United Kingdom: Information Commissioner's Office issued response on Cyber Security and Resilience Bill

On 23 December 2025, the Information Commissioner's Office (ICO) issued its response on the Cyber Security and Resilience Bill, which was laid before Parliament on 12 November 2025. The Bill will update the Network and Information Systems (NIS) Regulations 2018 by expanding the regulatory scope to include a broader range of essential and digital service providers, including online marketplaces, cloud computing services, and search engines, as well as managed service providers. In its response as the competent authority for digital service providers and data protection, the ICO stated its approval of the Bill's expansion of the ICO's power to serve information notices, expansion of communication channels between the ICO and UK public authorities, introduction of new powers to enforce registration requirements, and expansion of its regulatory cost-recovery powers. Regarding other parts of the Bill, the ICO requested further clarity on certain aspects of the Bill, such as the factors and thresholds for determining a "significant impact" for incident reporting, security requirements, and the criteria for assessing critical suppliers. Additionally, the ICO requested clarity on the application of the new penalty measures and the impact of enhancements to the ICO's information gathering powers.