On 3 February 2026, the Public Bill Committee met for the first time to scrutinise the Cyber Security and Resilience (Network and Information Systems) Bill, with its report due by 5 March 2026. The Bill represents one of the most significant updates to the UK’s cyber regulatory framework since the introduction of the Network and Information Systems Regulations 2018 (NIS Regulations). As cyber threats escalate in scale and complexity, the Bill seeks to modernise the UK’s approach to critical infrastructure protection, regulatory oversight and incident reporting. Introduced on 12 November 2025, and discussed in greater detail here: UK cyber security reform takes shape, it is a core pillar of the government’s wider cyber‑resilience strategy announced in the 2024 King’s Speech and is expected to become law by the end of 2026.
Expanded scope of regulation
A central component of the Bill is the expansion of entities regulated as Operators of Essential Services to include:
- data centres (which host and support digital infrastructure);
- large load controllers (organisations that can control the energy use of smart appliances such as batteries and electric vehicles);
- managed service providers (organisations that provide third-party IT services to other businesses); and
- suppliers that are critical to a regulated organisation’s ability to provide its essential service.
Enhanced regulatory powers
The Bill grants regulators broader authority to create a more predictable and enforceable compliance environment across critical industries. It enhances regulators’ ability to implement and enforce the NIS Regulations consistently across sectors by:
- requiring regulated organisations to report more cyber incidents;
- enabling regulators to recover costs, share information, and impose higher fines;
- empowering the Secretary of State to publish a statement of strategic priorities setting out objectives for regulators to achieve when carrying out their functions under the NIS Regulations; and
- granting the Secretary of State powers to direct regulated organisations and regulators to take specified actions in the interests of national security, and powers to update the NIS Regulations through secondary legislation rather than primary legislation.
Strengthening reporting
The Bill expands the scope of incident reporting to improve the response to ransomware attacks, with reforms that include:
- a mandatory 24‑hour initial notification window for significant incidents, followed by a 72‑hour detailed report (aligning in part with the NIS Regulations);
- explicit inclusion of ransomware attacks within reportable incidents; and
- a shift of responsibility for customer notifications directly onto providers rather than (as under the current NIS Regulations) onto regulators.
Implications for businesses
For those businesses currently subject to the NIS Regulations, a gap analysis might be prudent to identify any new obligations that might kick in, for example by reviewing incident reporting procedures to take account of the proposed new timetables. The expanded scope of the Bill means that some companies not previously caught might now fall within it, including as a potential “critical supplier”, necessitating:
- a revised contractual risk allocation with suppliers and customers;
- awareness and preparation for additional reporting obligations (to ensure readiness for 24-hour notifications); and
- a general review of their cyber security policies and procedures and preparation to engage with sector regulators where appropriate.
We will be monitoring the Bill’s progression through its stages to Royal Assent.