On 12 November 2025, the Department for Science, Innovation and Technology introduced the UK Cyber Security and Resilience (Network and Information Systems) Bill (the “Bill”) to Parliament.1
Purpose of the Bill
A key aim of the Bill is to address weaknesses, inadequacies, and gaps in the UK’s current cybersecurity legislation (i.e., the Network and Information Systems (NIS) Regulations 2018 (“UK NIS“)). As cyber threats and attacks increase in number and complexity, there is a growing sense that the UK needs to take action to ensure entities playing a pivotal role in the UK economy are better placed to defend, respond, and recover.
The impact assessment accompanying the Bill (the “Impact Assessment“)2 explains that UK businesses and vital public services are increasingly targeted by hostile actors, and that UK NIS is no longer fit for purpose and must be reformed:
…There is a growing threat to our essential and digital services from malicious cyber actors. Cyber attacks are becoming more frequent and sophisticated, with criminals circumventing protections with new techniques and targeting our increasingly complex supply chains to find weak links. At the same time, more…
