Research & Analysis. Published 17 Dec 2025. House of Commons Library.

Cyber Security and Resilience (Network and Information Systems) Bill 2024-26

Type: Commons Briefing Paper (CBP-10442)

A bill to improve cyber security and resilience is going through the Commons; it updates previous cyber security legislation and if passed will become UK law in 2026.


The Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 was introduced to the House of Commons on 12 November 2025. The bill extends to the whole of the UK.

It is scheduled for second reading on 6 January 2026.

The bill would update the UK’s cyber security legislation covering critical national infrastructure, primarily by amending the Network and Information Systems Regulations 2018.

The government has published the following documents providing further information about the bill:

Cyber Security and Resilience Bill policy statement

Factsheets

Explanatory notes [PDF]

Impact assessment

Delegated powers memorandum [PDF]

What is cyber security and resilience?

Cyber security and resilience mean defending information technology (IT) systems from, and mitigating the impact of, attempts to gain unauthorised access to or control of those systems (cyber attacks).

Malicious actors, including state-sponsored groups, cyber criminals, and activists, seek to compromise and disrupt IT systems for reasons ranging from financial gain to espionage.

With the UK economy and society increasingly dependent on digital processes, the potential impact of successful cyber attacks is significant. The National Cyber Security Centre (NCSC; the UK’s technical authority on cyber security) has warned of a widening gap between the increasingly complex cyber threats and the UK’s defensive capabilities, particularly in critical national infrastructure.

Current regulatory framework

Organisations in specified critical sectors have statutory cyber security responsibilities under the Network and Information Systems Regulations 2018 (the NIS Regulations).

The sectors are energy, transport, health, drinking water, digital infrastructure, and some digital services (online marketplaces, search engines, and cloud computing services). Each sector has a regulator called a ‘competent authority’ which is responsible for guidance, monitoring and enforcement.

Successive governments have argued that the NIS Regulations need to be updated. In 2022, the Conservative government published a post-implementation review of the regulations. The review argued that:

The number of sectors in scope should be expanded, in response to changing cyber risks and the sectors considered to be ‘essential’.

Risks arising from organisations in essential service providers’ supply chains should be accounted for.

Cyber security standards should be applied more consistently across sectors, and regulators should have the funding, skills, and powers they need to do this.

Regulated organisations should report more cyber incidents to improve the data available to government and regulators.

The NIS Regulations were made under the European Communities Act 1972, which has been repealed. The government therefore does not have delegated powers to update them, meaning that it needs primary legislation, that is, an act of Parliament, to implement many of the post-implementation review’s recommendations. The previous government published a consultation with proposals for reform, but legislation was not introduced before the July 2024 election.

Measures in the bill

The measures in the bill are largely based on the previous government’s review and consultation, and lessons learned from the European Commission’s updates to EU cyber security legislation.

The bill would:

Expand the scope of the NIS Regulations to include:

data centres (which “host and support the digital infrastructure that underpins modern life”)

large load controllers (organisations that can control the energy use of smart appliances such as batteries and electric vehicles)

managed service providers (organisations that provide third-party IT services to other businesses)

suppliers that are critical to a regulated organisation’s ability to provide its essential service

Enhance regulators’ ability to implement and enforce the NIS Regulations consistently across sectors by:

requiring regulated organisations to report more cyber incidents

enabling regulators to recover costs, share information, and impose higher fines

empowering the Secretary of State to publish a statement of strategic priorities setting out objectives for regulators to achieve when carrying out their functions under the NIS Regulations

Grant the Secretary of State powers to direct regulated organisations and regulators to take specified actions in the interests of national security.

Grant the Secretary of State powers to update the NIS Regulations through secondary legislation rather than primary.

Stakeholder response

Stakeholders have generally welcomed the bill, having previously criticised delays in introducing the reforms first proposed in 2022.

The NCSC said the measures would ensure “more effective and consistent application across the different NIS-regulated sectors”. techUK, the trade body for the tech sector, said the bill was a “significant step forward in prioritising the security of our nation’s essential services”.

Some have criticised the bill’s focus on critical national infrastructure sectors. For example, Marks and Spencer and Jaguar Land Rover, both of which suffered damaging cyber attacks in 2025, are not in sectors in scope of the bill.

Others have called for a single cyber security regulator to drive consistency. The government argues that the current sectoral approach is appropriate due to the different risks faced by different sectors.
