United Kingdom: Department for Science, Innovation & Technology published policy statement on Cyber Security and Resilience Bill

On 1 April 2025, the Department for Science, Innovation & Technology published a policy statement detailing the confirmed and proposed measures in the Cyber Security and Resilience Bill. The Bill is expected to update the Network and Information Systems (NIS) Regulations 2018 by expanding the regulatory scope to include a broader range of essential and digital service providers, including Managed Service Providers (MSPs) and other actors in digital supply chains. It proposes to expand the powers of cyber regulators, including enhancing incident reporting duties, clarifying and strengthening the Information Commissioner's Office’s powers to request information, and updating cost recovery arrangements for oversight activities. The Bill would include delegated powers to amend obligations through secondary legislation in response to changes in the threat or technology landscape. The Government is also consulting on additional measures, such as the inclusion of data centres within scope, the introduction of a statement of strategic priorities for regulators, and a national security direction power enabling ministers to issue legally binding instructions to entities or regulators in specified cases.