Thursday 13 Nov 2025 @ 14:05
techUK
Printable version

What are the key areas of focus of government’s Cyber Security and Resilience Bill?

The measures set out in the Cyber Security and Resilience (Network and Information Systems) Bill, as Minister Narayan’s Written Statement states, ‘respond to the threat we face – protecting the public at home, putting national security first, and making the UK a safe and confident place to do business’.

Broadly, the measures are part of three key areas of reform: (1) expanding the regulatory scope; (2) empowering regulators and enhancing oversight; and (3) ensuring an adaptive regulatory landscape to respond to the evolving threat landscape. We highlight the key aspects for members below.

An expanded scope

Similarly to the NIS Regulations in 2018, the Bill’s scope will focus on the UK’s essential services or the sectors where their disruption would have an affect on daily lives – such as NHS, transport and energy. The Bill will also go further bringing Managed Services Providers (MSPs), load controllers, designated critical services and data centres into scope.

1. Managed Service Providers (MSP): Large and medium MSPs will be brought into scope of the regulation. Many companies now outsource their IT services to MSPs, who provide essential services such as IT helpdesks and cyber security services. These companies have access to their customers’ systems – making them a clear target for cyber attacks. You can access the fact sheet for relevant digital providers here.

An MSP is defined as a service which:

  • is provided by one organisation to another organisation via a contract; and
  • consists of ongoing management in relation to a customer’s information technology systems; and
  • is provided by means of the organisation, or a person authorised by the organisation, having a connection (or access) to the customer’s network and information systems, and that connection can be established on the customers premises or remotely.

2. Designated critical suppliers: The Bill will give competent authorities or the Information Commission the power to bring suppliers into scope of the regulation, if they are deemed to supply an essential service. This is a key part of the government’s ambition to improve supply chain security across essential and digital services. There will be a series of considerations that must be taken before designating a supplier as ‘critical’ - this includes a period of consultation and an assessment of the impact any disruption could have to the UK’s way of life. This clause will bring the UK in line with the UK’s financial sector’s Critical Third Parties and the EU’s NIS2 Directive’s approach to supply chain duties.

A designated critical supplier is defined as:

  • The supplier must provide goods or services directly to an Operator of Essential Services (OES) for which the authority is the designated competent authority.
  • The supplier must rely on network and information systems in order to provide these goods or services.
  • An incident affecting the operation or security of any network and information systems relied on by the supplier for the purposes of that supply must have the potential to cause disruption to;
    • the provision of any essential service, relevant digital service, or managed service by the person to whom the supply is made; or
    • the provision of essential services, relevant digital services, or managed services (whether of a particular kind or generally) by persons to whom the supplier provides goods or services.
  • That disruption is likely to have a significant impact on the economy or the day-to-day functioning of society in the whole or any part of the United Kingdom. This includes both scenarios of direct service disruption and cyber risk introduced by the supplier’s systems.

3. Large load controllers: Load controllers are being brought into scope to reduce the risk of grid disruption through enhanced cyber security requirements.

A large load controller is defined as:

  • An organisation is deemed a large load controller if it manages electrical load for smart appliance – a key service as the UK continues it’s transition to Clean Power 2030 and Net Zero.

4. Data centres: Read techUK’s assessment of the requirements on data centres below.

 

Channel website: http://www.techuk.org/

Original article link: https://www.techuk.org/resource/what-are-the-key-areas-of-focus-of-government-s-cyber-security-and-resilience-bill.html

Share this article

Latest News from
techUK

Are you a cyber security company providing products or services related to software and AI security?

09/12/2025 16:05:00

The Department for Science, Innovation and Technology (DSIT) has launched a new survey to map the UK’s AI and software cyber security services.

Central Government programme wrapped – 2025 in review

09/12/2025 14:05:00

The Central Government programme reflects on a milestone year of collaboration, innovation and policy insight. 

Home Office launches consultation on legal framework for police use of facial recognition

08/12/2025 11:20:00

The Home Office has published new guidance, survey findings and an open consultation on a future legal framework for biometrics and facial recognition. techUK will submit a response and invites members to share their views to help shape a clear, trusted and future-proofed approach.

Budget breakdown: energy support for digital infrastructure left out of week of announcements

04/12/2025 13:05:00

In all of the major fiscal announcements last week, most notably Wednesday’s Budget, there was a notable lack of financial support for digital infrastructure, particularly around energy costs.

techUK statement on the UK–US pharmaceutical deal

03/12/2025 11:25:00

The UK-US pharmaceuticals agreement marks a major step forward for investment, innovation and patient access. With new tariff-free trade, updated NICE thresholds and VPAG reforms, the UK is creating the right environment for a thriving life sciences ecosystem.

Demystifying the adoption of AI in police forces across England and Wales

02/12/2025 16:25:00

techUK’s Justice and Emergency Services Committee (AI sub-group) has launched a report exploring how Artificial Intelligence (AI) is currently being used and how it is likely to be used in the future across Police Forces in England and Wales.

Global Tech & Trade Policy Update

01/12/2025 16:25:00

Hello from the sky over the Atlantic, where I’m writing this newsletter from. Hope you are all doing well and that work is slowly winding down into December. Below is your latest rundown of global tech, trade, and regulatory developments. 

 

techUK reacts to the Autumn Budget 2025

28/11/2025 16:25:00

It was 12 months ago that the Chancellor significantly raised business costs through a series of tax rises including raising employer national insurance contributions (NICs).

techUK insight: UK Government launches ‘AI for Science Strategy’

26/11/2025 14:15:00

On 20 November 2025, Ministers Kanishka Narayan MP and Lord Patrick Vallance published the UK's AI for Science Strategy, a plan designed to position the UK at the forefront of AI-driven scientific discovery. 

Privacy SS