Understanding the UK’s Cyber Security and Resilience Bill

What does this mean for your organisation?

Tim Robinson, Daniel Sibthorpe
18/11/2025
The UK government is taking steps to improve the country’s cyber defences through the introduction of the Cyber Security and Resilience Bill (the Bill), introduced to parliament on 12 November 2025.

This legislation aims to protect critical infrastructure, align standards with our European counterparts and ensure that organisations across sectors are equipped to withstand and respond to cyber threats.

The importance of the Bill

The origins of the Bill lie in the growing frequency and severity of cyber attacks targeting UK institutions. High-profile incidents in recent years have impacted hospitals, universities, government departments and even the Ministry of Defence, to name a few. A single ransomware attack on NHS systems in 2024 led to thousands of postponed procedures, highlighting the real-world consequences of digital vulnerabilities.

The existing Network and Information Systems (NIS) Regulations 2018, inherited from EU law, have proven insufficient both in scope and in their ability to adapt to evolving threats. In the European Union this has resulted in the development of the Digital Operational Resilience Act (DORA) and the NIS2 Directive. With cyber crime remaining a key area of concern for many organisations in the UK in 2025, the government recognised the urgent need for a more robust, domestically tailored framework, while ensuring we remain aligned with our European neighbours.

Key provisions organisations must consider

The Bill introduces important changes to legislation that will affect a wide range of organisations, particularly those involved in critical national infrastructure and those providing digital services. The key provisions included in the Bill are:

  • Expanded scope of regulation
    The Bill will bring more entities into regulatory scope, including Managed Service Providers (MSPs) and Data Centre Operators. These organisations often have significant access to client systems, making them prime targets for attackers.
  • Mandatory incident reporting
    Organisations will be required to quickly report a broader range of cyber incidents (both successful attacks and near misses), including ransomware attacks. This will help authorities build a clearer picture of the threat landscape and respond more effectively.
  • Strengthened regulatory powers
    Regulators will gain enhanced authority to investigate vulnerabilities proactively. Cost recovery mechanisms may also be introduced to ensure regulators have the resources needed to enforce compliance.
  • Supply chain security
    Organisations must ensure that their suppliers and partners also adhere to the new standards. This reflects the growing risk posed by supply-chain attacks, which have become a favoured tactic of cyber criminals in recent years.
  • Alignment with international standards
    While tailored to UK needs, the Bill draws inspiration from the EU’s NIS2 Directive, aiming to align incident reporting timelines and best practices across borders.

Repercussions of non-compliance

Failure to comply with the Cyber Security and Resilience Bill will carry serious consequences.

  • Financial penalties
    Non-compliant organisations may face substantial fines, especially if their negligence leads to a breach affecting public services or personal data.
  • Operational disruption
    A cyber attack resulting from poor security practices can significantly disrupt operations, damage reputation and cause a loss of customer trust.
  • Legal and regulatory action
    Regulators will have the power to investigate and enforce corrective measures, which could include audits, sanctions, or even criminal proceedings in severe cases.
  • Loss of business confidence
    Cyber security has increasingly become a key market differentiator given the growing importance of keeping data and information secure. Organisations that fail to meet the new standards may struggle to attract investment or retain clients.

Why acting now matters

The Bill introduces new safeguards for critical infrastructure in the UK and is an important step towards improving the cyber resilience of the organisations that support it. However, irrespective of industry, there are key lessons for all types of business to carry forward, such as stronger supply chain oversight and the ability to respond more effectively to incidents.

Rather than waiting for the Bill to pass, organisations should be proactive. Cyber security isn’t just a compliance issue; it’s become an essential part of business and operational continuity.

If you would like some further advice or support on preparing for the Bill, our Cyber Security consulting team is always available for a conversation to help ensure your organisation is effectively managing cyber risks and is prepared to respond in the event of an incident.

Contact us


Tim Robinson
Partner, Cyber Security and Counter Fraud
Daniel Sibthorpe
Director, Cyber Security and Counter Fraud, London