United Kingdom: Cyber Security and Resilience Bill introduced to Parliament

On 12 November 2025, the Cyber Security and Resilience Bill was introduced to Parliament. The Bill will update the Network and Information Systems (NIS) Regulations 2018 by expanding the regulatory scope to include a broader range of essential and digital service providers, including online marketplaces, cloud computing services, and search engines, as well as managed service providers. Data centres will be designated as essential services. It expands the powers of cyber regulators, including enhancing incident reporting duties and updating cost recovery arrangements for oversight activities to allow full cost recovery for NIS duties. It places the Secretary of State in charge of maintaining consistency in implementation across sectors. The information that regulators may share and receive will be clarified, and the maximum financial penalty for violations will be amended. It will be implemented in phases, with measures on future proofing entering into force on day 1 and statements on strategic priorities and permitted information sharing entering into force in month 2. Implementation of the Secretary of State's powers of direction, regulatory conditions for data centres, managed and digital service provider updates, incident reporting, cost recovery, and additional details for specific critical sectors will be implemented via secondary legislation.