Cyber Security Incentives and Regulation

The regulatory baseline is the Network and Information Systems Regulations 2018, as comprehensively amended by SI 2020/1245 on 31 December 2020. Those amendments are doctrinally important: they replaced the independent-reviewer model with a First-tier Tribunal appeal on judicial-review grounds (regs 19A–19B), recast the enforcement-notice and penalty regime into a two-stage process with mandatory pre-notice representations (regs 17–18), broadened the inspection power into a fully intrusive entry/examination/test regime (reg. 16), and required non-UK headquartered OES in energy and digital infrastructure to nominate a UK representative (reg. 8A). Thresholds for the oil, gas and digital infrastructure subsectors were rebased — including the 30% UK-market-share IXP test and the 14-billion-queries TLD registry threshold (reg. 20). On top of that statutory baseline sits the strategic frame: the National Cyber Security Strategy 2016–2021 and its 2022 successor, the 2022 Cyber Security Incentives and Regulation Review 1, and the McPartland Review of Cyber Security and Economic Growth 2. Operationalising these are the five Cyber Security Codes of Practice (Cyber Governance, Software Vendors, AI, App Store, Cyber Essentials) mapped in DSIT's modular approach diagram 3, the Cyber Essentials Supply Chain Commitment with leading banks 4, and place-based programmes like Cyber Local 5. Telecoms providers sit outside NIS under ss.105A–105C Communications Act 2003, and consumer connectable products are regulated under Part 1 PSTI Act 2022 — with s.70 of that Act still uncommenced.

The most material recent development is the introduction of the Cyber Security and Resilience (Network and Information Systems) Bill, with Keeling schedules and a DSIT impact assessment published in November 2025 and January 2026. Read against the 2022 consultation outcome 1 and the second Post-Implementation Review of NIS 2, the Bill is the legislative answer to longstanding scope concerns — bringing managed service providers, data centres and designated critical suppliers within NIS's reach. On the incentives side, the Code of Practice for Software Vendors government response (March 2025) 3 and the Software Security Ambassadors Scheme (February 2026) 4 mark a meaningful step in the supply-chain assurance agenda. The DSIT-Nigeria statement of intent on cyber-enabled fraud and scams (March 2026) 5 adds an international-cooperation dimension. By contrast, a March 2026 written question confirms that section 70 of the PSTI Act 2022 remains uncommenced and that DSIT is still 'considering options' — a sign the consumer-product regime is not yet complete.

Three calendar items dominate the next 12 months. First, the Cyber Security and Resilience Bill's passage: the live questions are scope (data centres, MSPs, designated critical suppliers) and regulator capacity — NCSC, the Information Commissioner and sector competent authorities will absorb the operational load, and Parliament will look closely at the delegated powers underpinning designation. Second, government movement on the McPartland Review 1: the review reframes cyber security as a growth enabler but its recommendations on fiscal levers (tax relief, insurance alignment, procurement) have not yet produced a published government response. The April 2026 written question on aligning Cyber Essentials with insurance underwriting standards signals where parliamentary pressure is building. Third, the long-running PSTI section 70 commencement decision: written questions repeatedly press for commencement, and a decision either way will signal how aggressively the consumer-product regime is treated as complete. Beyond those three, watch (i) the next statutory NIS review under reg. 25 (intervals not exceeding five years after the May 2022 second report) 2; (ii) the codes-of-practice ecosystem and whether the Software Security Ambassadors Scheme converts voluntary uptake into procurement leverage 34; and (iii) any Public Accounts Committee report following its 2025 evidence session on government cyber resilience.

Doctrinal risk: the regime is layered (NIS, telecoms security, PSTI), and the carve-out in reg. 8(1A) means that an entity moving between regimes (e.g. a digital infrastructure provider acquiring telecoms-network functions) could face uncertainty over which regulator and duty applies. Capacity risk: SI 2020/1245's expansion of the inspection power and the future Bill's expanded scope will test NCSC, ICO and sector-regulator resourcing. Inferred from corpus gap: no NAO value-for-money review of the NIS regime or the Cyber Local programme has been retrieved into this build — independent audit coverage is therefore thinner than for comparable regulatory regimes. Inferred from corpus gap: scope notes for the Cyber Security and Resilience Bill's commencement clauses are not in the retrieved corpus (the Keeling schedules show amended NIS text but commencement detail must be read from the Bill itself). Finally, the McPartland Review's incentives recommendations remain unanswered in the public record, leaving the 'incentives' half of this thread under-resolved 1.