The UK Parliament introduced the Cyber Security and Resilience (Network and Information Systems) Bill on 12 November 2025. The legislation aims to strengthen cyber defences across Britain’s critical sectors, including public services such as healthcare, drinking water, transport, and energy. This legislation follows a series of high-profile cyberattacks this year and forms part of a broader effort to bolster the nation’s cybersecurity.
UK government ministers recently urged business leaders, including all FTSE 350 CEOs, to act decisively to protect their organisations and the UK economy from cyberattacks. They stressed the importance of having a robust cyber incident response plan, stating: “In this increasingly hostile landscape, organisations recover better from incidents when they have planned for the worst and rehearsed their business continuity and recovery.”
The UK National Cyber Security Centre, in its latest review, also warned that chief executives who fail to prepare their companies for cyber threats are “jeopardising their business’s future,” and called on the private sector to take cyber defences more seriously.
The new legislation will underpin a wide range of initiatives aimed at improving cyber resilience. Below is a summary of the bill’s main provisions and key considerations for risk managers and their organisations.
For the first time, companies providing IT management, help desk support, and cybersecurity services to both private and public sector organisations — including the NHS — will be regulated. They must fulfil clear security obligations, including the prompt reporting of significant or potentially significant cyber incidents to the government and customers. As a result, these companies will need strong incident response plans, continuous monitoring, and close coordination with regulators and the National Cyber Security Centre (NCSC). Smaller providers will be exempt.
Regulators will gain new powers to designate critical suppliers to essential UK services — such as diagnostic labs serving the NHS or chemical suppliers to water companies — if they meet specific criteria. Designated suppliers must comply with minimum security standards, closing supply chain gaps that cybercriminals could exploit to cause wider disruption. This requires organisations to conduct thorough supply chain reviews to close potential security gaps.
Enforcement will include tougher turnover-based penalties for serious breaches, ensuring compliance is more cost-effective than cutting corners. Adhering to the 12 key cybersecurity controls is vital for companies delivering essential services to maintain system security and reliability.
The bill grants the technology secretary new authority to direct regulators and the organisations they oversee — such as NHS trusts and Thames Water — to implement measures preventing cyberattacks when UK national security is threatened. This includes enhanced monitoring and isolating high-risk systems to protect essential services.
The bill will have diverse impacts on various sectors.
The healthcare sector, including hospital trusts and diagnostic suppliers, will face stricter regulation. The bill empowers the regulator to designate critical suppliers, such as diagnostic labs, and require them to meet minimum cybersecurity standards.
Hospitals and healthcare providers will face increased scrutiny of their supply chains, including third-party diagnostic software and outsourced IT services. Many healthcare organisations operate legacy systems, work with tight budgets, and prioritise patient care above other considerations, making compliance challenging.
Energy companies, water suppliers, and “smart” infrastructure (for example, EV charging networks and data centres) are explicitly included within the bill’s scope.
The bill broadens regulatory responsibilities to include managed service providers (MSPs) and data centre operators, rather than focusing solely on operators of essential services.
Utilities need to review supply chain dependencies — such as chemical suppliers for water treatment and third-party IT support for grid systems — and prepare for ministerial powers that may direct actions like enhanced monitoring or system isolation.
Transport networks (rail, road, ports, and aviation) are included as critical infrastructure. Operators must ensure that third-party providers comply with standards, have incident-reporting frameworks in place, and maintain business continuity plans to address cyber disruptions.
Water companies and their associated suppliers fall under the bill’s remit. Focus extends beyond core water networks to supply chains and digital systems such as Supervisory Control and Data Acquisition (SCADA) and remote monitoring. Contingency planning, resilience, and vendor governance are key priorities.
One of the most significant structural changes brought about by the bill is that medium and large managed service providers (MSPs), help-desk firms, and cybersecurity support vendors will be explicitly subject to mandatory standards.
This means MSPs are regulated not only by customer contracts but also by statutory obligations, requiring them to enhance security measures, incident management, reporting, and vendor governance. Critical infrastructure operators must vet these providers more thoroughly.
Cyber risk is one of the most significant threats facing UK organisations today, affecting nearly every sector and type of organisation. As the National Cyber Security Centre review found, the UK experienced 204 “nationally significant” cyber incidents in the 12 months up to August 2025 — of which 18 were classified as “highly significant,” representing a 50% increase compared to the previous 12 months.
The bill will strengthen cybersecurity measures essential for maintaining high safety standards, but it will also present challenges. Boards, executives, and risk managers must ensure that they have conducted thorough due diligence to identify their specific risks and implement the correct cybersecurity measures. Failure to do so may leave organisations vulnerable and potentially in breach of the law. Incident reporting requirements will tighten, including mandatory initial notifications within 24 hours.