Cyber Security and Resilience (Network and Information Systems) Bill 2024-26
A bill to improve cyber security and resilience is going through the Commons; it updates previous cyber security legislation and if passed will become UK law in 2026.
The Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 was introduced to the House of Commons on 12 November 2025. It had second reading on 6 January 2026 and committee stage took place from 3 to 24 February 2026.
The bill is scheduled for report stage and third reading on 10 June 2026.
The bill would update the UK’s cyber security legislation covering critical national infrastructure, primarily by amending the Network and Information Systems Regulations 2018. The bill extends to the whole of the UK.
The government has published the following documents providing further information about the bill:
- Cyber Security and Resilience Bill policy statement
- Factsheets
- Explanatory notes [PDF]
- Impact assessment
- Delegated powers memorandum [PDF]
Cyber security and resilience mean defending information technology (IT) systems from, and mitigating the impact of, attempts to gain unauthorised access to or control of those systems (cyber attacks).
Malicious actors, including state-sponsored groups, cyber criminals, and activists, seek to compromise and disrupt IT systems for reasons ranging from financial gain to espionage.
With the UK economy and society increasingly dependent on digital processes, the potential impact of successful cyber attacks is significant. The National Cyber Security Centre (NCSC; the UK’s technical authority on cyber security) has warned of a widening gap between the increasingly complex cyber threats and the UK’s defensive capabilities, particularly in critical national infrastructure.
Current regulatory framework
Organisations in specified critical sectors have statutory cyber security responsibilities under the Network and Information Systems Regulations 2018 (the NIS Regulations).
The sectors are energy, transport, health, drinking water, digital infrastructure, and some digital services (online marketplaces, search engines, and cloud computing services). Each sector has a regulator called a ‘competent authority’ which is responsible for guidance, monitoring and enforcement.
Successive governments have argued that the NIS Regulations need to be updated. In 2022, the Conservative government published a post-implementation review of the regulations. The review argued that:
- The number of sectors in scope should be expanded, in response to changing cyber risks and the sectors considered to be ‘essential’.
- Risks arising from organisations in essential service providers’ supply chains should be accounted for.
- Cyber security standards should be applied more consistently across sectors, and regulators should have the funding, skills, and powers they need to do this.
- Regulated organisations should report more cyber incidents to improve the data available to government and regulators.
The NIS Regulations were made under the European Communities Act 1972, which has been repealed. The government therefore does not have delegated powers to update them, meaning that it needs primary legislation, that is, an act of Parliament, to implement many of the post-implementation review’s recommendations. The previous government published a consultation with proposals for reform, but legislation was not introduced before the July 2024 election.
Measures in the bill
The measures in the bill are largely based on the previous government’s review and consultation, and on lessons learned from the European Commission’s updates to EU cyber security legislation.
The bill would:
- Expand the scope of the NIS Regulations to include:
  - data centres (which “host and support the digital infrastructure that underpins modern life”)
  - large load controllers (organisations that can control the energy use of smart appliances such as batteries and electric vehicles)
  - managed service providers (organisations that provide third-party IT services to other businesses)
  - suppliers that are critical to a regulated organisation’s ability to provide its essential service
- Enhance regulators’ ability to implement and enforce the NIS Regulations consistently across sectors by:
  - requiring regulated organisations to report more cyber incidents
  - enabling regulators to recover costs, share information, and impose higher fines
  - empowering the Secretary of State to publish a statement of strategic priorities setting out objectives for regulators to achieve when carrying out their functions under the NIS Regulations
- Grant the Secretary of State powers to direct regulated organisations and regulators to take specified actions in the interests of national security.
- Grant the Secretary of State powers to update the NIS Regulations through secondary legislation rather than primary legislation.
Stakeholders have generally welcomed the bill, having previously criticised delays in introducing the reforms first proposed in 2022.
The NCSC said the measures would ensure “more effective and consistent application across the different NIS-regulated sectors”. techUK, the trade body for the tech sector, said the bill was a “significant step forward in prioritising the security of our nation’s essential services”.
Some have criticised the bill’s focus on critical national infrastructure sectors. For example, Marks and Spencer and Jaguar Land Rover, both of which suffered damaging cyber attacks in 2025, are not in sectors in scope of the bill.
Others have called for a single cyber security regulator to drive consistency. The government argues that the current sectoral approach is appropriate due to the different risks faced by different sectors.