The government has published the Cyber Security and Resilience Bill, legislation that updates the UK's framework for protecting critical infrastructure from cyber attacks and that introduces new requirements for the organisations that provide the essential services on which the economy and society depend.
The bill updates the Network and Information Systems Regulations, which were introduced in 2018 to implement a European Union directive and which have been in need of reform since the UK left the EU. The updated framework expands the range of organisations that are covered by the regulations, strengthens the security requirements that apply to them, and increases the penalties for non-compliance.
The bill introduces several significant changes. It expands the definition of critical infrastructure to include data centres, cloud computing services and managed service providers, reflecting the increasing dependence of the economy on digital infrastructure. It requires covered organisations to report significant cyber incidents to the regulator within 24 hours, down from the current 72 hours. And it gives the regulator the power to impose fines of up to £20 million or 4 percent of global turnover for serious breaches.
The bill is part of a broader programme of work to strengthen the UK's cyber defences, which have been identified by the National Cyber Security Centre as one of the most serious threats to national security. The government has said the bill will be introduced in the current parliamentary session and is expected to receive Royal Assent by mid-2027.
Join in — free. Comments on Daily Junction are for members, so real names stay rare and bots stay out.
One field. We email you a 6-digit code — no password needed. Your comment is kept while you do it.
Under 13? You’ll need a parent’s OK first — it takes them one click.