
The UK Parliament on Wednesday introduced a new Cyber Security and Resilience Bill aimed at strengthening the defenses of Britain's critical sectors, including public services such as healthcare, drinking water providers, transport, and energy.
“In the face of increasing cyber threats, it will prevent disruption – keeping the taps running, the lights on and the UK’s transport services moving – while making sure those who supply our vital services have tougher cyber protections,” the Parliament said in its announcement.
The bill, put forth by the UK Department for Science, Innovation and Technology (DSIT) and its Secretary of State, Peter Kyle, has been in the works since 2024.
According to the UK National Cyber Security Centre (NCSC), nationally significant cyber incidents have increased by 48% over the past year, more than double the numbers recorded from 2023 to 2024. Highly significant events have increased by 50% overall, with numbers rising consecutively over the past three years, the NCSC also states.
“These numbers clearly illustrate that the challenge we face is growing at an order of magnitude… it is time to act.” – NCSC CEO Richard Horne, quoted by NCSC UK (@NCSC) on November 12, 2025.
Find out how to report a cyber incident in the UK: https://t.co/bcHeD3QDTN
Considered a cornerstone of the UK’s Plan for Change to spur economic growth, Kyle says the bill will help “make the UK’s digital economy one of the most secure in the world – giving us the power to protect our services, our supply chains, and our citizens.”
“Ensuring the security of the vital services which will deliver that growth is non-negotiable,” Kyle said, citing several major cyberattacks that have had devastating impacts on the British economy and on its citizens' everyday lives.
In 2024, hackers breached the UK Ministry of Defence payroll systems, exposing the personal data of an unknown number of people serving in the UK military.
Also in 2024, the ransomware attack on Synnovis, a pathology laboratory services provider for the NHS, triggered a pause in critical services at five NHS London hospitals for days, the cancellation of over 10,000 appointments, and harm to hundreds of patients.
And the City of Leicester is one of several British municipalities that have been hit with cyber incidents in the past few years. The attack there forced city officials to shut down many government services and disconnect all phone lines during a week-long recovery.
And let’s not forget the more recent attacks on the British retail and automotive manufacturing sector, with cyber hits on some of Britain's biggest brands, including Marks & Spencer, Co-op, and Jaguar Land Rover.
What's in the bill?
According to the document, substantial improvements are being made to the nation’s 2018 Network and Information Systems (NIS) Regulations, currently the only UK cybersecurity legislation on the books.
The new framework will bring more entities into scope and update regulations “to keep pace with the threats faced by regulated entities and bring the UK in line with our counterparts.”
The bill also changes breach reporting requirements as a way to help counter ransomware, enables the British government to “respond decisively” to imminent national security threats, and, for the first time, categorizes data center infrastructure as part of the critical sector.
One of the more notable changes will be the requirement that medium and large IT services companies providing IT management, helpdesk support, and cybersecurity to critical services now be regulated.
This would entail giving regulators increased powers to designate critical suppliers to essential services.
"Because they hold trusted access across government, critical national infrastructure, and business networks, they will need to meet clear security duties," DSIT said on Wednesday.
Under the proposal, data breaches must now be reported to regulators and the National Cyber Security Centre within 24 hours, with a full report within 72 hours, and affected businesses and individuals who use the organization's services must be notified of the incident.
Several measures in the bill will also affect US organizations providing services or solutions to the nation’s essential services; for example, organizations will be further required to close gaps in their supply chains that criminals could exploit.
The bill would additionally create plans to ban public sector entities and those operating in the critical sectors, including the NHS, local councils, and schools, from paying ransom demands to cybercriminals.
Security experts cautiously optimistic
Karen Fryatt, UK market head at cybersecurity consulting firm NCC Group, says “the introduction of Britain’s first-ever law with ‘cyber security’ in its title is a landmark moment.”
“This is an essential piece of legislation that brings the cyber rules governing critical infrastructure in line with modern threats, economic realities, and technological developments,” Fryatt says.
And all while “maintaining crucial flexibility to keep pace with the ever-changing cyber landscape,” she adds.
Fryatt further expects the new bill will help tackle rising supply chain risks and strengthen incident reporting, noting that recent NCC Group research found that 68% of organizations expect supply chain attacks to grow in severity and scale.
Still, Fryatt also points out that the new proposal must not be seen as a silver bullet.
“There are still important questions around incentivizing secure technology development, uplifting SME cyber resilience, and modernizing the UK’s cybercrime laws,” she said.
“Businesses must take heed. If you’re among the many organizations that will, for the first time, fall under UK cyber regulations, now is the time to prepare,” Fryatt warns.