UK Unveils Cybersecurity Bill: Major Overhaul for Critical Infrastructure Operators Coming?

Skadden Publication / Cybersecurity and Data Privacy Update

Nicola Kerr-Shaw, David A. Simon, William E. Ridgway, Alex Smallwood, Aleksander J. Aleksiev

Executive Summary

  • What’s new: On 12 November 2025, the new Cyber Security and Resilience (Network and Information Systems) Bill (the Bill) was brought before the UK Parliament.
  • Why it matters: The Bill seeks to amend the existing Network and Information Systems Regulations (NISR) by broadening their scope, introducing more stringent requirements and enhancing enforcement powers.
  • What to do next: In light of the stricter penalties for noncompliance, it is essential that organisations subject to the current and revised NISR — such as energy, water, transport and certain digital services providers — closely monitor the Bill’s developments and take steps to ensure they are prepared to comply once the Bill becomes law.

__________

Context

Given the rising number of high-profile cyber incidents resulting in significant losses and disruptions for UK businesses and infrastructure, the UK government on 12 November 2025 introduced the new Cyber Security and Resilience (Network and Information Systems) Bill (the Bill), which augments the existing Network and Information Systems Regulations (NISR) framework.

Below is an overview of the key proposals.

1. Increased Scope

The Bill proposes to significantly extend the NISR’s scope to operators of essential services (OESs) and relevant digital service providers (RDSPs) in certain critical sectors (e.g., electricity, transport and water). The new increased scope would cover:

  • Managed service providers (MSPs) that provide services via their own networks and systems, unless they’re micro or small enterprises.
  • Data centres with a capacity of 1MW or more.
  • Large load controllers that control 300MW or more of electrical load.

Regulators would be granted additional powers to designate certain suppliers of goods and services as “critical suppliers” if an incident affecting them could significantly impact the UK. These suppliers would have the right to appeal their designation to the First-Tier Tribunal.

The obligations for critical suppliers would be outlined in future regulations, but the Department for Science, Innovation and Technology has confirmed that they would not be more stringent than those for OESs or RDSPs.

2. Stricter Incident Notification Obligations

The Bill also proposes tightening the current incident reporting obligations:

  • What: Expanding the definition of “incident” to include events that are merely “capable of having” a significant future impact on relevant services (e.g., where an unauthorised third party gains access to a network before deploying a more disruptive attack).
  • When: Initial notifications to the relevant sectoral regulator would be required within 24 hours of becoming aware of an “incident,” with a full report within 72 hours.
  • Who:
    • Regulators: Alongside their existing sectoral regulator, companies would also need to send notifications and reports to the National Cyber Security Centre (NCSC).
    • Customers: Companies would also need to take reasonable steps to notify customers “likely to be adversely affected” by the incident as soon as reasonably practicable. The level of this threshold remains unclear, but it appears to be lower than the “high-risk requirement” under the UK General Data Protection Regulation (GDPR).

3. Increased Enforcement Powers and Recovery of Costs

The Bill also proposes stricter financial penalties for noncompliance:

  • Higher maximum fines: Up to £17 million or 4% of global annual turnover for the most serious breaches.
  • Standard maximum fines: Up to £10 million or 2% of global annual turnover for less serious breaches.
  • Cost recovery: Enforcement authorities would be able to recover costs from companies when discharging their duties under the NISR.

4. Increased Regulatory Powers

The UK government would have the power to issue “necessary and proportionate” directions in response to cybersecurity issues threatening national security (e.g., by imposing restrictions on the use of goods and services) and impose daily fines of £100,000 for noncompliance. Importantly, these “national security” directions can be issued to any organisation carrying on “essential activity” in the UK, not just OESs, RDSPs or MSPs.

The government would also be empowered to introduce further obligations on regulated entities by amending the NISR in the future.

What Is Not Included

Importantly, the Bill does not propose any rules around ransom payments, a topic which prompted much debate following this year’s consultation on cyber regulation, but such rules could still be introduced in separate legislation.

The Bill’s expanded scope is not as broad as that of the EU’s NIS2 (e.g., the manufacturing and food sectors are not brought within scope), but the UK government has the power to add new sectors in the future by specifying new “essential services” and “regulated persons.”

In addition, in October 2025, the UK government wrote to the top 250 UK businesses, emphasising that board-level oversight of cybersecurity risk is essential. The government encouraged them to rehearse their cyber response plans by following official guidance, such as the NCSC’s Cyber Assessment Framework (CAF) and the Cyber Governance Code of Practice. Businesses were also urged to sign up to the NCSC’s early warning system and to use the NCSC’s Cyber Essentials scheme to help manage supply chain risk. Therefore, there is a general expectation, even if not a regulatory one, that businesses take cyber risk seriously.

What To Do Now

These reforms remain at an early stage, as the Bill still needs to progress through both Houses of Parliament. If enacted, it would mark a significant compliance shift for those entities newly brought into scope.

There is a clear expectation from the UK government that companies take (and are seen to take) cybersecurity seriously. Companies should therefore consider taking action now to improve their cybersecurity posture, including by:

  • Conducting tabletop exercises, making use of legal privilege where possible.
  • Updating and refreshing incident response plans and playbooks.
  • Evaluating how weaknesses in cyber defences are reported to the board and reviewed by management.

Companies that are already subject to the EU NIS2 regime should consider how their EU compliance work can support compliance with the potential UK reforms.

This memorandum is provided by Skadden, Arps, Slate, Meagher & Flom LLP and its affiliates for educational and informational purposes only and is not intended and should not be construed as legal advice. This memorandum is considered advertising under applicable state laws.
