The Cyber Security and Resilience (Network and Information Systems) Bill introduced by the Department for Science, Innovation and Technology in November 2025 represents a major enhancement of the UK's cyber regulatory framework. One of the most important aspects of the Bill is its broadening of the current Network and Information Systems Regulations 2018 (NIS Regulations) to cover more entities, notably medium and large managed service providers (MSPs), as well as data centres which are to be regulated as essential services. The government estimates that this will result in 900 to 1,100 additional firms coming under regulatory oversight.
Key Takeaways:
Broader Regulatory Scope
The Bill extends regulatory coverage to medium and large managed service providers (MSPs), data centres, and critical suppliers in supply chains, significantly increasing the number of businesses required to comply.
Operators of Essential Services:
- Data Centres: data centres above a certain threshold will be treated as essential services within the NIS Regulations’ data infrastructure subsector (rated load of 1 megawatt or more for commercial data centres; 10 MW or more for enterprise data centres).
- Large Load Controllers: load controllers[1] whose potential electrical control, in relation to relevant ESAs managed by the controller, is 300 MW or more are designated operators of essential services (OES) under the NIS Regulations. ESAs are the energy smart appliances: electric vehicles; EV charge points; electrical heating appliances (e.g. heat pumps); battery storage systems; and virtual power plants.
Digital Service Providers (cloud computing):
The definition of cloud computing services under the NIS Regulations is updated (essentially, they are services that provide access to a scalable and elastic pool of shareable computing resources such as networks, servers, storage, and software; are broadly accessible remotely; can be provided on demand and on a self-service basis; rely on computer resources which may be distributed across two or more locations; are not provided solely for the use of a single business; and are distinct from managed services, which are separately regulated).
Managed Service Providers:
The definition of relevant managed service provider (RMSP) under the NIS Regulations is updated. RMSPs are now explicitly defined as service providers that manage, control, or operate network and information systems on behalf of other organisations, such as IT infrastructure providers, cloud service managers, and managed security service providers, focusing on providers with significant control over client IT or operational technology (OT) environments.
Critical Suppliers:
These are suppliers providing goods or services directly to an operator of essential services (OES), relevant digital service provider (RDSP), or relevant managed service provider (RMSP) that is regulated by the same authority that is considering the designation. These suppliers must rely on network and information systems to deliver their goods or services. Designation by the regulator will depend on the regulator's assessment that a cyber incident impacting the supplier has the potential to significantly disrupt the essential, digital, or managed services provided by their customers, and that such disruption is likely to have a significant impact on the UK's economy or the day-to-day functioning of society.
Registration Requirements
New registration requirements are introduced for entities such as RDSPs, RMSPs, and data centres. These entities must register with their relevant sector regulator and provide detailed information, including a proper address for service of documents; the nature of their service, e.g., whether they provide cloud computing, online marketplaces, or other digital services; and other information as required by secondary legislation.
Incident Reporting
Significant cyber incidents must be reported within 24 hours to the relevant regulator and the National Cyber Security Centre (NCSC), with full reports due in 72 hours. This includes requiring more transparency, such as notifying impacted customers promptly.
Stricter Security Duties
The Bill imposes stronger cybersecurity obligations, including supply chain risk management, governance, and technical controls. Covered businesses should assess and improve their cyber resilience measures to meet these evolving standards.
Strategic Compliance Preparation
Businesses should start reviewing contracts, incident response plans, and cyber governance frameworks now. The Bill signals a shift from best practice to mandatory legal requirements, reinforcing the importance of proactive risk management. There will inevitably be a contracting piece to this once the Bill gains force, as obligations and policies will need to be flowed down into supply chain and outsourcing contracts.
Regulatory Powers
The Bill grants regulators significantly enhanced enforcement capabilities to ensure compliance and respond to emerging threats. These powers include the authority to issue emergency instructions during active cyber incidents, requiring immediate remedial action from regulated entities; to demand information and documentation on security measures, incidents, and risk assessments; to carry out on-site and remote inspections of systems and processes; to issue binding guidance and codes of practice setting out regulatory expectations; and to adapt requirements swiftly via secondary legislation in response to evolving cyber threats. Regulators can also impose specific security measures where entities fail to meet their obligations, ensuring a proactive rather than merely reactive regulatory approach. These enhanced powers will be exercised by both existing sector regulators and a new body called the Information Commission.
Information Commission
The Bill establishes the Information Commission as a distinct regulatory authority, separating cyber resilience oversight from the ICO's existing data protection responsibilities. While the ICO will continue to enforce UK GDPR and data protection laws, the Information Commission will focus specifically on network and information systems security, incident response, and operational resilience. This institutional separation acknowledges the specialized technical expertise and regulatory approach needed for cybersecurity matters, distinct from privacy-focused regulation.
Penalties
Non-compliance risks heavy fines, with the standard maximum amount reaching the greater of £10m and 2% of worldwide turnover, although in certain more egregious cases this increases to the greater of £17m and 4% of turnover.
Conclusion
Given typical legislative timelines and current parliamentary workload, Royal Assent (i.e., the Bill becoming law) is not expected until at least early 2026. It is quite likely we will see some changes as the Bill passes through the legislative process. After Royal Assent, there is expected to be a phased introduction of new requirements, with a transition or grace period of several months to a year for the government to develop secondary legislation and codes of practice, and for businesses to prepare for compliance with the new obligations introduced by the Bill.
Overall, businesses in scope of the Bill should prepare for a tougher regulatory environment focused on resilience, rapid incident response, and accountability to avoid significant operational and financial risks. With this in mind, DSIT has published a number of factsheets to help businesses prepare for the new obligations: Cyber Security and Resilience (Network and Information Systems) Bill: factsheets - GOV.UK
[1] Load controllers are systems that remotely manage electricity demand by coordinating when connected devices (such as EV chargers, heat pumps, and batteries) consume or supply power, helping to balance the electricity grid and prevent overload during peak periods.