Cyber security | UK Regulatory Outlook November 2025
Published on 26th November 2025
Cyber Security and Resilience Bill introduced to Parliament | EU Commission publishes digital omnibus regulation proposal | Cyber Extortion and Ransomware (Reporting) Bill
Cyber Security and Resilience Bill introduced to Parliament
The Cyber Security and Resilience (Network and Information Systems) Bill (CSRB) was introduced to the House of Commons on 12 November 2025.
The government announced as part of the King's Speech that it would introduce a bill in the current Parliamentary session, and previewed the contents of the bill in a policy statement released on 1 April (see our Insight for more details). The legislation is intended to strengthen the UK's resilience against cyber attacks in sectors deemed critical to the country and its economy.
Under the proposals:
- Scope expansion: Medium and large managed service providers (companies providing IT management services to private and public sector organisations), data centres and large load controllers (organisations managing electricity for energy smart appliances) will be brought into scope of the regulations.
- Incident reporting: Organisations in scope will need to report a wider range of harmful cyber incidents to their regulator and the National Cyber Security Centre (NCSC) under a new two-stage reporting structure. Entities will be required to notify their regulator within 24 hours, with a full report within 72 hours. Regulated entities will also be required to send a copy of the incident notification to the NCSC and make a full report to it. Data centres, digital service providers and managed service providers will also need to notify customers who are likely to be affected by a significant cyber incident.
- Critical suppliers regime: Regulators will be given new powers to designate and regulate critical suppliers to the UK’s essential services. UK and non-UK suppliers may be designated, meaning they would have to meet minimum network and information system security requirements which will be set in secondary regulations.
- Enforcement and penalties: Enforcement and penalties will be updated, including higher maximum penalties (up to £17 million or 4% of an organisation's worldwide turnover) for serious breaches. The technology secretary will also be given the power to increase turnover-based penalties up to a maximum of 10% of a company's worldwide turnover.
- National security direction powers: The technology secretary will be granted new powers to instruct regulators to take specific, proportionate steps to prevent cyber attacks where there is a threat to national security. Failure to comply with regulatory directions may result in penalties of up to £17 million or 10% of worldwide turnover, as well as daily penalties of up to £100,000.
A date for the second reading has yet to be announced. Our data and cyber experts will continue to monitor any updates. Please see Osborne Clarke's Digital regulation timeline to track the bill as it progresses through Parliament.
See the government press release and the full collection of documents on the bill.
EU Commission publishes digital omnibus regulation proposal
The European Commission is proposing to simplify existing rules on artificial intelligence, cyber security and data. Among other proposals, the package includes a digital omnibus that aims to simplify compliance for businesses. Currently, companies operating in the EU face overlapping obligations under multiple pieces of legislation, including the NIS2 Directive, the GDPR and the Digital Operational Resilience Act (DORA), each requiring a separate notification in the event of a cyber incident.
The proposed regulation introduces a single entry point for companies to meet their cyber security incident reporting obligations. A new, easy-to-use reporting interface will be developed to allow companies to file one report that fulfils reporting obligations under multiple EU legislative acts. The digital omnibus also proposes changes to the GDPR data breach notification requirements: data controllers would only be required to notify breaches that are "likely to result in a high risk" to individuals, and the notification deadline would be extended from 72 hours to 96 hours. Controllers would also be able to use the single entry point to notify the relevant supervisory authorities of data breaches.
The digital omnibus legislative proposals will now be submitted to the European Parliament and the Council for negotiation before a final text is adopted. See the Commission press release.
Cyber Extortion and Ransomware (Reporting) Bill
The Cyber Extortion and Ransomware (Reporting) Bill was introduced to Parliament on 21 October 2025 under the Ten Minute Rule. The private member's bill proposes to require companies to report any cyber extortion or ransomware attack to the government.
Specifically, the bill proposes a mandatory duty on large companies (registered under the Companies Act 2006 with an annual turnover of over £25 million) and operators of critical national infrastructure to report any cyber extortion or ransomware attack within 72 hours, with a further report required within 72 hours if the company makes any ransom payment.
This bill aligns with the government's 2025 ransomware consultation (as previously reported), which proposed threshold-based mandatory incident reporting, alongside a targeted payment ban for public sector and regulated critical national infrastructure entities and a payment prevention regime requiring victims of ransomware to notify their intention to make a ransomware payment before paying.
The second reading of the bill is scheduled to take place on 29 May 2026, although the House of Commons is not expected to be sitting on that date so there is a question as to whether it will become law.
UK statement on signing UN Convention against Cybercrime
The UK formally signed the UN Convention against Cybercrime on 25 October 2025. In a speech delivered by Andrew Whittaker, cyber director at the Foreign, Commonwealth & Development Office, the UK reaffirmed its commitment to cooperate under the convention only with states that respect its human rights safeguards, warning that any misuse would undermine the treaty's viability, while highlighting the urgent need for coordinated global action against online fraud and child sexual abuse material.