The UK Cyber Security and Resilience Bill 2025: What It Means and Why It Matters

The UK Cyber Security and Resilience Bill 2025 represents a major shift from sector-based cyber regulation to a broader national resilience framework. By expanding the NIS regime to data centres, managed service providers and critical suppliers, strengthening incident reporting, and introducing strategic governance and national security powers, the Bill closes long-standing gaps but raises challenges around proportionality, skills, regional delivery and SME impact.

Executive Summary (TL;DR)

The Cyber Security and Resilience (Network and Information Systems) Bill marks the most significant shift in UK cyber regulation since NIS 2018. It moves the UK from a narrow, sector-based model to a centrally steered national resilience framework by expanding regulation to data centres, managed service providers and critical suppliers, strengthening incident reporting, and granting government new strategic governance and national security direction powers.

The Bill closes several long-standing gaps. Supply-chain risk is regulated directly for the first time. Government gains clearer authority, stronger regulatory tools, sustainable funding mechanisms and a continuous strategic steering model backed by parliamentary oversight. In regulatory terms, the Bill finally provides the structural backbone that earlier strategies assumed but never delivered.

However, the Bill also introduces material and immediate risks, particularly for managed service providers, suppliers and SMEs newly brought into scope. The expanded perimeter is broad and designation-based, meaning organisations may become regulated without having previously identified themselves as critical. This creates a real discovery risk for firms embedded in regulated supply chains. This is designation-by-dependency, not self-identification.

Operational pressure increases sharply. The 24-hour and 72-hour incident reporting timelines, combined with mandatory customer notification duties, are demanding even for mature organisations. For smaller providers without 24/7 response, legal support or crisis communications capability, these obligations carry commercial, contractual and reputational risk if not carefully implemented.

Regulators are also granted wide information-gathering powers, including the ability to require the creation or retention of information, alongside new cost-recovery charging schemes whose scale is not yet defined. National security direction powers may require action under strict non-disclosure conditions, creating governance, insurance and accountability challenges for affected organisations.

The Bill’s success therefore depends less on its intent than on how it is delivered. Proportionality for SMEs, consistent implementation across regulators, early and practical guidance, and realistic assumptions about skills and capacity are all critical. The legislation assumes delivery infrastructure, skills pipelines, practitioner capacity and regional support that are currently uneven.

The good news is that the Bill also creates real leverage. It gives regions, cyber hubs, professional bodies and specialist SMEs a clear mandate to support compliance, capability-building and shared resilience. It enables clearer supplier assurance, stronger customer protection and a more predictable national baseline. Used well, compliance can become a differentiator rather than a drag.

In short, the Bill is a necessary and overdue foundation. It gives the UK authority and structure where there was fragmentation. Whether it produces resilience rather than regulatory friction will depend on how deliberately government, regulators and the ecosystem pair that authority with proportionality, guidance, skills investment and practitioner-led delivery. This article shows where the risks lie, and where the opportunities to get this right still exist.

Measured against earlier analysis of the Midlands defence cluster, the Bill reinforces rather than undermines existing concerns. It formalises the risk that mid-tier suppliers and SMEs can become critical through dependency rather than scale, while imposing incident response, reporting and disclosure duties that assume levels of capacity many firms do not currently have. At the same time, it strengthens the case for regional, practitioner-led delivery models. For clusters like the Midlands, the Bill increases short-term exposure but also provides the strongest mandate yet for shared resilience infrastructure, coordinated response capability and trusted regional cyber hubs.

Immediate Implications for SMEs, Suppliers and Boards (Read This First)

This section distils the practical consequences of the Bill for SMEs, suppliers and boards, focusing on where risk concentrates first and what must change immediately.

How The Bill Is Punitive In Practice (What This Really Means)

The Bill’s primary punitive effect is not fines, but enforced exposure and compressed response under regulatory control. Once an organisation is designated, it operates inside unforgiving incident-reporting timelines, mandatory customer notification duties and broad information-gathering powers, regardless of size or intent.

Compliance introduces unavoidable overhead through cost recovery schemes, operational strain through 24/72-hour reporting clocks, and commercial risk when incidents become disclosed events rather than internal technical matters. In rare cases, national security directions may also require action under non-disclosure constraints, complicating governance, insurance and audit.

In practice, the regime punishes fragility rather than wrongdoing: capacity assumptions are imposed by dependency, not by preparedness, and the consequences fall hardest on organisations with the least spare operational margin.

What SMEs Should Worry About

You may already be in scope… without knowing it
If you supply regulated organisations, MSPs, defence primes or critical infrastructure, you can be designated a critical supplier regardless of size or sector. Regulation is dependency-based, not self-declared.

Incident response clocks are unforgiving
Initial notification within 24 hours and full reporting within 72 hours is challenging without 24/7 monitoring, legal input and communications support. Missed or poor reporting now carries regulatory and contractual consequences.

Customer notification is mandatory
MSPs and digital service providers must identify and notify affected customers. This turns cyber incidents into commercial and reputational events, not just technical ones.

Information-gathering powers are broad
Regulators can require information to be produced or retained, potentially creating cost, governance and confidentiality pressure even where no incident has occurred.

Costs are uncertain but real
Charging schemes allow regulators to recover costs. For SMEs newly in scope, this introduces financial exposure before fees, thresholds or exemptions are fully defined.

National security directions may override normal governance
In rare but serious cases, firms may be required to act under non-disclosure constraints, complicating board oversight, insurance, audit and internal accountability.

What SMEs Should Do Now

Map your criticality, not just your size
Understand who depends on you, where aggregation risk exists, and whether you sit in regulated or defence-adjacent supply chains.

Stress-test your incident response realistically
Ask whether you can meet a 24-hour regulatory notification with evidence, judgement and accuracy, not just technical alerts.

Clarify customer notification pathways
Know who decides, who signs off, and how customers will be informed when incidents cross reporting thresholds.

Prepare for regulatory engagement
Ensure governance, contact details, decision authority and record-keeping are clear and current. Ambiguity increases risk.

Use compliance as a trust signal
Early alignment with the Bill’s expectations can become a commercial differentiator, especially in regulated and defence supply chains.

Do not do this alone
Shared services, regional hubs, professional bodies and trusted advisors reduce cost and risk far more effectively than isolated compliance efforts.

Why The Bill Is Good News for Regions & Cyber SMEs

The Bill creates sustained demand for compliance support, incident readiness, assurance, testing and supplier governance, exactly the services regional cyber SMEs and hubs are positioned to provide. It strengthens the case for shared regional infrastructure, practitioner-led delivery and cluster-level resilience, turning cyber capability from a discretionary service into essential economic infrastructure. Regions that organise early can reduce SME burden, raise resilience collectively and capture long-term value from the regulatory shift.

Board-Level Risk Statement

If your organisation is critical to someone else’s operations, this Bill regulates you whether you planned for it or not, and the clock starts at first incident, not first warning.

1. Introduction

The Cyber Security and Resilience (Network and Information Systems) Bill (CSRB) is the most significant change to the UK’s cyber regulatory framework since the Network and Information Systems Regulations were introduced in 2018. It expands the scope of regulation beyond a narrow set of essential services to include data centres, managed service providers and critical suppliers, and introduces new governance, enforcement and national security powers.

This article examines what the Bill does, how it alters the structure of the existing NIS regime, and what those changes mean in practice. It does not treat the Bill as a list of policy measures, but as an attempt to reshape the UK’s approach to cyber resilience by redefining who is regulated, how responsibilities are allocated, and how government steers and enforces resilience across sectors.

The analysis begins with a structured summary of the Bill, followed by a direct comparison with the NIS Regulations 2018 to clarify what has changed and why. It then assesses the Bill’s strengths and weaknesses, with particular attention to proportionality, implementation risk, regulatory consistency and the impact on organisations newly brought into scope, especially SMEs.

The article also considers the Bill from different perspectives, including regional cyber hubs, cyber SMEs, professional bodies, regulators and central government, before situating it within the wider body of work on horkan.com that argues cyber must be treated as economic infrastructure rather than a purely technical or sector-specific concern. The conclusion sets out where the Bill strengthens the national framework, and where delivery, skills and regional capacity will determine whether it succeeds.

2. Summary of the Bill

The Cyber Security and Resilience (Network and Information Systems) Bill (CSRB) amends the existing Network and Information Systems Regulations 2018 (NIS) and builds a broader statutory framework for the security and resilience of network and information systems that support “essential activities” in the UK.

Part 2 updates the NIS Regulations. It widens the scope of who is regulated (including data centre operators, certain load controllers in the energy system, relevant digital service providers, managed service providers, and “critical suppliers”) and tightens obligations on incident reporting, information provision and cooperation. It also introduces clearer, more expansive information-gathering powers and formal mechanisms for recovering regulatory costs and applying financial penalties.

A key structural change is the explicit regulation of data centre services as an “essential service” with threshold requirements (1 MW for general data centres, 10 MW for enterprise data centres), and the creation of the categories Relevant Digital Service Providers (RDSPs) and Relevant Managed Service Providers (RMSPs), each with explicit duties to manage cyber risks and mandatory registration with the ICO (which must share registers with GCHQ).

The Bill also creates a new concept of “critical suppliers” – organisations whose failure could significantly disrupt essential services or key digital/managed services – and allows competent authorities or the ICO to designate and regulate them directly, subject to consultation and coordination requirements.

Part 3 steps beyond NIS and gives the Secretary of State a broader framework to regulate the security and resilience of network and information systems used for “essential activities” (defined by secondary legislation). This includes: specifying which activities are regulated; designating “regulatory authorities”; issuing a Statement of Strategic Priorities; making further regulations on security and resilience across sectors; issuing a statutory code of practice; and producing periodic reports on NIS-related legislation.

Part 4 gives the Secretary of State significant national security direction powers. Where NIS-type threats pose national security risks, the SoS can direct regulated persons and regulatory authorities to take specific actions, require secrecy about the existence/content of directions, and disapply conflicting regulatory requirements so that compliance with the national security direction takes priority. There are supporting powers around monitoring, inspections, information-gathering and enforcement (including penalties).

Part 5 deals with extent, commencement and short title, and confirms that the legislation applies across the UK and will become the Cyber Security and Resilience (Network and Information Systems) Act 2026 once enacted.

2.1 Key Items

2.1.1 Extends the NIS Regulations

  • Large data centres
    Including enterprise data centres that host or process significant volumes of critical digital infrastructure.
  • Managed service providers
    Relevant providers that remotely manage customers’ IT systems and introduce significant supply chain exposure.
  • Digital service providers
    A refreshed category covering online marketplaces, online search engines and cloud computing services.
  • Critical suppliers
    A new class of suppliers whose disruption could significantly impact essential services or the wider economy and society.

2.1.2 Clarifies and strengthens incident reporting

  • Broader definition of incidents
    Includes events that affect, or could affect, the operation or security of network and information systems.
  • Clear significance thresholds
    Based on disruption level, number of users affected, geography, duration and impact on confidentiality, integrity or availability.
  • Structured reporting timelines
    Initial notifications within 24 hours and full notifications within 72 hours for qualifying incidents across all regulated groups.
  • Formalised CSIRT role
    CSIRT receives notifications, supports coordinated response and facilitates cross border information sharing.

2.1.3 Places new duties on managed service providers and digital services

  • Manage risk appropriately
    Identify and take proportionate measures to secure the network and information systems used to provide their services.
  • Maintain accurate regulatory information
    Register with the Information Commissioner, keep contact and governance details up to date and cooperate with authorities.
  • Notify affected customers
    Inform customers likely to be impacted by an incident and provide meaningful information on nature and expected impact.

2.1.4 Introduces essential activities and regulated persons

  • Expand scope beyond original NIS sectors
    Enables the Secretary of State to specify additional essential activities as required.
  • Ensure broad regulatory coverage
    Treats operators of essential services, digital service providers, managed service providers and critical suppliers as regulated persons for new security and resilience duties.

2.1.5 Establishes a strategic governance framework

  • Creating a statement of strategic priorities
    Sets government priorities for cyber security and resilience of systems supporting essential activities.
  • Directing regulator behaviour
    Requires regulatory authorities to consider and work towards the objectives set out in the strategic priorities.
  • Supporting parliamentary oversight
    Mandates annual reports to Parliament on regulators’ performance and plans relating to these priorities.

2.1.6 Creates powers to make further regulations on security and resilience

  • Targeted requirements on regulated persons
    Allows the Secretary of State to impose technical, organisational and reporting obligations, and require appointment of UK representatives.
  • Addressing operational compromise
    Provides scope for regulations to handle security or operational compromise and to manage risks relating to activity critical supplies.

2.1.7 Provides for a statutory code of practice

  • Applies across the regulatory landscape
    Covers persons with duties under the new regulations and the existing NIS Regulations.
  • Drives consistency
    Must be considered by regulators when performing their functions to encourage uniform expectations and enforcement.

2.1.8 Strengthens regulatory tools and resourcing

  • Expanded information gathering powers
    Includes extraterritorial reach and the ability to require organisations to generate or retain relevant information, with legal privilege safeguards.
  • Cost recovery mechanisms
    Allows regulators to recover the cost of their functions through periodic charges on regulated entities.
  • Updated penalties and appeals
    Modernises enforcement notices, financial penalties and the appeals framework.

2.1.9 Creates a national security directions regime

  • Enables binding national security directions
    Allows the Secretary of State to require specific actions from regulated persons and regulatory authorities when cyber threats risk national security.
  • Ensures enforceable compliance
    Includes monitoring, inspection, enforcement powers and strict non disclosure provisions.

3. Comparison with the Network and Information Systems Regulations 2018

3.1 Overall structural comparison

The Network and Information Systems Regulations 2018 (NIS 2018) implemented the original EU NIS Directive and created the UK’s first national framework for network and information systems security. They did three main things:

  • Identified operators of essential services (OES) in specific critical sectors such as energy, transport, health, drinking water and digital infrastructure, with security and incident reporting duties.
  • Designated relevant digital service providers (RDSPs), namely certain online marketplaces, online search engines and cloud computing services, with lighter but still significant obligations.
  • Established the national strategy, competent authorities, Single Point of Contact (SPOC) and CSIRT, together with an enforcement regime of information notices, compliance notices and financial penalties.

The Cyber Security and Resilience (Network and Information Systems) Bill sits on top of and amends this regime rather than replacing it entirely. Structurally:

  • NIS 2018 is a set of regulations focused on specific sectors and RDSPs, with limited flexibility to expand scope or shape supply chain obligations.
  • The new Bill keeps that core but:
    • Expands who is regulated under NIS 2018, including data centres, managed service providers and critical suppliers.
    • Adds a new Part 3 framework for essential activities, strategic priorities, new regulation making powers and a statutory code of practice.
    • Adds Part 4 to create a national security directions regime, giving the Secretary of State powers to direct both regulated entities and regulators.

In short, NIS 2018 is a set of sectoral cyber regulations. The Bill converts that into a broader national cyber resilience architecture with more actors, more tools and more active central steering.

International context (EU NIS2 comparison): Unlike EU NIS2, the UK framework remains more flexible and narrower in sectoral scope, relying on secondary legislation and designation rather than fixed expansion to manufacturing, food or waste. This reduces immediate burden but increases uncertainty for cross-border firms.

3.2 Detailed comparison aligned to the key points

Using the key items set out in section 2.1 as the spine, this is how the new Bill differs from the original NIS Regulations.

3.2.1 Extends the NIS Regulations

Under NIS 2018

  • The regime focused on:
    • Operators of essential services (OES) identified in specific sectors and subsectors listed in Schedule 2, such as energy, transport, health, water, and certain digital infrastructure providers.
    • Relevant digital service providers (RDSPs), defined quite narrowly as certain online marketplaces, online search engines and cloud computing services that met EU-level thresholds.
  • Data centres appeared only indirectly, where they formed part of digital infrastructure or supported essential services, but they were not explicitly regulated as a distinct category.
  • Managed service providers were not directly regulated. Any security obligations were indirect, via contracts with OES or RDSPs or other regulatory regimes.
  • There was no formal category of critical suppliers. Supply chain risks were recognised in the guidance and in the duties of OES and RDSPs, but suppliers themselves were not separately regulated as such.

Under the new Bill

  • Large data centres are explicitly brought in as operators of essential services in a new data infrastructure subsector, including enterprise data centres.
  • Managed service providers that meet defined criteria become relevant managed service providers (RMSPs) with direct regulatory duties.
  • Digital service providers are retained but reframed as providers of relevant digital services, still covering online marketplaces, online search engines and cloud computing services, with updated obligations.
  • A new class of critical suppliers is created. These are suppliers whose failure could significantly disrupt essential services, relevant digital services or managed services and therefore impact the wider economy or society.

Net effect: the scope shifts from a relatively narrow set of operators and RDSPs to a wider ecosystem of infrastructure, platforms, managed services and key suppliers.

3.2.2 Clarifies and strengthens incident reporting

Under NIS 2018

  • OES and RDSPs had duties to notify incidents which had a significant impact on the continuity of essential services or on the provision of RDSP services.
  • Thresholds for what counted as a significant incident were set out in the Regulations and, for RDSPs, further specified by the EU Implementing Regulation on substantial impact.
  • The Regulations required notification without undue delay and in any event within 72 hours of the operator becoming aware of the incident, but there was no staged structure of initial and full notifications of the kind the new Bill introduces.
  • The CSIRT and SPOC had roles in receiving and coordinating information, including the possibility of reporting to European bodies, but cross border information flows were constrained by the EU framework and subsequent Exit amendments.

Under the new Bill

  • The definition of an incident is broadened to include events that affect or are capable of affecting the operation or security of network and information systems, not just service continuity.
  • The Bill introduces clear, unified significance criteria for all regulated groups, based on disruption, number of users affected, geography, duration and impact on confidentiality, integrity and availability.
  • It sets structured timelines:
    • An initial notification within 24 hours, followed by
    • A full notification within 72 hours, for qualifying incidents across OES, data centre operators, digital service providers and managed service providers.
  • It formalises the role of CSIRT in receiving copies of notifications, supporting responders, providing feedback and coordinating information sharing with relevant authorities in other countries, where impact is cross border.
  • The Bill also explicitly provides for public interest disclosure of incidents, either by authorities or by direction to the regulated entity, which goes beyond the more limited and EU focused reporting structure in NIS 2018.

Net effect: incident reporting moves from a mainly continuity focused, EU derived scheme to a broader, security and resilience focused scheme with defined timescales and stronger coordination tools.

3.2.3 Places new duties on managed service providers and digital services

Under NIS 2018

  • RDSPs had security and incident reporting duties, but:
    • The scope was relatively narrow and heavily aligned to the EU definitions and impact parameters.
    • There were no explicit duties to notify customers directly about incidents, beyond what might be implied by general data protection or contractual obligations.
  • Managed service providers were not regulated under NIS 2018, so:
    • There were no direct statutory duties to take specific cybersecurity measures.
    • Any duties came indirectly through contracts with OES, RDSPs or other regulated organisations.

Under the new Bill

  • Managed service providers:
    • Must take appropriate and proportionate measures to manage risks to the network and information systems they use to provide managed services.
    • Must register with the Information Commissioner, keep contact and governance information updated, and cooperate with authorities.
    • Have a specific duty to identify which customers are likely to be adversely affected by an incident and notify them, with meaningful information on nature and impact.
  • Relevant digital service providers:
    • Keep and refine their security and incident reporting duties under a domestic framework rather than relying on the EU Implementing Regulation.
    • Are more tightly connected to the new concepts of critical suppliers and essential activities.

Net effect: the Bill converts managed service providers from an unregulated but important risk channel into first class regulated entities, and strengthens the customer facing obligations of both MSPs and digital services.

3.2.4 Introduces “essential activities” and “regulated persons” concepts

Under NIS 2018

  • The focus was on essential services as defined in Schedule 2, and relevant digital services, each associated with sector based competent authorities.
  • There was no overarching concept of essential activities outside this list, and no unified category of regulated persons beyond what the Regulations described for OES and RDSPs.

Under the new Bill

  • Part 3 defines essential activities as activities which the Secretary of State considers essential to the economy or the day to day functioning of society, with power to specify these in regulations.
  • It treats:
    • Essential services under NIS 2018
    • Relevant digital services
    • Managed services
      as essential activities by default, and designates a wider set of regulatory authorities to oversee them.
  • It introduces the notion of regulated persons, bringing together operators of essential services, relevant digital service providers, relevant managed service providers and critical suppliers into a single regulatory category for the purposes of new security and resilience regulations.

Net effect: the system moves from a fixed list of sectors and services to a flexible, activity based model that can be extended as dependencies change.

3.2.5 Establishes a strategic governance framework

Under NIS 2018

  • There was a duty to publish a national strategy for the security of network and information systems across the specified sectors and digital services.
  • There were review provisions, including regulatory impact review obligations, but these were more focused on regulatory effectiveness than on continuous strategic steering.

Under the new Bill

  • The Secretary of State can issue a statement of strategic priorities for the security and resilience of network and information systems used for essential activities.
  • Regulatory authorities must have regard to this statement and must seek to achieve the objectives it sets when exercising their functions.
  • The Secretary of State must produce an annual report to Parliament explaining how regulators have complied with the duties relating to the statement and how they plan to comply in the future.

Net effect: strategic governance evolves from a one off national strategy document to an ongoing, Parliament facing framework, giving central government a clearer steering role.

3.2.6 Creates powers to make further regulations on security and resilience

Under NIS 2018

  • Powers to make regulations were more limited and largely tied to:
    • Amending schedules or thresholds.
    • Implementing or adjusting for EU level obligations.
  • The Regulations were relatively static and focused on the initial sectors and RDSP definition.

Under the new Bill

  • The Secretary of State gains broad regulation making powers to:
    • Impose specific security and resilience requirements on regulated persons.
    • Set technical and organisational measures.
    • Define reporting obligations and require appointment of UK representatives.
    • Address security or operational compromise and activity critical supplies.
  • These powers can be used to adapt the regime over time without needing a completely new primary legislation cycle.

Net effect: the regime becomes much more adaptable, able to track technological and threat changes more quickly.

3.2.7 Provides for a statutory code of practice

Under NIS 2018

  • There was provision for guidance by competent authorities and the Information Commissioner, but not a single statutory code of practice with defined legal status across the whole regime.

Under the new Bill

  • A code of practice can be issued, covering:
    • Persons with duties under the new security and resilience regulations.
    • Persons with duties under the existing NIS Regulations.
  • Regulators must have regard to the code, and guidance issued under NIS 2018 must be consistent with it where relevant.

Net effect: the system gains a formal, cross sector benchmark for what good looks like, intended to support more consistent regulation.

3.2.8 Strengthens regulatory tools and resourcing

Under NIS 2018

  • The enforcement regime included:
    • Powers to require information from OES and RDSPs.
    • Enforcement notices and financial penalties.
  • However:
    • Information gathering powers were narrower and less explicit about reaching beyond the regulated entity or requiring new information to be generated.
    • There was no general, structured cost recovery mechanism allowing periodic charges to fund the regulators’ work.

Under the new Bill

  • NIS information gathering provisions are replaced and expanded so that:
    • Competent authorities and the Information Commissioner can require information or documents that are reasonably needed, including from third parties likely to hold relevant information.
    • In some cases, entities can be required to generate or retain information that they would not otherwise keep, subject to safeguards such as legal professional privilege.
  • A new charging scheme power allows NIS enforcement authorities to impose periodic charges to recover their relevant costs for exercising functions under NIS 2018 and the new Act.
  • Enforcement and appeals are consolidated and refreshed, with updated penalty provisions and clearer procedural rules.

Net effect: regulators gain stronger tools and sustainable resourcing, making enforcement more practical and predictable.

3.2.9 Creates a national security directions regime

Under NIS 2018

  • National security concerns were implicit in the importance of the sectors covered, but:
    • There was no dedicated regime giving the Secretary of State power to issue binding directions to NIS regulated entities for national security reasons.
    • Any such directions would have to rely on other legislative powers outside the NIS framework.

Under the new Bill

  • Part 4 creates a self contained national security directions regime, under which:
    • The Secretary of State can give binding directions to regulated persons where threats to network and information systems pose a risk to national security.
    • Directions can also be issued to regulatory authorities themselves, requiring them to act or refrain from acting in particular ways.
    • There are powers for monitoring, inspection, enforcement of directions, and enforcement of non disclosure requirements about the existence or content of those directions.

Net effect: national security is given dedicated, explicit tools within the NIS framework, rather than being handled solely through separate legislation.

3.3 Summary of the Key Differences

The new Cyber Security and Resilience Bill significantly expands, strengthens and modernises the original NIS 2018 regime. In simple terms:

3.3.1 Scope becomes much wider

  • The 2018 Regulations focused on a narrow set of essential services and a limited set of digital service providers.
  • The new Bill brings in large data centres, managed service providers and critical suppliers, creating a much broader and more realistic picture of the digital ecosystem.

3.3.2 Supply chain risk is finally regulated directly

  • NIS 2018 relied on operators to manage supplier security through contracts.
  • The new Bill places direct obligations on managed service providers and critical suppliers, closing a major gap in the original framework.

3.3.3 Incident reporting becomes more structured and more demanding

  • NIS 2018 required timely reports but lacked standard timings and consistent criteria.
  • The new Bill requires 24 hour initial reports and 72 hour full reports, with unified significance thresholds and a formal role for the CSIRT.

3.3.4 Government gains stronger tools and clearer authority

  • NIS 2018 had limited flexibility to expand scope or impose new requirements.
  • The new Bill gives the Secretary of State broad regulation making powers, a statutory code of practice and the ability to define essential activities.

3.3.5 Strategic direction becomes centralised and continuous

  • NIS 2018 required a national strategy, largely static once published.
  • The new Bill introduces a statement of strategic priorities with mandatory annual Parliamentary reporting.

3.3.6 Regulators gain more power and stable funding

  • NIS 2018 had weaker information gathering powers and no periodic charging.
  • The new Bill expands data collection powers, allows cost recovery, modernises penalties and strengthens enforcement.

3.3.7 National security becomes an explicit pillar

  • NIS 2018 had no dedicated national security mechanism.
  • The new Bill creates a full national security directions regime with binding powers and confidentiality requirements.

4. Strengths and Weaknesses of the Bill

4.1 Strengths

4.1.1 Broader and more realistic coverage of critical digital infrastructure

The Bill extends the NIS regime to large data centres, managed service providers and critical suppliers. This closes major gaps in the original framework and reflects the reality that modern digital services depend heavily on outsourced infrastructure and supply chains. The explicit regulation of data centres and managed service providers strengthens the UK’s baseline cyber resilience.

4.1.2 Clear and consistent incident reporting requirements

The Bill introduces a structured reporting regime, requiring initial notifications within 24 hours and full reports within 72 hours. It also formalises the role of the CSIRT in receiving notifications and supporting coordinated responses. This creates a much more predictable incident management framework across all regulated persons.

4.1.3 Stronger protection for customers via direct notification duties

Managed service providers must identify potentially affected customers and notify them with meaningful details, including the nature and impact of incidents. This introduces transparency where the original regime offered little, and supports quicker mitigation for organisations affected by supplier incidents.

4.1.4 Strategic leadership and parliamentary accountability

The Bill creates a statement of strategic priorities for cyber security and resilience, with annual reporting to Parliament. This adds top level direction, regular review and clear accountability for regulators, addressing the static nature of the 2018 strategy requirement.

4.1.5 Expanded powers for regulators and sustainable funding

The Bill strengthens the tools available to enforcement authorities, including broader information gathering powers and the ability to require generation or retention of information. It also introduces charging schemes that allow regulators to recover costs across both the amended NIS Regulations and the new framework. This supports consistent oversight and avoids reliance on general government budgets.

4.1.6 Dedicated national security powers

The Bill introduces a national security directions regime, enabling binding instructions to regulated persons and regulators where network and information systems pose national security risks. This gives government the legal tools to intervene rapidly and confidentially in high risk scenarios.

4.1.7 Ability to adapt quickly through new regulation making powers

Unlike the original NIS Regulations, the Bill allows the Secretary of State to specify essential activities, designate regulatory authorities and impose further security and resilience requirements. This provides the flexibility needed to respond to new technologies, emerging risks and changing dependencies without requiring new primary legislation.

4.2 Weaknesses

4.2.1 Increased regulatory burden, especially for SMEs

The inclusion of managed service providers and critical suppliers introduces significant new compliance requirements. Smaller providers may struggle with the cost and complexity of risk management duties, incident reporting obligations, customer notification requirements and potential charges under cost recovery schemes.

4.2.2 Potential uncertainty during transition

Although the Bill provides for transitional arrangements, the expansion of scope to new sectors may create uncertainty for organisations that are regulated for the first time. Defining thresholds, understanding obligations and adjusting internal processes may take time, and guidance may not be available early enough for smooth adoption.

4.2.3 Risk of inconsistent implementation across regulatory authorities

The Bill designates multiple regulatory authorities for essential activities and imposes new duties on competent authorities and the Information Commissioner. Without strong coordination and clear guidance, regulated persons could face inconsistent expectations, procedures or enforcement outcomes across different sectors.

4.2.4 Broad information gathering powers may raise concerns

Regulators gain extensive powers to request information, including the ability to require the creation of new information. Although safeguards exist, some organisations may be concerned about proportionality, confidentiality and the operational impact of compliance with wide ranging information requests.

4.2.5 Cost recovery could introduce financial pressures

Regulators can impose periodic charges to recover costs incurred in exercising their functions. For organisations newly brought into scope, especially critical suppliers and managed service providers, this may introduce new financial burdens that are difficult to predict or budget for until charging schemes are published.

4.2.6 National security directions may require action without transparency

The national security directions regime includes strict non disclosure requirements. While necessary for sensitive operations, these provisions may limit transparency within organisations and complicate governance, risk management and internal accountability.

4.2.7 Risk of overlap with other regulatory regimes

Organisations that are already regulated under other cyber or resilience frameworks, such as financial services or telecommunications, may face overlapping requirements or duplicated reporting duties. Without strong harmonisation, this could create inefficiencies or conflicting expectations.

4.3 Addressing the Weaknesses

This section provides practical ways to mitigate or eliminate the weaknesses identified in the Bill. Each point aligns directly with the earlier weaknesses analysis, allowing the article to flow into recommendations later.

4.3.1 Reducing the compliance burden on SMEs and smaller suppliers

The Bill could include clearer proportionality mechanisms for smaller providers. Regulators should publish sector specific guidance that sets out minimum expectations for different sizes and types of organisations. This would help ensure that small firms are not held to the same operational scale as large providers unless the risk impact genuinely requires it. Incentives, templates and shared services through cluster organisations or regional bodies could reduce the cost of compliance.

4.3.2 Improving clarity and certainty during the transition period

The transition from the 2018 regime to the new framework will be smoother if the Government and regulators publish guidance early, ideally before commencement dates. Clear sector thresholds, decision trees and examples of what constitutes essential activities or regulated persons would reduce uncertainty. Transitional support channels, including phased compliance windows, could allow newly regulated entities more time to adjust their processes.

4.3.3 Ensuring consistent implementation across regulatory authorities

The Bill already encourages coordination, but this could be strengthened through shared guidance, joint inspections and cross authority protocols. A central forum or working group could support consistent interpretation of duties, ensuring that organisations regulated by multiple authorities receive aligned direction. Adoption of the statutory code of practice should help unify interpretation across sectors.

4.3.4 Reassuring organisations about the scope of information gathering powers

Regulators should publish clear criteria for when information gathering powers will be used and how proportionality will be applied. Explaining how confidential information is handled, protected and retained, and how legal privilege is respected, will help build trust in the expanded powers. Regular audits or transparency reports could also reduce concern.

4.3.5 Managing financial impacts arising from cost recovery mechanisms

Charging schemes should be transparent, predictable and proportionate. Regulators could adopt tiered charging that reflects organisational scale or risk level. Publishing expected cost ranges in advance would help organisations budget effectively. Government could consider transitional subsidies or partial fee waivers for smaller organisations in the early years.

4.3.6 Balancing national security directions with organisational governance needs

The confidentiality of national security directions is important but can create challenges for internal decision making. Providing regulated entities with clear guidance on how to manage internal accountability when under a non disclosure requirement would mitigate this. Establishing secure communication channels and named points of contact within regulators and government could also help organisations respond effectively while maintaining secrecy.

4.3.7 Minimising overlap with other regulatory regimes

Government should work closely with existing regulators to eliminate duplicated reporting, conflicting obligations or unnecessarily repeated assessments. Harmonised reporting formats, integrated incident reporting portals and cross regime recognition of equivalent controls would help organisations that operate across multiple frameworks. Consistency in terminology across regimes would reduce confusion.

5. Reviewing the Bill Through Different Lenses

The Cyber Security and Resilience Bill has broad implications across the UK cyber ecosystem. Different communities, organisations and professional bodies will view the Bill through their own priorities, constraints and ambitions. This section explores how the Bill appears when viewed from several key perspectives.

The following perspectives illustrate how the same legislation creates very different risks, incentives and delivery challenges depending on where an organisation sits in the cyber ecosystem.

5.1 The West Midlands Cyber Hub – A Cyber Community Endeavour

From a community and ecosystem-building perspective, the Bill strengthens the argument for regional collaboration on cyber resilience. The inclusion of data centres, managed service providers and critical suppliers creates a wider group of organisations that need support, training and guidance. This aligns well with the mission of community cyber hubs, which aim to connect local stakeholders and raise the regional security baseline.

The Bill also reinforces the need for shared incident response readiness. Community hubs can help coordinate exercises, facilitate information sharing and enable consistent interpretation of duties, especially for smaller organisations that lack internal expertise. The introduction of strategic priorities and annual reporting to Parliament provides communities with a clearer view of national direction, enabling local hubs to align their programmes accordingly.

5.2 Cyber Tzar – A Cyber SME Perspective

For cyber SMEs, the Bill presents a mixture of commercial opportunity and operational challenge. On one hand, the expanded scope means more organisations will be seeking support with compliance, operational resilience and continuous security improvement. This increases market demand for specialist services, assessments, tooling and advisory expertise.

However, the Bill also introduces potential burdens for SMEs that operate as managed service providers or critical suppliers. They may face new registration requirements, customer notification duties and charges under cost recovery schemes. Cyber SMEs must therefore understand whether they are regulated persons, prepare for incident reporting obligations and ensure they can meet appropriate and proportionate measures. For firms that position themselves as trusted suppliers, compliance can become a commercial differentiator, but resource constraints may make implementation demanding.

5.3 The IET, BCS or Other Professional Membership Organisations

Professional bodies such as the IET and BCS will recognise the Bill as a significant evolution of the UK’s cyber resilience framework, but their reactions are likely to diverge based on past positions. The IET in particular was vocal during previous consultations about the disproportionate impact that the NIS Regulations had on smaller businesses. Their principal concern was that compliance obligations risked overwhelming SMEs that lacked the financial resources, specialised staff or operational resilience typically found in larger organisations.

From that standpoint, the IET may approach the new Bill with cautious optimism. The inclusion of codes of practice, clearer regulatory powers and a more structured approach to strategic priorities provides opportunities for consistent guidance and professional standards. At the same time, the expansion of scope to managed service providers and critical suppliers raises familiar concerns about regulatory burden on smaller firms, especially those newly entering the regulated perimeter.

The IET and similar organisations will likely push for strong proportionality in both enforcement and guidance, ensuring that expectations for SMEs remain realistic and risk based. They may also advocate for improved professional development pathways, updated competency frameworks and accessible certification programmes to help smaller businesses meet the new requirements. For the BCS and other bodies focused on digital professionalism, the Bill supports ongoing efforts to promote secure engineering practice and continuous professional learning, but they too will be sensitive to the need for fair treatment of smaller organisations.

Overall, professional membership organisations will welcome the Bill’s intent, but will judge its success on how well it mitigates unintended impacts on small businesses, a concern that remains central to their role as advocates for practitioners across organisations of all sizes.

5.4 The WMCA or Similar Regional Authorities

For combined authorities such as the WMCA, the Bill provides both a policy lever and an operational challenge. The expanded list of regulated persons includes many entities embedded within regional supply chains, infrastructure and local digital ecosystems. This increases the importance of regional coordination on cyber resilience, linked to economic development, local government services and public sector transformation programmes.

Regional authorities may also wish to support SMEs and critical suppliers in understanding their new obligations. Guidance, regional programmes, co funded training, and resilience partnerships could help reduce compliance burdens and raise maturity levels. The strategic priorities framework offers a clear national direction that regional bodies can integrate into their digital and infrastructure strategies.

The national security directions regime also intersects with local emergency planning and crisis response structures, meaning regional authorities may need to strengthen coordination mechanisms with central government and regulated entities.

5.5 Organisations, SMEs and Enterprises

For most organisations, whether regulated directly or indirectly, the Bill changes the landscape in several important ways. Managed service providers and critical suppliers will face new obligations, so customer organisations must account for this in procurement, contract management and due diligence processes. Enterprises relying heavily on digital services and outsourced IT will benefit from clearer duties on suppliers, especially around incident notification and risk management.

However, organisations newly entering the regulated perimeter may need to invest in governance, incident response planning, supply chain oversight and compliance processes. Larger enterprises may welcome the clarity and strengthened national posture, while smaller organisations may need external support to understand and meet their obligations. Clear guidance and proportionality will be crucial for fair and workable compliance.

For all organisations, the shift from continuity to broader resilience encourages a more holistic approach to cyber risk, covering data, cloud, supply chain and operational integrity.

5.6 DSIT (Department for Science, Innovation and Technology)

For DSIT, the Bill represents a consolidation of its role as the central authority for cyber resilience. It provides DSIT with a clearer regulatory spine, stronger levers for shaping national policy and a framework that connects security, resilience and economic growth. Bringing data centres, managed service providers and critical suppliers into scope closes gaps that have long undermined national resilience and aligns with DSIT’s ambition to modernise the UK’s digital infrastructure.

However, the Bill also introduces challenges. DSIT must coordinate multiple regulatory authorities, each with different levels of maturity, sector contexts and internal capacity. Without careful management, there is a risk of uneven implementation or policy divergence. DSIT must also ensure that guidance is timely, practical and informed by practitioner insight. The department’s credibility will depend on its ability to produce proportional and workable expectations, especially for SMEs. DSIT now carries a responsibility to engage deeply with industry, regions and professional bodies so the Bill delivers consistent and realistic outcomes.

5.7 NCSC (National Cyber Security Centre)

The NCSC is likely to view the Bill as a welcome strengthening of the national approach to cyber resilience. Clearer incident reporting requirements improve visibility of systemic risk, and direct regulation of managed service providers and critical suppliers aligns with what the NCSC has been advising for years. The Bill formalises the role of CSIRT and enhances the national ability to coordinate responses across sectors and borders.

Yet the Bill also shifts the NCSC’s position within the broader governance landscape. The NCSC remains the UK’s primary technical authority, but enforcement powers sit with regulators and DSIT rather than with the NCSC itself. The centre must therefore work through others to ensure that technical reality is reflected in regulatory expectations. This requires strong collaboration with regulators, consistent translation of best practice into sector guidance and ongoing support for industry in understanding what “appropriate and proportionate measures” mean in real operational terms. The increased volume of incident reporting may also strain resources unless capacity is expanded.

5.8 UKTL (UK Technology Leadership bodies: DSIT, CDDO, GDS, UK Cyber Security Council and aligned authorities)

Across the wider constellation of UK technology leadership organisations, the Bill presents both an opportunity and a test. It offers a regulatory framework that these bodies can anchor into, allowing more coherent messaging on resilience, best practice and secure-by-design principles. It also creates a clearer foundation for professionalisation, enabling the UK Cyber Security Council and professional bodies to align competency frameworks, certifications and training pathways with regulated duties.

The challenge is avoiding fragmentation. DSIT, CDDO, GDS and the Cyber Security Council have overlapping responsibilities and varied remits. Without strong coordination, guidance may diverge, resulting in confusion for regulated persons. The Bill’s ambitions will only be realised if these organisations harmonise expectations, share intelligence and develop consistent standards. This will require deliberate effort, shared programmes of work and a commitment to practitioner-informed policy design. The potential prize is a more unified national approach to cyber resilience and professional standards across government and industry.

5.9 Other HMG Bodies (Cabinet Office, Home Office, MoD, sector regulators and national authorities)

Beyond DSIT and the NCSC, the Bill affects a wide range of government departments and regulators whose responsibilities intersect with national resilience, critical infrastructure and economic security. For these bodies, the Bill provides a more robust foundation for overseeing the resilience of the sectors they regulate. It clarifies expectations for incident reporting, introduces duties for previously unregulated parts of the supply chain and strengthens the tools available for intervention.

However, the Bill also places significant demands on departments and regulators with varying levels of cyber maturity. Some may need to upgrade internal capability to interpret technical obligations, manage increased information flows or support regulated entities during transition. The national security directions regime in particular requires close coordination between central government, regulators and operators to ensure that sensitive interventions are effective and confidential. Departments will need to collaborate more closely, build stronger links with industry and align their internal systems with the resilience standards they expect others to meet.

5.10 Combined Stakeholder Impact Table

This table summarises how the Cyber Security and Resilience Bill affects each stakeholder group across four dimensions: opportunities, concerns, required actions and likely long-term impact.

5.10.1 Stakeholder Impact Table

Each stakeholder is listed with its Opportunities, Concerns / Risks, Required Actions and Long-Term Impact.

West Midlands Cyber Hub (community endeavour)
  • Opportunities: Wider regulated perimeter brings more organisations into the ecosystem; stronger case for regional coordination; increased demand for community training, exercises and guidance.
  • Concerns / Risks: Smaller organisations may struggle to interpret obligations; risk of inconsistent guidance from multiple regulators; need for rapid community support.
  • Required Actions: Provide regional briefings, workshops and exercises; help SMEs understand proportionality; coordinate local interpretation and readiness.
  • Long-Term Impact: Strengthens the Hub as a convening force and capability uplift mechanism for the region; raises the baseline of community resilience.

Cyber Tzar (cyber SME / advisory lens)
  • Opportunities: Increased demand from newly regulated MSPs and suppliers; stronger need for advisory, compliance support, incident readiness and testing services.
  • Concerns / Risks: Compliance burden for SMEs acting as MSPs; cost recovery charges; need for more formal processes and documentation.
  • Required Actions: Clarify whether the business is a regulated person; build compliance playbooks; offer customer notification frameworks and risk assessments as services.
  • Long-Term Impact: Growth opportunity for specialist SMEs that can support regulated entities; differentiation for businesses with strong governance.

IET, BCS and professional bodies
  • Opportunities: Scope to drive professional standards; new impetus for training, certification and competency frameworks; alignment with secure-by-design engineering.
  • Concerns / Risks: Concern about impact on small businesses; need for proportionality; risk of professionals being held to unclear expectations.
  • Required Actions: Update competency frameworks; provide practitioner guidance; advocate for SME friendly regulation; support CPD aligned to regulated duties.
  • Long-Term Impact: Moves cyber further towards formal professionalisation; strengthens the role of standards and engineering practice across the sector.

WMCA and regional authorities
  • Opportunities: Opportunity to align regional growth strategies with national resilience obligations; increased relevance of regional cyber hubs; stronger economic narrative for resilience.
  • Concerns / Risks: New burden on SMEs across the region; risk of uneven compliance; need for local capacity to support implementation.
  • Required Actions: Embed cyber resilience in regional plans; support hubs; coordinate business engagement; develop regional readiness programmes.
  • Long-Term Impact: Positions cyber as key economic infrastructure in regional development; creates a platform for attracting investment and improving supply chain resilience.

Organisations, SMEs and enterprises
  • Opportunities: Clearer duties on MSPs and suppliers; better visibility of incidents; improved supply chain security; stronger national posture.
  • Concerns / Risks: Compliance requirements for newly regulated organisations; potential new costs; need for incident reporting capabilities; risk of confusion during transition.
  • Required Actions: Review supplier contracts; build incident response playbooks; update governance structures; engage with regulators and community hubs.
  • Long-Term Impact: Improved long term resilience and supply chain assurance; more predictable standards; increased customer trust and operational stability.

DSIT
  • Opportunities: Stronger regulatory spine and clearer authority over national cyber resilience; improved ability to align resilience with innovation and economic policy; direct regulation of MSPs and critical suppliers closes long standing gaps.
  • Concerns / Risks: Risk of inconsistent interpretation across regulators; pressure to deliver practical guidance quickly; potential over centralisation if practitioner input is not embedded; coordination demands increase.
  • Required Actions: Publish early practitioner informed guidance; coordinate regulators through shared principles; embed proportionality for SMEs; strengthen collaboration with regional bodies and industry groups.
  • Long-Term Impact: Consolidates DSIT as the UK’s central resilience authority; enhances strategic influence but success depends on effective coordination and delivery.

NCSC
  • Opportunities: Better visibility through structured incident reporting; alignment of supply chain regulation with long standing technical recommendations; stronger role for CSIRT and cross sector coordination.
  • Concerns / Risks: Increased reporting volume impacts analytical capacity; reliance on regulators to enforce technical expectations; potential dilution of influence if guidance is not consistently followed.
  • Required Actions: Provide clear technical patterns and best practice; support regulators with threat intelligence and technical expertise; enhance industry engagement to refine appropriate and proportionate measures.
  • Long-Term Impact: Reinforces NCSC’s role as the national technical authority; improves systemic awareness and strengthens the UK’s defensive posture.

UKTL (DSIT, CDDO, GDS, UK Cyber Security Council)
  • Opportunities: Ability to align professional standards, secure by design principles and public sector guidance with a coherent regulatory framework; stronger platform for professionalisation and digital governance reform.
  • Concerns / Risks: Fragmentation risk if guidance diverges; uneven maturity across organisations; potential confusion for regulated persons if expectations are not harmonised.
  • Required Actions: Coordinate guidance across bodies; link competency frameworks to regulated duties; support cross government coherence on resilience obligations; integrate practitioner feedback loops.
  • Long-Term Impact: Creates a more unified digital governance environment; strengthens professional standards and improves consistency across public and private sectors.

Other HMG Bodies (Cabinet Office, Home Office, MoD, sector regulators)
  • Opportunities: Clearer regulatory expectations for critical infrastructure; stronger tools for intervention and oversight; improved cross government alignment on national resilience.
  • Concerns / Risks: Capability gaps in some departments; uneven regulator maturity; increased reporting and oversight demands; need for sensitive handling of national security directions.
  • Required Actions: Develop internal expertise; engage with industry and regional bodies; coordinate implementation with DSIT and NCSC; strengthen sector specific guidance and crisis response mechanisms.
  • Long-Term Impact: Enhances whole of government resilience; enables more predictable oversight of essential sectors; strengthens national security posture over time.

6. How this analysis compares with previous work on Horkan.com

This analysis of the Cyber Security and Resilience (NIS) Bill sits alongside a wider body of work that has examined UK cyber policy, regional growth strategies and skills reports. In particular, it connects to earlier comparative work that brought together six 2025 reports on cyber growth, regional futures and skills, and to subsequent pieces on governance, skills, resilience testing and regional cluster development.

6.1 Continuity with the “from fragmentation to framework” argument

The earlier synthesis of the six 2025 reports argued that the UK suffers from ambition without architecture. National strategies, regional growth plans and sector reports all identified real issues, but none provided a complete operating model for delivery. The central argument was that cyber must be treated as economic infrastructure, not a subheading under digital or defence, and that regions like the West Midlands should act as proof-of-concept for a practitioner-led framework.

The Bill broadly reinforces that framing. It treats network and information systems used for essential activities as critical to the economy and the functioning of society. It introduces a more explicit architecture around essential activities, regulated persons, strategic priorities, codes of practice and national security directions. In that sense, it looks more like the backbone that many of the reports implied but did not define.

6.2 Where the Bill addresses earlier critiques

Several of the weaknesses called out across the 2025 reports are at least partially answered by the Bill.

  • Fragmentation of responsibility
    Earlier work highlighted a lack of clear, binding responsibility for cyber resilience across sectors and regions. The Bill narrows this gap by expanding the NIS perimeter to data centres, managed service providers and critical suppliers, and by introducing a single concept of regulated persons.
  • Absence of a coherent regulatory spine
    Previous analysis noted that strategies, growth plans and skills reports all assumed resilience but did not specify the regulatory scaffolding that would make it real. The Bill provides that scaffolding, with powers to make further regulations, a statutory code of practice and explicit roles for regulatory authorities.
  • Underweight treatment of supply chain risk
    Earlier articles repeatedly pointed out that supply chains were either ignored or treated as an afterthought. By regulating managed service providers directly and creating a critical suppliers category, the Bill closes much of that gap.
  • Weak accountability and benchmarking
    The comparative synthesis called for better transparency, benchmarking and accountability. The Bill does not create dashboards or indices, but it does require annual reporting to Parliament on how regulatory authorities are delivering against the statement of strategic priorities, which is a step toward more visible oversight.

6.3 Where the gaps remain

The Bill also leaves several themes from the earlier horkan.com analysis largely unaddressed.

  • Regional balance and cluster development
    The six-report synthesis emphasised regional inequity and the need to treat places like the West Midlands as testbeds for cyber as economic infrastructure. The Bill is largely region-blind. It creates a national regulatory framework but does not speak directly to regional ecosystems, hubs, or the practicalities of turning regulation into local growth.
  • Practitioner-led governance
    A recurring theme in the blog work is the absence of practitioner voice in policy design and delivery. The Bill strengthens the role of regulators and the Secretary of State but says little about practitioner governance, community structures or mechanisms that embed operators and engineers into decision making.
  • Skills, conversion pathways and talent pipelines
    The synthesis of the Cyber Security Skills 2025 report made clear that specialist shortages and weak conversion pathways are now the binding constraint on growth and resilience. The Bill is almost silent on skills. It assumes that regulated persons can find or develop the capability needed to meet their obligations, but does not address how that capability will be built at scale.
  • Benchmarking and live resilience metrics
    Earlier work called for regional benchmarking, transparent metrics and something akin to a cyber resilience index. The Bill creates legal duties and reporting to Parliament, but it does not require public metrics on resilience, supply chain maturity or sectoral improvement.

6.4 How the Bill fits the West Midlands Cyber Hub roadmap

The previous articles argued that the West Midlands could act as a proof-of-concept for a practitioner-led cyber growth model, with a hub, a festival, unified governance, an investment concierge, skills pipelines and a regional benchmarking index. In that context, the Bill can be seen as enabling legislation rather than a complete solution.

  • It provides the regulatory spine that such a regional model can plug into, especially around managed service providers, critical suppliers and essential activities.
  • It creates levers that regional actors can use, for example by aligning local programmes with the national statement of strategic priorities and the expectations of regulatory authorities.
  • It does not, on its own, create the community, governance, skills or investment mechanisms that the earlier roadmap called for. Those still need to be built regionally and locally, with practitioners in the lead.

6.5 Overall alignment

Taken together, the earlier analysis on horkan.com and this Bill-focused piece are complementary. The previous work mapped the policy, growth and skills landscape and proposed a practitioner-led framework for turning rhetoric into delivery. This section shows how the Bill moves part of that agenda forward by hardening the regulatory core, while leaving many of the ecosystem, regional and skills questions open.

In short, the Bill looks like a necessary component of the future UK cyber operating model, but not a sufficient one. It provides structure where there was previously fragmentation, yet it still relies on the kind of regional, practitioner-led, infrastructure-focused approaches that the West Midlands Cyber Hub and related work have been advocating.

7. Recommendations

The Cyber Security and Resilience Bill provides a stronger regulatory spine but leaves several gaps that must be closed to achieve meaningful resilience and economic impact. The following recommendations build on the earlier analysis, align with the West Midlands practitioner-led approach, and reflect the realities faced by SMEs, regulators, regions and suppliers.

7.1 Ensure proportionality for SMEs and smaller suppliers

The Bill brings many smaller managed service providers and critical suppliers into scope for the first time. Government should publish clear proportionality guidance that distinguishes between enterprise-scale providers and smaller firms. Regulators should adopt tiered expectations, lighter-touch assurance routes and phased compliance windows to avoid overwhelming organisations that lack extensive cybersecurity resources.

7.2 Provide early, detailed guidance and transitional support

Newly regulated organisations will require clarity on thresholds, obligations and examples of compliance. Guidance should be published before commencement, supported by sector briefings, FAQs and online tools. Transitional help desks or hubs would help suppliers interpret obligations and adjust internal processes during the early stages of implementation.

7.3 Establish consistency across regulatory authorities

The Bill introduces multiple regulatory authorities with overlapping responsibilities. To prevent inconsistent implementation, government should create joint guidance, shared enforcement principles and cross-regulator coordination forums. A unified interpretation of the statutory code of practice would help ensure consistent expectations and reduce duplication for regulated persons.

7.4 Strengthen transparency and safeguards around information-gathering powers

Regulators now have broader powers to request information, including requirements to generate or retain data. To maintain trust, government and regulators should publish clear criteria for proportionality, confidentiality, legal privilege and retention. Regular transparency statements would reassure organisations that these powers are used responsibly and predictably.

7.5 Use cost recovery in a fair and predictable way

Charging schemes should be transparent, stable and proportionate. Regulators should ensure that charges reflect the scale and risk level of regulated persons. Advance publication of expected charges would help organisations allocate budgets. Transitional discounts for smaller suppliers should be considered during the early years of implementation.

7.6 Embed practitioner expertise in policy and delivery

The Bill strengthens national authority but does not create structures for practitioner involvement. To ensure regulations work in practice, government should establish practitioner advisory groups aligned with sectors and regions. These groups should help shape guidance, codes of practice and interpretation, ensuring real-world conditions are reflected in policy.

7.7 Create clear links between regulation and the skills pipeline

The Bill assumes capability but does not address how it will be developed. Government should work with professional bodies, training providers and regional initiatives to create funded conversion pathways, apprenticeships, returner schemes and residency-style programmes aligned with regulated roles. Regulatory requirements must be paired with talent development if resilience is to scale.

7.8 Develop a national and regional benchmarking model

Stronger regulatory duties need equally strong measurement. Government should publish sector resilience metrics and support regions in developing benchmarking models that track supply-chain maturity, incident patterns and improvement over time. This would mirror good practice in other jurisdictions and support informed investment and intervention decisions.

7.9 Support regional cyber ecosystems and hubs

Regulation works best when combined with local capacity. Government should recognise and support regional cyber hubs, including those in the West Midlands, as delivery partners for training, awareness, capability building and SME support. Local ecosystems can translate national obligations into practical help and ensure that smaller organisations are not left behind.

7.10 Align national strategy, regional growth plans and regulatory obligations

A coherent national approach requires coordination between DSIT, devolved authorities, growth bodies and regulators. The Bill should be integrated into regional growth strategies and industrial plans so that resilience becomes a foundation for investment, innovation and economic development. Alignment across these layers will accelerate both compliance and economic impact.

7.11 Establish a clear narrative framing cyber as economic infrastructure

Regulation alone will not shift behaviour. Government and regions should communicate a unified narrative that cyber resilience is essential infrastructure for public services, supply chains, manufacturing, health, energy and regional economies. This reframing helps businesses understand why investing in resilience is not optional but foundational.

7.12 Use the Bill as a platform for innovation and resilience testing

The expanded regulatory perimeter creates opportunities for new testing approaches, innovation sandboxes and real-world resilience exercises. Government should fund and encourage testbeds, cross-supplier simulations and applied research partnerships tied to regulated duties. This would build capability and support the growth of the UK’s resilience testing ecosystem.

8. Conclusions

The Cyber Security and Resilience Bill represents the most significant shift in the United Kingdom’s cyber regulatory landscape since the original NIS Regulations were introduced. It strengthens the national framework by expanding scope, clarifying duties, tightening incident reporting and providing new tools for regulators and government. In doing so, it moves the UK closer to treating cyber resilience as core economic infrastructure rather than a technical afterthought. The government’s own framing now explicitly positions cyber resilience as essential to daily life and economic stability, reinforcing the Bill’s ambition, but also raising the stakes if delivery fails.

The Bill answers several weaknesses identified in previous analyses of national and regional strategies. It brings essential suppliers, managed service providers and data centres into scope, addresses long-neglected supply-chain risks and introduces clearer reporting expectations. It also provides the regulatory backbone that many policy papers and growth plans have lacked, replacing fragmentation with a more coherent architecture of essential activities, regulated persons, strategic priorities and national security directions.

However, legislation alone cannot deliver resilience. The Bill relies on a skills pipeline that remains constrained, regional ecosystems that are unevenly supported and practitioner expertise that is often absent from policy design. It offers limited mechanisms for regional balance, talent development or community-level capacity, leaving these critical elements to be solved elsewhere. Transition complexity, the risk of inconsistent regulation and the burden on smaller suppliers will require careful management to avoid unintended consequences.

For regional bodies like the West Midlands Combined Authority, for professional organisations such as the IET or BCS, and for the wider ecosystem of SMEs and managed service providers, the Bill provides both a mandate and an opportunity. It creates the conditions for stronger local coordination, better supplier assurance and improved customer protection, but only if regions, practitioners and industry work collaboratively to interpret and implement the requirements.

The broader body of work on horkan.com emphasises that resilience is inseparable from economic development, skills strategy, investment flow and regional equity. The Bill does not replace that agenda; it sits alongside it. Where policy has been fragmented, the Bill introduces structure. Where delivery has lacked consistency, it offers clearer expectations. Where supply chains have been exposed, it introduces new duties. Yet the work of building capability, fostering community, improving professional pathways and creating regional exemplars remains essential.

In sum, the Bill is a necessary foundation but not a complete solution. It provides a stronger national spine, but the real test will be how effectively government, regulators, regions, professional bodies and practitioners use that spine to support a resilient and inclusive cyber ecosystem. If these groups align, the UK can move from episodic progress to sustained capability, and from rhetorical ambition to credible, measurable resilience.

9. Appendix. Author’s Note: Why I Wrote This

I wrote this because I’m not observing the Cyber Security and Resilience Bill from the side-lines. I work directly on supply-chain cyber risk, build tools and services that organisations rely on, and help run regional initiatives like the West Midlands Cyber Hub that exist to turn policy into real adoption and measurable resilience. I’ve seen how cyber risk actually propagates through suppliers, MSPs and regions, and how often national intent fails at the point of delivery. This article connects statute to operational reality, surfaces where risk will land in practice, and reflects a wider commitment, through community, regional infrastructure and practitioner-led delivery, to raising cyber maturity and protecting the UK’s economic backbone.