UK Cyber Security and Resilience Bill: pragmatic overhaul or regulatory overload?
Published on 11th December 2025
The key changes and action points for businesses, and how the bill compares with the EU NIS2
The UK’s Cyber Security and Resilience (Network and Information Systems) Bill (the CSRB) was presented to Parliament on 12 November 2025. The bill had been anticipated for some time, with a preview of its contents provided in a policy statement released on 1 April 2025.
It constitutes the most significant overhaul of the UK’s cross‑sector cybersecurity framework since the Network and Information Systems Regulations 2018 (the UK NIS Regulations), which it amends and expands. In short, the bill widens the scope of the regulations and puts in place a framework, supported by more flexible secondary legislation, to ensure that in-scope entities take measures to keep pace with a constantly evolving cyber threat landscape.
However, the CSRB sits within a complex "lasagne" of related UK law and regulatory guidance, alongside related EU law with extra-territorial effect, and should be viewed in this context. For organisations that are within scope, looking at the CSRB in isolation will not necessarily be helpful, and reconciling it with the wider framework could present a challenge.
Equally, businesses that have given due consideration to other cyber laws and regulatory standards in recent years should be able to leverage the steps they have already taken to develop cyber resilience.
How is the CSRB different from NIS2?
The CSRB and the EU's NIS2 Directive have a common foundation and goal, but take different paths to achieve it. Both have their origins in the Network and Information Systems (NIS) Directive (2016/1148), which established the first EU-wide framework for cyber security regulation. It was implemented in the UK via the UK NIS Regulations in May 2018 (the same month that the GDPR came into force), and at a similar time in other EU Member States.
Since implementation of the NIS Directive, the EU and (post-Brexit) UK have separately reviewed their respective regimes and found similar problems: insufficient sectoral coverage, supply chain vulnerabilities, weak enforcement and an evolving threat landscape. The EU also identified that implementation was fragmented across the Member States (which was obviously no longer a problem for the UK).
As such, the reform process has been different in each jurisdiction, reflecting in part the EU's need to address fragmented implementation. The EU's NIS2 has wholly replaced the NIS Directive, expanded the regulated sectors to 18 and tightened obligations. Its implementation deadline was 17 October 2024 (which has been missed in a large number of Member States).
The CSRB, on the other hand, does not replace the UK NIS Regulations; it amends and extends them. The scope has also been widened, but to a lesser extent. Managed service providers, data centres, large load controllers, and designated "critical suppliers" are now covered. Unlike NIS2, it has also retained the Operator of Essential Services or "OES" and Relevant Digital Service Provider or "RDSP" distinction.
Importantly, and partly because the UK does not need to mitigate the risk of fragmentation across a range of jurisdictions by imposing more prescriptive requirements, the CSRB adopts a more flexible approach. Where NIS2 mandates certain security requirements (albeit still at a high level), in the UK such requirements are to be introduced via secondary legislation, which may be easier to amend and update in the future.
One further key distinction between NIS2 and the CSRB is that the CSRB does not currently provide for senior management responsibility/liability (making senior management directly responsible if their organisation fails to put appropriate compliance measures in place). Businesses must wait to see if this omission is addressed in secondary legislation.
Who is newly in scope?
Managed service providers
As trailed in the policy statement, one of the most far-reaching consequences of the CSRB is that managed service providers (MSPs) will be brought within scope. The government's own research, published with the bill's announcement, stated that the UK had approximately 12,867 active MSPs, of which well over 1,000 may be brought within scope.
Medium and large managed service providers (RMSPs) will be directly regulated, whether or not they are established in the UK, if they provide a managed service in the UK.
A managed service is defined by four features:
- it is provided under contract to another organisation;
- it relies on network and information systems to deliver the service;
- it involves ongoing management, active administration and/or monitoring of IT systems, infrastructure, applications and/or networks (including for cybersecurity); and
- it requires connection to or access to the customer's network and information systems, on premises or remotely.
Data centres
The bill designates “data infrastructure” as a sector and classifies data centres as essential services, with the Department for Science, Innovation and Technology (DSIT) and Ofcom acting jointly as the competent authorities, and Ofcom performing operational regulation.
Only larger data centres are within scope, with thresholds defined by rated IT load (RITL), which measures the power supply to installed IT equipment during normal operation. Data centres with a RITL of one megawatt (MW) or more are considered in scope for regulation. Enterprise data centres, being those operated solely for the IT needs of the person who owns the data centre, are in scope only if their RITL is 10 MW or more.
Large load controllers
In a step that was not mentioned in the policy statement, the CSRB adds “large load controllers” as OES within the electricity subsector.
A large load controller is an entity that can remotely turn up or down the consumption or charging of many end‑use devices (for example electric vehicles and charge points, heat pumps, and domestic or industrial batteries) to help balance the grid.
As with data centres, scope is limited by size: it only applies where the controller has the technical ability to control an aggregate electrical load of 300 MW or more across the relevant assets. In simple terms, that means having enough controllable demand to influence regional grid stability, so only the largest aggregators and fleet/platform operators are likely to be in scope.
Critical suppliers
Lastly, regulators gain a new power to designate “critical suppliers” whose goods or services are judged so pivotal that an incident affecting their network and information systems could cause significant disruption to the economy.
The designation tests require:
- direct supply to an OES, RDSP or RMSP;
- reliance on network and information systems for the supply;
- a realistic potential for disruptive impact on provision of services; and
- a likely significant economic/societal impact in the whole or part of the UK.
Duties for designated suppliers will be introduced via secondary legislation; the intention is to apply core security and incident reporting obligations proportionately.
Duties and standards: what will regulated entities need to do?
Security measures
On the whole, the core NIS Directive security obligations remain: entities must take appropriate and proportionate technical and organisational measures to manage risks to the network and information systems relied upon to deliver the essential service, and to prevent and minimise the impact of incidents.
The government will also provide, in secondary legislation, more prescriptive security duties, among them duties on entities to manage supply chain cyber risk, potentially through contractual controls, security checks, continuity planning and similar measures. The details will be subject to consultation, but it is possible that they will follow similar measures to those required by NIS2.
Enhanced incident reporting and customer notification
A further operationally significant change for regulated entities is the tightened incident reporting regime. All regulated entities will face new incident reporting obligations.
Initial notification must be made within 24 hours, with a full report within 72 hours, where an incident meets a significant-impact test that takes a number of factors into account. This closely aligns with the requirements of NIS2.
After submitting a full report, data centres, RDSPs, and RMSPs must identify and notify likely adversely affected UK customers, providing incident details and reasons. This customer notification obligation represents a significant new compliance burden, which may entail businesses having to amend their incident response procedures.
Other developments
In addition to the core obligations set out above, other developments will also affect regulated businesses.
Increased information sharing
The bill creates additional data-sharing mechanisms. NIS regulators can share information with each other, and other appropriate authorities (including those overseas).
Organisations may flag commercially sensitive material, but should assume that in notifying one NIS authority of an incident, other authorities and external regulators may become aware of it.
Cost recovery: regulatory fees
Regulators will be able to impose charges on regulated entities to recover their costs. Fees are for cost recovery, not profit-making, and may vary by sector.
Enforcement and penalties: clearer tiers, higher ceilings
Penalties are streamlined into two (broadly GDPR-level) tiers for infringements, depending on their seriousness:
- Standard maximum: the greater of £10 million or 2% of worldwide turnover.
- Higher maximum: the greater of £17 million or 4% of worldwide turnover.
Statement of strategic priorities
The government can provide strategic priorities and objectives for NIS regulators, with a key aim being to drive consistency across the regulatory landscape.
National security directions
Where a serious cyber threat creates a national security risk, the Secretary of State can direct a regulated entity to take (or refrain from) specified actions, subject to necessity and proportionality. These "emergency" directions take precedence over conflicting requirements and are backed by information gathering, inspection and significant penalty powers.
Osborne Clarke comment
The CSRB is just starting its regulatory journey and may be subject to further amendment. Even once enacted, many of the more prescriptive elements will depend on secondary legislation. The government has signalled that it intends to consult on implementation proposals during 2026.
In terms of the steps in-scope (or potentially in-scope) entities should take now, there are two principal calls to action: firstly, to prepare early, leveraging what they already have; and secondly, to treat CSRB compliance as part of the business's wider cyber-law compliance strategy.
Much of what will be required will map onto well‑understood technical and organisational measures rather than novel controls. In practice, currently available resources will assist, including for example the NCSC's Cyber Assessment Framework.
For businesses that are also subject to NIS2, running a structured gap analysis against NIS2 (for example by using the ENISA Technical Implementation Guidance) to create a single workplan that can be reused in relation to the CSRB (and other laws) is likely to be a worthwhile time investment.
The practical takeaway is not to wait. The prescriptive measures are unlikely to surprise well‑run programmes, and there are credible roadmaps available now. However, early planning (potentially grounded in CAF and ENISA‑aligned good practice) will be critical.