February 12, 2026
Additional author credit: Luke Moore – Head of Digital Forensics and Incident Response, Sedgwick International UK & Paul Squires – Partner, Sedgwick Legal Services
A strategic insight into the UK’s cyber security regime and what is to come.
Executive summary
The UK Government’s Cyber Security and Resilience (Network and Information Systems) Bill (the Bill) represents a substantial update to the UK’s cross‑sector cyber regime since the Network and Information Systems Regulations 2018 (the NIS Regulations). It does so by widening regulatory scope, increasing incident‑reporting requirements, providing heightened supply‑chain responsibilities and strengthening enforcement powers.
It forms part of the government’s broader national security agenda, and its effort to close the gap between escalating cyber threats and existing response capabilities.
This insight explains the rationale behind the reforms, the key changes proposed, who will be affected and how organisations should prepare.
Why is the NIS regime being updated?
The cyber threat environment facing UK organisations has intensified significantly, amid the rapid pace of technological development and increased activity by state-backed actors. The UK National Cyber Security Centre has reported a surge in cyber incidents, with increasingly severe high-profile incidents affecting essential services.
At the same time, regulators such as the ICO have stressed the need to accelerate improvements in supply chain resilience, recognising that dependencies in long, interconnected supply chains are a major source of exposure. A recurring concern raised in Government policy discussions is that the current incident‑reporting requirements do not provide sufficient visibility into the systemic risks facing the most affected services.
The Bill seeks to ensure the regulations are modernised and reflective of the structural realities of today’s digital infrastructure, where disruption at a single service provider can cascade into far‑reaching cross‑sector consequences.
Expanded scope
The Bill significantly widens the scope of organisations subject to regulation. In addition to operators of essential services and existing relevant digital service providers, the regime turns its attention to supply chain security, in a manner similar to the EU NIS2 Directive, covering for example:
- Managed Service Providers (MSPs) – medium and large providers (designated as Relevant Managed Service Providers)
- Data-Centre Service Providers – including those above defined capacity thresholds
- Certain Large Load Controllers
- Designated Critical Suppliers – where service disruption could materially affect essential or digital services
The scope will be flexible, with regulators given the authority to expand the regime, allowing them to designate organisations they deem as critical suppliers.
Strengthening incident reporting
The Bill introduces earlier incident reporting, broader reporting thresholds and enhanced information‑sharing.
Under the existing NIS Regulations, incidents that meet the reporting thresholds must be reported to the regulator within 72 hours. The Bill would alter this position (to an extent), aligning itself with the requirements of the EU NIS2 Directive, which provide for an initial 24-hour notification and a follow-up within 72 hours.
As for customer notifications, under the current NIS Regulations the provider is required to notify the relevant regulator. That regulator may then notify the public or require the provider to do so. The Bill proposes to change this, placing the obligation on the provider itself to notify customers directly.
Secretary of State enforcement mechanisms and powers
The Secretary of State will also have additional powers. These include the ability to issue statutory Codes of Practice, as well as Statements of Strategic Priorities, which outline the government’s objectives for strengthening resilience and security across vital services.
Further, the Bill introduces a toughened enforcement regime. Regulators will have enhanced investigatory powers, a new statutory cost‑recovery mechanism through charging schemes and access to a revised penalty structure linked to organisational turnover. Maximum fines increase substantially, with serious breaches attracting penalties of up to £17 million or 4% of global turnover (whichever is higher), and additional daily penalties for continuing non‑compliance and breaches.
Practical implications
Organisations already regulated under the NIS framework should assess how the Bill may alter their operational, governance and reporting obligations, particularly where services are delivered through Managed Service Providers.
Luke Moore, Head of Digital Forensics & Incident Response Services at Sedgwick, comments that “The new legislation reinforces that cyber security is now, more than ever, ultimately a board‑level responsibility. Meeting these requirements starts with clarity around your infrastructure and the data you hold, because you cannot comply without knowing what you operate and protect. The Bill highlights a shift towards early action, stronger monitoring and tested response capabilities.
We are working with our clients to take steps now, to verify their controls and understand their infrastructures and operational risk, so they will be in a far stronger position when the new regulatory duties come into force.”
Of course, the Bill is only at the beginning of its parliamentary journey, with its second reading completed in early January 2026. The Bill will now enter Committee Stage, where a detailed clause-by-clause examination will take place. We encourage organisations to monitor how the Bill evolves as it progresses through Parliament, ensuring they are ready for proposed reforms and prepared for a more rigorous compliance environment ahead.
How we can help
Sedgwick advises organisations to approach the Bill not simply as a compliance hurdle, but as a strategic opportunity to strengthen resilience, governance and confidence in light of emerging risks. Our specialist digital forensics and legal teams assist with:
- Resilience audits of cyber governance and reporting frameworks
- Contractual reviews for supply chain security clauses and escalation triggers
- Development of incident playbooks and board-level reporting protocols
- Interpretation of sector-specific obligations and thresholds
In addition, we offer integrated legal and compliance services that enable businesses to:
- Proactively meet regulatory expectations
- Communicate readiness to clients, boards and stakeholders
- Align technology investments with emerging legal obligations
- Enhance resilience across operations, technology and supply chains
Alongside the legal and regulatory support provided by Sedgwick Legal Services, you can strengthen your position by adopting complementary operational measures that help demonstrate real‑world capability via Sedgwick Digital Forensics & Incident Response Services:
- Independent cyber assessment audits validating control effectiveness and identifying weaknesses
- Proactive testing and continuous monitoring to demonstrate resilience against emerging threats
- Targeted data mining assessments to map the data you hold, where it resides and where exposure may exist
- Improved internal reporting so technical findings translate into clear, actionable information for governance
Cyber resilience is now a business requirement. The Bill signals a shift from passive compliance to active capability. Organisations that combine strong legal guidance with evidence‑based operational insight will be better positioned to lead in confidence, continuity and control.