UK: Cyber Security and Resilience Bill

The bill represents the Government’s effort to tool up to strengthen cybersecurity, as regulated firms struggle to keep pace with intensifying attacks

The Cyber Security and Resilience Bill targets the £14.7bn businesses in the UK lose to cyber attacks each year

On 12 November 2025, the UK Government introduced the Cyber Security and Resilience Bill into Parliament. The proposed legislation was included in the Government’s parliamentary agenda to deliver on its Plan for Change and has been presented as a tool to enhance national security and protect economic growth. According to research published by the Department for Science, Innovation and Technology (DSIT) in coordination with the bill’s introduction, the average cost of a successful cyber attack on a business in the UK is greater than £190,000, equalling £14.7bn annually in total costs to the economy. The information sector, including telecoms, averages an even greater loss per attack at £336,773, and attacks on the sector often produce significant knock-on costs for other economic sectors, as discussed in the research. The Government has faced criticism for delays in introducing the bill, as well as in response to a recent joint ministerial letter to large UK businesses urging voluntary action on cybersecurity as firms struggle to keep pace with rising threats. Nonetheless, upon introducing the bill, Liz Kendall (Secretary of State, DSIT) declared that the proposed measures sent a clear message to would-be attackers that “the UK is no easy target”, responding to the reality that the UK was the most targeted European country for cyber attacks last year. 

Data centres will be brought into the scope of NIS regulations and overseen by DSIT and Ofcom

The legislation would update and expand the Network and Information Systems (NIS) regulations to capture more types of firms and further empower regulators to enforce high security standards. Following up on the designation of data centres as critical national infrastructure (CNI) in 2024, the bill would bring data centres into the scope of NIS regulations, though secondary legislation will be required to further define how security obligations would be applied. DSIT and Ofcom would become jointly responsible for overseeing the NIS regime for data centres, with Ofcom serving as the “operational regulator”. Only data centres over a given rated IT load (RITL) threshold, which refers to the power supply of the equipment within the data centre, will be within scope of the regulations; however, that threshold will be reviewed in light of market, technological and security developments over time. Managed service providers, such as firms that provide outsourced IT and cybersecurity support to other businesses, as well as select suppliers of firms in designated sectors will also be brought into the scope of NIS rules. 

Expanded powers, including bigger fines and a new statement of strategic priorities, for regulators 

Administratively, the bill would raise and commit more public resources to cybersecurity and to overseeing the resilience of regulated firms. DSIT would be responsible for communicating cross-sectoral priorities for cybersecurity enforcement through a statement of strategic priorities, similar to those issued on the telecoms sector and online safety. Sectoral regulators responsible for overseeing regulated firms, including Ofcom and the Information Commissioner’s Office (ICO), would be permitted to recover the full costs of their NIS work from regulated firms via fees and to issue larger fines for non-compliance, in line with the maximum allowable penalties under similar legislation, including the GDPR. In the event of a cyber attack, firms would also be expected to report to regulators incidents that could have, but have not yet had, a significant impact on the UK. Under current regulation, firms are only required to report incidents that have already caused significant disruption; under the bill, attacks using ransomware (which may only disrupt services if a ransom is not paid) and other delayed tactics would require notification within 24 hours of the threat being detected. Though much of the bill addresses reactive measures to active threats, DSIT would be empowered to issue proactive directions to regulators, as well as directly to regulated firms, on measures to enhance resilience in light of emerging threats to national security. Though DSIT’s impact analysis states that implementing the bill would cost less than £150m annually, the framework of the legislation does not respond to criticism that increasingly sophisticated cyber attacks, including those directed by hostile governments, are outpacing the capacities of UK businesses.

As the Government tools up to take on cybersecurity and bring the UK back up to speed with the EU in protecting CNI through the proposed legislation, whether businesses can keep pace with accelerating and intensifying threats, on top of rising compliance costs, remains an open question.