December 1, 2025

UK Cybersecurity Legislation Soon to be Introduced

Alston & Bird

+ Follow Contact

Send

Embed

The UK Government has introduced the Cyber Security and Resilience (Network and Information Systems) Bill (the “Bill”) to Parliament, marking the most significant update to the UK’s cyber legislation since 2018. You can access a copy of the Bill here. The Bill aims to strengthen national security and protect critical infrastructure networks in key sectors from increasingly sophisticated cyber threats.

What is the purpose of the Bill?

The Bill updates the existing 2018 Network and Information Security Regulations to address modern risks and technological developments. The Bill’s primary purpose is to impose tougher security obligations by broadening the regulatory scope and enhancing enforcement powers. At a high level, the key provisions include:

Bringing new sectors into scope of the legislation	The scope of the Bill covers data centres, managed service providers, large load controllers and designated critical suppliers. The UK Government considers these sectors to be core services relied upon throughout the UK economy.
Specifying what constitutes a reportable cybersecurity incident	The Bill requires organisations to report “data centre incidents” and “OES incidents” to a regulator. Although the definitions differ slightly, both categories broadly cover incidents that significantly impact the operation or security of network information systems relied on for providing a data centre service or an essential service. An essential service is one that is critical to national infrastructure, such as water, energy or transport, or vital to the UK economy and society, such as health and digital infrastructure. The Bill lists several factors for organisations to consider when deciding if an incident’s impact is significant. The list includes the extent of the disruption, the number of affected users, the incident’s duration, the geographical scope, and whether the incident compromised the confidentiality, authenticity, integrity or availability of data.
Mandating stricter incident reporting timelines	Organisations must submit initial notifications within 24 hours of becoming aware of a reportable incident. They must submit full notifications within 72 hours of becoming aware of a reportable incident.
Introducing new enforcement powers	The Bill proposes a split financial penalty system, determined by which paragraph of the Bill an organisation breaches. The “standard maximum amount” is the greater of £10 million or 2% of annual turnover. The “higher maximum amount” is the greater of £17 million or 4% of annual turnover.

Alignment with EU Standards

The UK’s approach to cybersecurity legislation closely mirrors the EU’s Network and Information Systems (NIS2) Directive. Both frameworks aim to extend coverage to essential and digital services, enforce stricter incident reporting requirements, and introduce stronger accountability measures. However, the Bill allows the UK to tailor requirements to domestic needs while maintaining compatibility for organisations operating across both the EU and UK. This alignment will prove particularly important for businesses with EU operations, as it reduces complexity and ensures consistent compliance obligations.

Timelines and Next Steps

The Government introduced the Bill to Parliament on 12 November 2025. The Bill will now proceed through debate and potential amendments during the current session (which runs until Spring 2026). Full implementation should occur in 2026, following Royal Assent, the passage of secondary legislation, and the publication of regulatory guidance.

Organisations should begin considering whether the Bill applies to them, and if so, what steps they must take to ensure compliance. For example, they will need to update incident response plans to reflect the new reporting thresholds and timelines, and provide relevant team members with training to ensure they meet reporting deadlines.

[View source.]

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

Written by:

Alston & Bird

Contact + Follow

Hanna Hewitt

+ Follow

less

What do you want from legal thought leadership?

Please take our short survey – your perspective helps to shape how firms create relevant, useful content that addresses your needs:

Take the survey now »

Published In:

Critical Infrastructure Sectors

+ Follow

Cybersecurity

+ Follow

Data Centers

+ Follow

National Security

+ Follow

New Legislation

+ Follow

Proposed Legislation

+ Follow

Regulatory Reform

+ Follow

Regulatory Requirements

+ Follow

Reporting Requirements

+ Follow

Risk Management

+ Follow

Energy & Utilities

+ Follow

International Trade

+ Follow

Science, Computers & Technology

+ Follow

less

Alston & Bird on:

UK Cybersecurity Legislation Soon to be Introduced

What is the purpose of the Bill?

Alignment with EU Standards

Timelines and Next Steps

Latest Posts

Written by:

What do you want from legal thought leadership?

Published In:

Alston & Bird on:

"My best business intelligence, in one easy email…"