges, daily fines, or additional enforcement measures where violations persist or where regulatory directions are ignored.
These enforcement powers represent a material increase in regulatory risk and bring the UK NIS Regime closer in severity to data protection enforcement under the UK GDPR. In addition to financial penalties, regulators will retain the ability to issue binding directions, conduct audits, and require remedial action. Senior management may therefore face increased scrutiny in relation to cyber-risk governance, decision-making, and accountability.
Cyber-security measures under the Bill
In addition to expanding the scope of the law and strengthening enforcement, the Bill reinforces existing expectations that in-scope organisations implement cybersecurity measures that are appropriate and proportionate to the risks they face. Rather than mandating a single technical framework, the Bill maintains a principles-based approach under which organisations are expected to assess risks to their network and information systems and to put in place technical and organisational measures that are suitable in light of their size, activities, and the importance of the services they provide.
Unlike the EU NIS2 framework, which provides for detailed technical and organisational requirements to be set through EU-level Implementing Acts, the Bill does not establish a single equivalent mechanism for prescribing uniform technical standards. Instead, it enables cybersecurity expectations to be clarified or updated over time through secondary legislation, codes of practice, and sector-specific guidance.
Further, the Bill reinforces the importance of managing cyber risk across supply chains and third-party relationships. Considering the role played by managed service providers, cloud services, and other suppliers in supporting essential and digital services, organisations may be expected to demonstrate how cyber risk is identified, assessed, and addressed not only within their own systems, but also in relation to key service providers.
Governance and oversight considerations
While the Bill does not introduce an explicit statutory requirement for senior management or boards to formally approve cyber-security measures, it strengthens the ability of UK authorities to assess compliance by reference to governance and oversight arrangements. This includes consideration of how cybersecurity risks are identified, escalated, and managed within the organisation, and whether responsibilities for cyber-security decision-making are clearly defined.
This governance-focused approach is consistent with broader international regulatory developments, which increasingly treat cyber resilience as an organisational risk rather than a purely technical issue. In practice, this may lead regulators to look more closely at whether cybersecurity measures are supported by appropriate internal processes, senior-level awareness, and documented accountability.
Organisations with operations in multiple jurisdictions may therefore find it helpful to ensure that cybersecurity measures are embedded within their broader governance frameworks, and that oversight and accountability arrangements are sufficiently clear to withstand regulatory scrutiny under different but related regimes.
How should you prepare?
Given the expanded scope, stringent reporting requirements and high potential penalties, organisations should consider taking these steps now:
- undertake a scope and exposure assessment to identify whether their services, infrastructure or supply-chain profile may bring them within the new regime;
- monitor the UK government's proposals for secondary legislation and take part in consultations on issues affecting your organisation or sector;
- start building or strengthening a cyber-resilience compliance programme, including incident-response capacity, vendor and supply-chain oversight, logging and monitoring, backup/recovery, and governance mechanisms;
- be ready to update contracts and SLAs to embed compliance obligations down the supply chain where relevant;
- prepare your business continuity and incident-response frameworks to meet the tight reporting deadlines (24h initial notification / 72h full report); and
- engage senior leadership or the board early: treat cyber resilience as a strategic imperative, not an IT-only concern.
Organisations with operations or customers across both the UK and EU should also consider alignment between UK NIS requirements and the EU NIS2 Directive, particularly where they are already investing in NIS2 compliance programmes. A coordinated approach may help reduce duplication, ensure consistency across jurisdictions, and support more efficient governance, reporting, and assurance processes.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.