2025 saw the UK Government take a long-anticipated step towards modernising its cybersecurity regulatory framework with the Cyber Security and Resilience (Network and Information Systems) Bill (Bill).
In the context of ongoing digital threats, the Bill represents more than just another tranche of tech legislation. It underscores the increasing convergence between cybersecurity resilience, data protection compliance, and regulatory accountability, areas already front of mind for most organisations in the wake of GDPR enforcement trends.
Here’s what you need to know and why it matters to your business in the event the Bill gets passed as legislation.
What is the Cyber Security and Resilience Bill?
The Bill is the Government’s vehicle for reforming and replacing the UK’s existing Network and Information Systems Regulations 2018 (NIS), the framework introduced to increase the resilience of essential services and digital infrastructure against cyber disruption.
In broad terms, the Bill aims to:
- Expand the scope of entities regulated under the NIS regime, specifically bringing in groups such as managed service providers (MSPs), data centres and other critical suppliers that were previously outside its reach;
- Tighten incident reporting requirements, mandating rapid notice to regulators and potentially to customers where their data or access may be affected;
- Enhance regulator powers, including stronger information-gathering, cost recovery, compliance direction and, critically, higher financial penalties for failures;
- Provide Government with flexible tools to respond to emerging threats without needing fresh legislation.
Conceptually, this shift mirrors aspects of the EU’s NIS2 regime and reflects lessons from real-world cyber incidents that have demonstrated how interconnected modern digital supply chains really are.
Why this matters for your business
Where your business operates in a sector regulated under NIS (e.g., energy, transport, health, water, digital infrastructure) or serves such sectors as an MSP or technology supplier, the Bill’s changes could be material in several ways:
1. Expanded liability, bigger consequences
The Bill contemplates significantly increased penalties for non-compliance. The proposed maximum is the greater of a fixed sum in the millions of pounds or a percentage of global turnover, a structure borrowed from the UK GDPR, and a departure from the fixed-sum caps under the NIS Regulations 2018.
Even where an incident does not directly affect service delivery, the broader reporting definitions mean that cyber events with only a potential impact may need to be reported within much tighter timeframes.
This raises obvious parallels with UK GDPR breach reporting, but with distinct legal obligations and enforcement avenues. Organisations will have to understand and comply with parallel, yet different, statutory reporting regimes.
2. Supply chain and MSP scrutiny
One of the Bill’s most consequential aspects is the inclusion of MSPs and other digital intermediaries in scope. These organisations sit at the heart of many clients’ technology estates and under the new regime they will for the first time face direct regulatory obligations.
From a contractual and regulatory risk perspective, this matters on two fronts:
- MSPs now need to demonstrate robust cyber risk management not just for themselves, but for clients whose systems they support; and
- Clients procuring MSP services may need to revisit contracts, Service Level Agreements and due-diligence processes to ensure that their suppliers can meet statutory resilience requirements.
This is a paradigm shift from the traditional service-level focus, pushing businesses to treat system-wide resilience as a matter of statutory compliance rather than merely best practice.
3. Incident reporting: faster, broader and more complex
The Bill introduces shorter incident notification windows: a 24-hour initial notification followed by a 72-hour full report. The 72-hour deadline mirrors the UK GDPR personal data breach regime, but the 24-hour initial notice has no GDPR equivalent, and the legal triggers and required content of the notifications differ between the two regimes.
For data protection practitioners, this creates a compliance trap: teams must understand both regimes in depth, coordinate incident response plans and ensure reporting flows satisfy both the cyber resilience and UK GDPR obligations in tandem.
In practice, this means incident playbooks must be reviewed and tested against dual-track reporting timelines and internal governance must be robust enough to support compliance with two fast-moving legal regimes.
The ICO’s view — constructive, but cautious
The Information Commissioner’s Office (ICO) welcomed the Bill and its aims, noting the expanding complexity of digital supply chains and the importance of oversight of managed service providers and other intermediaries.
Several aspects of the ICO’s comment are worth highlighting:
- The ICO sees the expanded role as aligned with its data protection remit, reinforcing the link between data security and cyber resilience;
- It supports the principle of proactive, risk-based oversight but emphasises the need for clarity and consultation on secondary legislation around definitions (e.g. “significant impact”) and duties;
- The ICO welcomes information-sharing enhancements that avoid duplicative regulatory demands, provided they are implemented in practice; and
- It flags the requirement for appropriate resourcing of regulators to make the regime workable.
In short, the ICO is pragmatic: it supports the Bill’s objectives but recognises that ambiguity in key areas and the absence of detailed implementation guidance could pose practical challenges for regulated entities.
Things to note
As advisers, it is tempting to treat the Bill as “another tech regulation”. In reality, it sits at the intersection of cybersecurity, data protection, supply-chain risk and regulatory enforcement.
The shift means:
- Broader regulatory scope: organisations not previously regulated under NIS will need to assess their exposure, including data processors and support providers;
- Sharper incident response expectations: tighter deadlines and broader reporting criteria will require well-drilled internal processes;
- Higher financial risk: much greater potential penalties than under the current regime; and
- Contract and procurement reconsiderations: greater emphasis on supplier security and resilience.
Most importantly, the Bill highlights that data protection and cybersecurity can no longer be siloed functions. Compliance teams, security functions and legal advisers must work together to map obligations, align reporting frameworks and support clients in designing robust governance frameworks that can withstand this evolving regulatory landscape.
If the Bill achieves Royal Assent in early 2026 and progresses as currently drafted, the regulatory landscape for information risk compliance in the UK will look markedly different; more demanding, more interconnected and more consequential.
How can we help?
Kevin Modiri is a Partner in our expert Dispute Resolution team, specialising in civil disputes, insolvency, inheritance disputes, data breach claims and defamation claims.
If you’re facing a defamation issue or need advice about protecting your reputation, please do not hesitate to contact Kevin or another member of the team in Derby, Leicester, or Nottingham on 0800 024 1976 or via our online enquiry form.