Cyber Security and Resilience (Network and Information Systems) Bill: HL Bill 32 of 2026–27

Approximate read time: 50 minutes

Cyber security is becoming increasingly important as society becomes more dependent on digital systems. Essential services are particularly attractive targets for cyber criminals, activists or hostile states aiming to cause disruption to the UK economy and public safety.

Legislation protecting essential services from cyber attacks is provided for in the 2018 NIS regulations. These impose duties on providers of essential services and relevant digital services to have cyber security measures in place and to promptly report serious incidents.

The bill would update the 2018 NIS regulations to improve their functioning and respond to changes in cyber threats since 2018. First, it would expand the scope of the regulations. For example, it would bring data centres, electrical load control, and third-party IT products and services under the regulations and require a broader range of incidents to be reported. Second, it would grant the secretary of state powers to update the regulatory framework with secondary legislation to allow the regulations to adapt to changing threats. Third, it would confer powers to the secretary of state to issue directions to certain organisations to provide information or take specific actions in the interest of national security.

The general principle of the bill has received cross-party support and has been welcomed by industry and regulators. However, key points of contention include whether more sectors should be brought in scope, such as retail and manufacturing, and the potential impacts of increased administrative burdens for businesses and regulators. Some have also criticised a lack of legal clarity as many details would be determined later in secondary legislation.

Image by Sasun Bughdaryan on Unsplash.