Government introduces the Cyber Security and Resilience Bill
13 Nov 2025 11:19 AM
The Cyber Security and Resilience (Network and Information Systems) Bill was yesterday introduced to Parliament.
The Bill, which supports the government’s Plan for Change, will strengthen national security and protect growth by boosting cyber protections for the services that people and businesses rely on every day.
In the face of increasing cyber threats, it will prevent disruption – keeping the taps running, the lights on and the UK’s transport services moving – while making sure those who supply our vital services have tougher cyber protections, by updating the Network & Information Systems Regulations 2018.
There are three key areas of reform: expanding the regulatory scope; empowering regulators and enhancing oversight; and ensuring an adaptive regulatory landscape to respond to the evolving threat landscape. Under the proposals:
- Medium and large companies providing services like IT management, IT help desk support and cyber security to private and public sector organisations like the NHS will also be regulated for the first time. Because they hold trusted access across government, critical national infrastructure and business networks, they will need to meet clear security duties. This includes reporting significant or potentially significant cyber incidents promptly to government and their customers as well as having robust plans in place to deal with the consequences
- Regulators will be given new powers to designate critical suppliers to the UK’s essential services such as those providing healthcare diagnostics to the NHS or chemicals to a water firm, where they meet the criteria. This would mean they’d have to meet minimum security requirements – shutting down gaps in supply chains criminals could exploit which could cause wider disruption
- Enforcement will be modernised, including tougher turnover-based penalties for serious breaches so cutting corners is no longer cheaper than doing the right thing. That’s because companies providing taxpayer services should make sure they have tough protections in place to keep their systems up and running
- The Technology Secretary gets new powers to instruct regulators and the organisations they oversee, like NHS trusts and Thames Water, to take specific, proportionate steps to prevent cyber attacks where there is a threat to UK national security. This includes requiring that they beef up their monitoring or isolate high-risk systems to protect and secure essential services