29.01.26

UK Government Introduces Cyber Security and Resilience Bill to Parliament

On 12th November 2025, the UK government formally introduced the Cyber Security and Resilience (Network and Information Systems) Bill to Parliament. First proposed in July 2024, the legislation aims to address the growing threat of cyber-attacks against critical national services, including health care, transportation and energy.

The bill’s introduction follows a spate of large-scale cyber-attacks, including the August 2025 attack on Jaguar Land Rover, which cost the UK economy an estimated £1.9 billion.

The Bill’s Proposals Explained

If passed, the bill will amend the Network and Information Systems (NIS) Regulations 2018. A central pillar of the legislation is its expanded scope. While the existing NIS regulations already cover essential services such as the NHS, transport systems and the energy network, cyber-criminals continue to exploit weaknesses in national infrastructure through supply chain attacks and other sophisticated methods. In response, the bill will extend the NIS regulations to include data centres, managed service providers and large load controllers.

Additionally, regulators will receive expanded authority to identify and classify other suppliers of essential goods and services as “critical.” Recognised providers will be required to implement appropriate, proportionate and robust cyber-security measures.

Key Provisions

Additional key provisions within the bill include the following:

  • Mandatory incident reporting – Recognised organisations must notify their regulator and the UK National Cyber Security Centre of any significant incident within 24 hours, followed by a full report within 72 hours.
  • Stricter enforcement – Serious breaches could result in penalties of up to £17 million or 4% of an organisation’s global turnover, while less severe incidents may incur fines of up to 2% of annual turnover.
  • Expanded powers – The Technology Secretary will gain new authority to direct regulators and the organisations they oversee to take specific steps when a clear threat to national security is identified. Such measures may include isolating high-risk systems or increasing threat monitoring.

Richard Horne, the chief executive of the National Cyber Security Centre, responded to the bill’s introduction. “The real-world impacts of cyber-attacks have never been more evident than in recent months,” he said. “We urge organisations – no matter how big or small – to follow the advice and guidance available at www.ncsc.gov.uk and act with the urgency that the risk requires.”

The bill’s introduction comes amid mounting evidence of the economic toll of cyber-crime. According to the Association of British Insurers, almost £200 million was paid out in cyber-insurance claims in 2024 alone. Underscoring the urgency of stronger protections, the average cost of a significant cyber-attack for UK businesses is approximately £195,000, according to government data.

Cyber Security and Resilience Bill – the Next Steps

Although the bill is not yet enacted, organisations that it may impact should begin assessing their current cyber-security posture and incident-reporting capabilities. Regardless, all organisations should review their cyber-security measures in light of rising cyber-threats and consider the merits of cyber-insurance.

Contact us today for further cyber-security and insurance solutions.

Information provided by Zywave with a contribution from Lisa Langley, (Cert CII) Team Leader, Professional Risks, Cox Mahon Ltd.

Contains public sector information published by GOV.UK and licensed under the Open Government Licence v3.0. The content of this publication is of general interest and is not intended to apply to specific circumstances or jurisdiction. It does not purport to be a comprehensive analysis of all matters relevant to its subject matter. The content should not, therefore, be regarded as constituting legal advice and not be relied upon as such. In relation to any particular problem which they may have, readers are advised to seek specific advice from their own legal counsel. Further, the law may have changed since first publication and the reader is cautioned accordingly. © 2025 Zywave, Inc. All rights reserved.