The government introduced the Cyber Security and Resilience Bill to Parliament for its first reading on 12 November 2025.
The Cyber Security and Resilience Bill will reform and add to the existing Network and Information Systems (NIS) Regulations 2018, to increase UK defences against cyber attacks, better protecting the services the public rely on to go about their normal lives – to switch on lights, turn on the tap for safe water, and know the NHS is there to support them.
The Bill will deliver a fundamental step change in the UK’s national security – making essential and digital services more secure in the face of cyber criminals and state actors who want to disrupt our way of life. Reforms will underpin greater economic stability, helping grow the economy for working people, by reducing business cost and disruption, and supporting investment.
Key provisions and impacts include:
Expanded Scope: The regulations are expanding beyond traditional operators of essential services to include Managed Service Providers (MSPs) and data centres. The government retains the power to add new sectors via secondary legislation.
Strict Incident Reporting: Organisations face significantly tighter reporting deadlines. Companies will be required to submit an initial notification of a harmful cyber breach within 24 hours, followed by a full report within 72 hours.
Stricter Enforcement: The legislation grants regulators and government authorities enhanced investigatory and enforcement powers, allowing them to tackle non-compliance more aggressively.
You can track the bill’s exact parliamentary progress and read the full text on the UK Parliament Cyber Security and Resilience Bill page. For a breakdown of how the changes will affect specific industries, check out the GOV.UK Cyber Security and Resilience Bill Publications.