Proposals to overhaul the UK's cross-sector cyber security framework signal a decisive shift in protecting digital infrastructure in the UK, moving towards a more comprehensive, mandatory regime. For technology businesses operating in the UK, the implications are far-reaching. We take a look at the key practical considerations of the proposed bill for the technology sector.
Background to the Bill
On 12 November 2025, the UK Government introduced the Cyber Security and Resilience (Network and Information Systems) Bill (see our alert here), which will reform the Network and Information Systems Regulations 2018 (NIS Regulations) and strengthen the UK's regime to protect critical services. The NIS Regulations have been largely regarded as inadequate in the face of an evolving and increasingly sophisticated cyber threat landscape.
Broadly, the Bill expands the existing NIS Regulations to protect additional sectors and their supply chains, mandates broader incident reporting to improve threat visibility, strengthens powers for government and regulators to further extend requirements, and enhances investigatory and enforcement powers. Much of what the Bill contains was included in the government's April 2025 policy statement.
Although the government has indicated a desire for alignment with the EU NIS2 Directive (NIS2), certain distinct aspects of the UK proposals could mean many technology businesses effectively need to comply with two slightly different regimes.
Extended scope of application: which technology businesses might now be in-scope?
More technology businesses will be brought directly in-scope of the regime for the first time. The existing NIS Regulations apply to entities in the energy, transport, health, water and digital infrastructure (TLD registries, DNS service providers, and IXP operators) sectors as 'operators of essential services' (OESs), and to 'relevant digital service providers' (RDSPs) providing online search engines, online marketplaces, and cloud computing services. The Bill proposes to extend this:
- Extension to data centre providers: reflecting the critical importance of data centre infrastructure, standalone providers of data centre infrastructure would be in-scope as a new category of OES where the rated IT load of the data centres exceeds 1 MW on a non-enterprise basis or 10 MW for enterprise services.
- Extension to certain managed services: a new category of "relevant managed service provider" (RMSP) would capture providers of managed services in the UK, whether established in the UK or not. Broadly, managed services involve the B2B delivery of "ongoing IT system management" (including support, maintenance, monitoring, and active administration) to customers through remote or on-premises access to the customer's network and information systems. The government estimates this would capture around 900-1100 RMSPs, which would be subject to relevant requirements, many for the first time. Micro or small enterprises would be excluded.
- Certain high impact suppliers (of any size) could be designated as "critical suppliers": a new designation regime would enable regulators to designate suppliers that provide goods or services to regulated entities (ie to an OES, RDSP, or RMSP), and which rely on network and information systems to provide services that, if disrupted, could significantly impact the UK's economy or society. The designation regime could include micro or small enterprises and would be subject to certain safeguards and exclusions, such as taking into account potential for alternative sourcing options and overlaps with other regimes.
Examples might be a cloud infrastructure management company servicing a national transport operator or a large online prescription service, where a ransomware attack might disable its systems and disrupt rail ticketing and prescription orders for thousands of users.
Some technology vendors might not have visibility of how their services are used or relied on by customers in sectors like energy or healthcare. Yet the "critical suppliers" concept means they might find themselves designated as in-scope based on the nature of customers' reliance on their services. This reflects a shift towards entities being in-scope of regulatory oversight based on the 'criticality' of their services, as already seen in the financial services sector.
- Extension to large load controllers: large load controllers (ie organisations managing electrical load for energy smart appliances) will also be brought in-scope as essential services, with a threshold requirement of 300 MW or more of electrical load to and from relevant electrical appliances. This is intended to reduce the risk of grid disruption and could capture, for example, organisations managing electrical load to support electric vehicle charging during off-peak times.
- More clarity on the definition of "cloud computing service": the new definition is more closely aligned with (although not identical to) NIS2 and could make it harder for service providers to argue certain services are out-of-scope in the UK. Many SaaS providers, for example, will need to consider whether their services meet the relevant definition, such as enabling access to a "scalable and elastic" pool of shareable computing resources, and be prepared to justify this if challenged by the ICO.
- Extraterritorial application: providers outside the UK can still be in-scope or designated; it’s the provision of services in the UK that is relevant. RDSPs and RMSPs established outside the UK must register with the ICO and nominate a UK representative within 3 months of becoming designated (and may need to pay a registration fee). Enforcement outside the UK is possible; information requests and inspections can extend to documents and data held overseas, although physical inspections are limited to premises and equipment in the UK.
- Scope could be extended further: to future-proof the regime as technology changes, the Bill enables the government to specify further activities to be regulated going forward, ie the scope could be extended further.
Extended compliance obligations for in-scope organisations (and indirect implications for their technology vendors)
Companies that are in-scope should expect a significant uplift compared to existing NIS Regulations, although much of the detail will be set out in secondary legislation:
- Security and resilience requirements: specific revisions are proposed to the general security duties under the existing UK NIS Regulations. Whereas the existing regime focuses on continuity of services, the Bill would extend the focus to security of services as well, with certain security duties for parties such as RMSPs.
Expect more specific security requirements to come, with powers for the government to further expand the requirements under secondary legislation. The Policy Statement for example talks about technical and methodological security requirements, including establishing the principles under the NCSC's Cyber Assessment Framework (CAF) on a firmer footing, and "bringing closer alignment with NIS2".
- Potential for in-scope entities to be subject to new "directions for national security purposes": where threats could pose a risk to national security, the Secretary of State would have new powers to give directions to specific in-scope entities and authorities where this is considered "necessary and proportionate" in the interests of national security.
Directions could be wide-ranging. For example, relating to the management of relevant systems, to prohibit or restrict the use of certain goods/services/facilities, to provide certain information, and with a broad reference in the Bill to requiring "a thing to be done or not done". There is also a power to require the recipient of the direction to appoint a skilled person to assist with compliance with the direction.
- Testing: the Bill doesn’t explicitly mandate specific testing methodologies, although testing requirements could be included under further measures. The broad inspection powers could in some cases allow inspectors to carry out or require security testing of the relevant systems, including relevant components or connected systems.
- Further detail and priorities could be specified in additional measures: to enable the requirements to be tailored for different sectors, the Secretary of State would be given various additional functions, such as to designate a 'statement of strategic priorities' and relevant Codes of Practice. Although sector-specific guidelines can help tailor expectations, this could raise challenges for technology providers with customers across many different sub-sectors.
Enhanced incident reporting requirements, including 24-hour regulator notification and customer notification in certain cases
Technology businesses in the EU may already be adjusting their incident compliance procedures in light of incident reporting requirements under NIS2. The Bill would significantly tighten incident reporting requirements in the UK, with similarities to, but not mirroring, the NIS2 regime:
- Authority notification: notification to the competent authority must be made within 24 hours for the initial notification, beginning with the time of first awareness of the OES/RDSP incident, with the full notification within 72 hours. For complex incidents that develop at pace, determining when an organisation is actually "aware" or "detects" an incident is often not straightforward, and 24 hours does not allow much time.
- Prescriptive notification format: information fields for each are specified depending on the relevant incident and entity type. The information requested partially aligns with information requested under the NIS2 Directive, although is not fully aligned. This will further complicate reporting for entities subject to both regimes.
- Potential customer notification obligations: for OESs, RDSPs and RMSPs, as soon as reasonably practicable after the regulator notification, the entity must take "reasonable steps" to establish which customers in the UK are "likely to have been adversely affected" (taking into account certain factors), and notify those customers of the incident.
For incidents with a cross-border element, incident reporting and management therefore looks set to remain complex, notwithstanding proposals by the EU to simplify this under the Digital Omnibus package (see our article here).
Customer and supply chain considerations: indirect relevance for tech vendors
Technology vendors, regardless of whether they are directly in-scope or not, should expect an increase in compliance support requests from in-scope customers across sectors such as health, energy, utilities, digital infrastructure, etc.
Supply chain resilience and vulnerabilities are a significant focus of the Bill. Based on the April 2025 Policy Statement, we expect secondary legislation to include duties on both OESs and RDSPs to manage supply chain cyber risks, such as "appropriate and proportionate measures" to prevent vulnerabilities in suppliers from undermining essential or digital services. This could include contractual requirements, security checks, business continuity plans etc.
This means that even technology vendors that are not directly in-scope could still need to provide contractual commitments and meet relevant security requirements demanded by their in-scope customers. A certain standard of cyber security compliance will be needed to service key customers and maintain competitive advantage. For technology vendors with strong security credentials, this could present opportunities to help in-scope organisations comply.
Healthcare is a particular focus of the government's reporting on the Bill, given disruption caused by cyber attacks on healthcare infrastructure and the impact on people's lives. The government wants the proposals to drive a "step-change" in cyber maturity in the healthcare sector, and organisations like NHS trusts as well as any organisation providing technology to the healthcare sector should be closely aware of this Bill.
Enforcement
The Government is seeking to send a clear message that enforcement measures will be tougher than under the existing NIS Regulations:
- Tougher turnover-based penalties for non-compliance: the penalties regime introduces a two-band system for financial penalties, with the severity of the breach determining the band. Broadly, for more severe contraventions (like failing to report incidents, failing to comply with national security directions, or neglecting security duties), a higher-band penalty of up to the greater of £17,000,000 or 4% of global annual turnover will apply. For less severe breaches (like failing to register as an RDSP), the penalties will be up to the greater of £10,000,000 or 2% of the undertaking's global annual turnover.
The new penalty bands are higher than the maximum penalty amounts under the NIS2 Directive, almost doubling the EU's maximum penalty for essential services (€10 million or 2% of total worldwide annual turnover, whichever is higher).
Regulators would also be able to impose daily fines of up to £100,000 for ongoing contraventions.
- Broad information gathering and inspection powers: in-scope providers could be subject to information gathering and inspection powers from regulatory authorities in the UK for the first time.
- Information sharing: enforcement authorities have wide information sharing powers, including with relevant authorities in the EU under NIS2 in certain cases as part of a wider trend towards cross-border collaboration on cyber threats.
- Cost recovery mechanism: organisations could be required to contribute to the costs of relevant authorities, with the Bill introducing powers for authorities to recover "relevant costs" in connection with the exercise of any of their functions.
Next steps, including commencement
The Bill is actively proceeding through Parliament, progressing through the Committee stage during January and February 2026. The Bill will likely receive Royal Assent in 2026, although phased implementation means it might not fully come into force until 2028.
Practical steps to help prepare
Although not expected to fully enter into force until 2028, there are steps to start thinking about now, including to help reduce duplication of effort for businesses that also need to comply with NIS2 in the EU. These include:
- Preliminary scoping exercise to understand whether your business is likely to be in-scope. Although certain obligations apply at organisation level, others (eg incident reporting) could require organisations to assess which specific services might be in-scope.
- If your business is expected to be in-scope, or a significant portion of your customers are, take this into consideration when building cross-border compliance programmes such as for NIS2. In particular, incident detection, reporting and response plans could be built with future-proofing for the UK regime in mind.
- Focus on supply chain mapping – both customer dependencies and upstream suppliers. With the focus on supply chain and the potential for designation as a 'critical supplier', understanding dependencies throughout the supply chain will be essential.
- Look to embed a culture of 'compliance as a competitive advantage', where cyber and resilience risk management is as much a part of meeting customers' needs as ticking the box of legislative compliance.
Follow our updates to keep pace with the fast-evolving cyber risk and regulatory landscape.