If you are an organisation already covered by the UK’s Network and Information Systems Regulations 2018 (NIS), or you are a managed service provider (which the Bill will bring into scope), then the Cyber Security and Resilience Bill will be an important piece of legislation to keep track of. It will also be important for service providers to these organisations, who will need to understand and comply with any obligations that are flowed down the supply chain.
On 1 April 2025 the UK government published a policy statement setting out the measures it intends to include in the Cyber Security and Resilience Bill, which was announced as a priority in the King’s Speech in July 2024.
These measures include the following proposed changes to the existing regime:
- Addition of managed service providers: Managed service providers would be subject to the same duties as “relevant digital service providers” (RDSPs) under NIS, and the definition of RDSP would be expanded to cover certain SMEs. The government is also considering extending these duties to data centres; this may be included either in the Cyber Security and Resilience Bill or in a separate bill.
- Supply chain obligations (including contractual requirements): The Bill would allow the government to make secondary legislation clarifying the duties of “operators of essential services” (OES) and RDSPs to manage supply chain risks. That secondary legislation would be designed to ensure that “appropriate and proportionate measures” are taken, which may include contractual requirements, security checks or continuity plans. This likely means the Bill itself won’t contain mandatory contractual clauses for suppliers, but they are nevertheless coming down the track.
- Designated critical suppliers: The regulator would be able to individually designate a supplier as a “designated critical supplier” (DCS) in certain circumstances, bringing it directly into scope for the core security requirements and incident reporting obligations. This is a different approach from that of the EU’s Digital Operational Resilience Act (DORA), under which organisations have had to determine the criticality of their suppliers to their own business operations.
- Extra government powers: The Secretary of State is seeking powers to update the regulatory framework without requiring a new Act of Parliament. These would allow future expansion to cover new sectors, the introduction of new requirements, and changes to regulator responsibilities. Because such changes would not go through full parliamentary procedure, they could be introduced with less scrutiny and less notice to organisations.
- Alignment with EU’s NIS2: The Bill would specifically give the Secretary of State the ability to make regulations bringing UK NIS into closer alignment with the EU’s NIS2 and to issue a code of practice. There may be points of departure from the EU regime, but the aim of aligning where appropriate is likely to be helpful to international organisations that need to comply with both regimes.
- Incident reporting: The incident reporting criteria would be expanded, reporting deadlines would shorten (initial notification within 24 hours, followed by an incident report within 72 hours), and some organisations would be required to notify affected individuals. This means earlier notification than under the existing data protection law requirements (which allow up to 72 hours to notify the ICO of a personal data breach), and the shorter timelines will likely need to be reflected in vendor agreements so that suppliers report quickly enough for their customers to meet their own deadlines.
- Additional powers for the ICO: The UK Information Commissioner’s Office (ICO) would receive more information from organisations at registration, as well as powers to set up new fee regimes and to take enforcement action for failure to register. Given the ICO’s recent record on data protection enforcement, it will be interesting to see how it exercises its proposed powers under the new Bill.
QUESTIONS?
To discuss how these proposals may apply to your organisation, please contact Benjamin Ross (Global Head of Privacy & Cybersecurity) or Jessica Vautier (Senior Associate) in Bortstein Legal Group’s Privacy team.