Proposal for New UK Cybersecurity Laws
By Carlotta Kozlowskyj | 24 November 2025
Summary
The UK government introduced the Cyber Security and Resilience Bill to Parliament on 12 November 2025.
The legislation aims to strengthen the resilience of the UK public services against cyberattacks and expand the scope of companies protected by cyber regulations.
If approved, the Bill would require regulated entities to report significant cyber incidents within a strict timeframe and would grant regulators enhanced powers to fine organisations that fail to comply.
Context
On 12 November 2025, the UK government introduced the Cyber Security and Resilience Bill to Parliament for its first reading. The Bill proposes amendments to the existing Network and Information Systems (NIS) Regulations 2018, representing the most significant upgrade to the UK’s cyber regime since NIS was introduced. This initiative follows several recent cyberattacks on major UK organisations, including Marks & Spencer and Jaguar Land Rover. In 2024, hackers breached the Ministry of Defence's payroll system and disrupted over 11,000 National Health Service (NHS) medical appointments and procedures.
The Bill aims to enhance the UK’s defences against cyberattacks for essential public services, as only 8% of these organisations are currently considered “Mature” in their cybersecurity readiness. The regulations would apply to five primary sectors: transport, energy, drinking water, health and digital infrastructure. For the first time, companies providing IT and cybersecurity services to both public and private organisations, including the NHS, would be regulated and required to meet strict security standards. This includes reporting significant cyber incidents within a 24-hour timeframe to the National Cyber Security Centre (NCSC), providing a full incident report within 72 hours, and maintaining operational continuity plans to manage the aftermath of attacks. Public sector bodies and operators of critical national infrastructure would also be prohibited from paying ransom demands to cybercriminals.
In addition, regulators would be granted expanded powers to fine companies that fail to meet the required security standards and to designate key suppliers as “Designated Critical Suppliers” (DCSs). The Bill would give regulators the ability to take direct action and fine companies up to 4 per cent of their annual turnover if they fail to comply with the rules. The Secretary of State would also be granted new authority to issue guidance and instructions to regulated entities on addressing cybersecurity risks.
Implications
The Cyber Security and Resilience Bill reflects rising state-level concerns about cyber operations targeting UK infrastructure. If adopted, the legislation would strengthen protections for public services against cybercriminals and state-backed actors, reducing operational disruptions and enhancing national resilience. As the most significant reform since 2018, the Bill signals a shift towards a more interventionist cybersecurity model by directly linking cybersecurity regulation to national strategic priorities. This represents a departure from the UK’s traditional decentralised and partnership-based approach to cyber governance, as the state would now play a more direct role in shaping cyber norms and setting security standards.
Additionally, the Bill introduces mandatory reporting and grants regulators the authority to enforce cybersecurity standards, although these measures may face significant implementation challenges. Regulators and government bodies will require substantial resources and technical capacity to enforce these standards and oversee an expanded range of regulated entities, particularly IT and cybersecurity suppliers that were not previously subject to strict regulations. This expansion raises concerns about regulatory overload, especially if cyber incident notifications increase sharply. Smaller IT suppliers may also be disproportionately affected, as compliance costs and administrative burdens may undermine their operational capacity.
The estimated annual cost of cyberattacks to the UK economy is almost GBP 15b (~USD 19.7b, 16/11/2025). By prohibiting ransom payments to cybercriminals, the Bill seeks to reduce the financial incentive driving many cyberattacks and could reshape the cybercriminal business model. The initiative was also widely welcomed by industry leaders, who described it as an essential regulatory framework for addressing AI-driven cybersecurity threats and securing critical supply chains. However, the rules will not apply to companies classified as critical infrastructure, such as M&S. This reflects the UK government's chosen model for countering cybersecurity threats, which prioritises centralised enforcement but is narrower in scope. If implemented, the success of the Bill will depend mainly on the regulatory capacities and guidance provided by the government to regulators.
Forecast
Short-term (Now - 3 months)
It is highly likely that the Cyber Security and Resilience Bill will pass Parliament with minor amendments, given strong support from governmental agencies and industry stakeholders.
There is a realistic possibility of amendments redefining the criteria for “Designated Critical Suppliers” and the cost-recovery mechanism, as both grant significant authority to regulators and the Secretary of State.
It is likely that small and medium-sized technology suppliers will oppose the new legislation as they raise concerns about compliance costs and administrative burdens.
Long-term (>1 year)
It is likely that if the Bill passes, UK critical infrastructures will experience fewer large-scale cyber disruptions and improved incident response capabilities.
It is likely that legal accountability for failing to meet cybersecurity standards, including sanctions and penalties, will increase for public and private organisations.
It is likely that the regulatory framework will expand to additional sectors, as cyber threats grow in scale and sophistication.
It is unlikely that the UK will fully centralise cybersecurity governance under a single state entity, such as the NCSC, due to bureaucratic and capacity constraints.