Cyber security | UK Regulatory Outlook January 2026
Published on 13th January 2026
The Cyber Security and Resilience Bill | Cyber essentials supply chain playbook | Government cyber security strategy
The Cyber Security and Resilience Bill
The Cyber Security and Resilience (Network and Information Systems) Bill (CSRB), which was introduced to Parliament on 12 November 2025, had its second reading on 6 January 2026. The bill updates the Network and Information Systems Regulations 2018 (NIS Regulations), with reforms focused on improving the country's resilience to cyber attacks. As previously reported, the National Cyber Security Centre's (NCSC) 2025 Annual Review noted a 50% increase in highly significant incidents for the third consecutive year.
Changes introduced in the bill include bringing managed service providers, data centres and large load controllers into scope, as well as enhanced incident reporting and customer notification measures and enforcement powers, including higher fines for non-compliance.
Businesses should continue monitoring the progress of the bill and identify whether they are likely to fall within its expanded scope. Organisations can prepare for compliance by reviewing existing incident response plans and conducting supply chain risk assessments.
The Public Bill Committee has launched a call for evidence seeking views on the bill. The committee is scheduled to meet on 3 February 2026 to scrutinise the bill line by line and is expected to report on 5 March 2026. The government intends to launch consultations on implementation proposals, with responses to be considered before secondary legislation is laid before Parliament.
The bill is anticipated to come into force at some point in 2026, with phased implementation to be delivered through secondary legislation.
Businesses should expect a busy year ahead on the cyber security front. Royal assent for the CSRB is anticipated in the latter part of the year, subject to parliamentary time. Beyond the UK, businesses with EU operations should monitor trilogue negotiations on the Digital Omnibus package, which aims to streamline incident reporting obligations across multiple pieces of EU cyber legislation, including GDPR, NIS 2 and DORA (see our dedicated microsite for more).
Read more on the bill in our Insight. See our Digital Regulation Timeline to follow the progress of the CSRB and read the ICO's response to the bill.
Cyber essentials supply chain playbook
The NCSC has published a guide to help businesses manage cyber risk effectively by supporting their use of Cyber Essentials across their supply chains. Organisations are encouraged to use the playbook to manage their supply chains more effectively, with recent high-profile incidents demonstrating the escalating threat posed by vulnerabilities in supply chains and the financial and reputational impact they can have on an organisation.
The playbook sets out steps for organisations to:
- audit their supply chain by using the IASME Supplier Check tool;
- assess whether their entire supply chain, or certain supplier security profiles will require Cyber Essentials certification as a minimum security requirement; and
- choose the most effective approach to embed Cyber Essentials within their supply chain.
This forms part of the government's efforts to strengthen the cyber security and resilience of the UK ahead of the Cyber Security and Resilience Bill. Alongside driving uptake of Cyber Essentials, businesses may also consider aligning with the Cyber Assessment Framework principles, and the Cyber Governance Code of Practice, a dedicated package to support board members and directors in governing cyber security risks.
Government cyber security strategy
The government published the Cyber Action Plan, which sets expectations for how it will improve the cyber security and resilience of public services.
Announced alongside the second reading of the Cyber Security and Resilience Bill, the plan will hold government and the public sector to equivalent standards through increasing visibility of cyber risk, addressing the most serious and complex risks, improving responsiveness to incidents, and increasing government-wide cyber resilience.
Supported by a £210 million investment, the plan will be delivered across three phases. It includes steps to hold organisations to account for improving their cyber defences, including setting minimum standards, and investment in cross-government platforms, services and infrastructure to address critical risks.
Businesses providing services to the government should monitor the implementation progress of the plan, including assessing whether their software security practices align with the Software Security Code of Practice. The government aims to promote this voluntary framework through the new Software Security Ambassador Scheme, with the aim of reducing software supply chain attacks and related disruption.
Read the government press release.