Brian Sims
Editor

Cyber Security and Resilience Bill introduced to Parliament

SUPPORTING THE Government’s Plan for Change, the Cyber Security and Resilience Bill has now been introduced to Parliament. In essence, the Bill strengthens national security and protects growth by boosting cyber protections for the services upon which individuals and businesses rely on a daily basis.

In the face of increasing cyber threats, the Cyber Security and Resilience Bill will prevent disruption, while also making sure that those parties who supply vital services benefit from tougher cyber protections.

The proposed laws would cover certain digital and essential services including healthcare, transport, energy and water. Under the Government’s proposals, medium-sized and large-scale companies delivering services such as IT management, IT Help Desk support and cyber security to private and public sector organisations – the National Health Service (NHS) being a prime example – will also be regulated for the first time.

Because they hold trusted access across Government, Critical National Infrastructure (CNI) and business networks, such organisations will need to meet clear security duties. These include reporting significant (or potentially significant) cyber incidents promptly to Government and their customers, as well as having robust plans in place to deal with the consequences.

For their part, regulators will be afforded new powers to designate critical suppliers to the UK’s essential services (such as those providing healthcare diagnostics to the NHS or chemicals to water businesses) where they meet the criteria. This would mean they would have to meet minimum security requirements, shutting down any gaps in supply chains that criminals could exploit.

Enforcement will be modernised, including tougher turnover-based penalties for serious breaches so that ‘cutting corners’ is no longer cheaper than ‘doing the right thing’. Companies providing taxpayer services should make sure they have tough protections in place to keep their systems up-and-running.

The Technology Secretary will be afforded new powers to instruct regulators and the organisations they oversee (eg NHS Trusts and Thames Water) to take specific and proportionate steps to prevent cyber attacks where there’s a threat posed to the UK’s national security. This includes requiring that they ‘beef up’ their monitoring or otherwise isolate high-risk systems in order to protect and secure essential services.

Independent research

The Office for Budget Responsibility estimates that a cyber attack on the UK’s CNI could temporarily increase borrowing by over £30 billion. That’s equivalent to 1.1% of GDP. New and independent research shows that the average cost of a significant cyber attack in the UK is now upwards of £190,000. This amounts to around £14.7 billion per annum across the economy (equivalent to 0.5% of the UK’s GDP).

Science, Innovation and Technology Secretary Liz Kendall said: “Cyber security is national security. This legislation will enable us to confront those who would disrupt our way of life. I’m sending them a clear message: the UK is no easy target. We all know the disruption daily cyber attacks can cause. Our new laws will make the UK more secure against those threats. It will mean fewer cancelled NHS appointments, less disruption to local services and businesses and a faster national response when threats emerge.”

Richard Horne, CEO of the National Cyber Security Centre, stated: “The real-world impacts of cyber attacks have never been more evident than in recent months. At the National Cyber Security Centre, we continue to work non-stop to empower organisations in the face of rising threats.”

Horne continued: “As a nation, we must act at pace to improve our digital defences and resilience. The Cyber Security and Resilience Bill represents a crucial step forward when it comes to better protecting our most critical services. Cyber security is a shared responsibility and a foundation for prosperity. On that basis, we urge all organisations – no matter how big or how small they may be – to follow the advice and guidance available at www.ncsc.gov.uk and act with the urgency that the risk requires.”

Huge opportunity

Phil Huggins, national Chief Information Security Officer for health and care at the Department of Health and Social Care, observed: “The Cyber Security and Resilience Bill represents a huge opportunity to strengthen cyber security and resilience in order to protect the safety of the people who we care for on a daily basis. The reforms will make fundamental updates in terms of our approach towards addressing the greatest risks and harms, such as by introducing new powers to designate critical suppliers.”

Further, Huggins affirmed: “Working with the healthcare sector, we can drive a step change in cyber maturity and help to keep services available, protect data and maintain trust in our systems in the face of an evolving threat landscape.”

Earlier this year, the Government published the Cyber Governance Code of Practice setting out clear steps organisations should take to manage digital risks and safeguard their day-to-day operations. While it’s for individual companies to ensure they have proper protections in place, the Bill targets those that will have the maximum impact on improving cyber resilience, bringing the services that retailers, hospitals, councils and others depend on into scope. Raising their baseline protects thousands of businesses in the long-term.

Recent cyber attacks on Managed Service Providers clearly make the case for updated laws. In 2024, hackers accessed the Ministry of Defence’s payroll system via a Managed Service Provider, while other recent attacks such as the Synnovis incident in the NHS resulted in over 11,000 disrupted medical appointments and procedures (with some estimates suggesting the resulting costs amounted to £32.7 million). This brings into sharp focus the impact cyber incidents can have on members of the public and essential public services.

Organisations in scope will need to report more harmful cyber incidents to their regulator and the National Cyber Security Centre within 24 hours – offering a full report within 72 hours – in order to ensure support can be on hand more quickly and assist in building a stronger national picture of cyber threats.

Data Centres

Data Centres keep the UK running, handling everything from patient records and payments through to e-mail services and Artificial Intelligence (AI) development. The Cyber Security and Resilience Bill will bring them into scope of the regulations, duly ensuring that they meet robust cyber security standards.

If Data Centres face a significant (or potentially significant) attack, their management teams will have to promptly notify customers likely to be impacted so that those organisations can act fast to protect their business, people and services.

New safeguards will also cover organisations that manage the flow of electricity to smart appliances like electric vehicle charging points and electrical heating appliances in domestic premises. This will reduce the risk of disruption to consumers using smart energy appliances, as well as the national grid, in turn bolstering the UK’s energy security.

The Cyber Security and Resilience Bill, then, represents a step change in how the Government protects people in an increasingly dangerous world, actively supporting the National Security Strategy. It will help to deliver greater economic stability, protect businesses and working people from the impact of cyber attacks and support further investment into the UK’s cyber security sector, which has contributed a substantial £13.2 billion to the economy in the latest financial year alone.

Simon Sheeran, head of cyber security oversight at the Civil Aviation Authority, commented: “The aviation sector contributes billions of pounds towards the UK’s economy and, of course, provides CNI. This Bill will help to improve cyber defences that are essential for maintaining the already very high safety standards in aviation. The Civil Aviation Authority protects people and enables aerospace within a global ecosystem. It’s fair to say that the need for aviation to defend as one is a national imperative.”

Jill Popelka, CEO of Darktrace, explained: “In an era where cyber criminals move faster, experiment freely and increasingly leverage AI to their advantage, the Cyber Security and Resilience Bill is an essential piece of legislation. It will improve the UK’s defences, enabling businesses and public services alike to securely harness the opportunities provided by technology and innovation.”

Popelka went on to state: “In recent years, we’ve seen cyber attackers increasingly target supply chains and Managed Service Providers. It’s promising to see the Bill recognise the risk across the digital ecosystem. It’s also good to see the Government’s focus on future-proofing the regulatory environment for cyber security and creating a stronger role for the National Cyber Security Centre’s own Cyber Assessment Framework. These changes will help to give organisations more confidence to adopt new technologies, while always remaining prepared for the next evolution in threats.”

Signal of ambition

Julian David OBE, CEO of techUK, said: “techUK welcomes the introduction of the Cyber Security and Resilience Bill to Parliament, which signals the Government’s ambition to modernise and future-proof the UK’s cyber laws, while in parallel fostering the resilience that will underpin our economic growth. This move marks a significant step forward when it comes to prioritising the security of our nation’s essential services.”   

Further, David affirmed: “techUK looks forward to continuing to engage with the Government as the Bill makes its way through Parliament in order to help ensure that the measures are fit for purpose, practically implementable and can deliver their intended outcomes, thereby protecting the UK from a diverse range of threats and enabling organisations to harness the benefits that technology can offer in the real world.”

Sarah Walker, CEO of Cisco for the UK and Ireland, commented: “We welcome the Government taking action to overhaul the UK’s cyber framework with the Cyber Security and Resilience Bill. This is a significant step in securing the UK against ever-increasing cyber threats.”

Walker added: “Our latest research shows the scale of the challenge ahead. Only 8% of UK organisations are classed as being ‘Mature’ in their cyber security readiness. As AI reshapes both attack and defence, we need regulation that keeps pace with this changing threat landscape. We’re looking forward to collaborating with the UK Government and working with our international partners to continue securing the digital economy.”

Jamie MacColl, senior research Fellow focused on cyber and tech at the Royal United Services Institute, said: “The events of 2025 have proven beyond doubt that improving national cyber security and resilience is essential for the UK’s economic security. The arrival of new legislation to better protect CNI is an important step in improving cyber resilience in the UK. However, it’s also vital that organisations outside the scope of the Bill ‘up their game’ on cyber security and resilience. We urgently need to build collective resilience to inspire confidence in the face of threats from hostile states and criminals.”

Company Info

Western Business Media

Dorset House
64 High Street
East Grinstead, England, United Kingdom
RH19 3DE
UNITED KINGDOM

01342 33 3714
