Broadly, the measures are part of three key areas of reform: (1) expanding the regulatory scope; (2) empowering regulators and enhancing oversight; and (3) ensuring an adaptive regulatory landscape to respond to the evolving threat landscape. We highlight the key aspects for members below.
An expanded scope
Similarly to the NIS Regulations in 2018, the Bill’s scope will focus on the UK’s essential services, or the sectors whose disruption would have an effect on daily lives – such as the NHS, transport and energy. The Bill will also go further, bringing Managed Service Providers (MSPs), load controllers, designated critical suppliers and data centres into scope.
1. Managed Service Providers (MSP): Large and medium MSPs will be brought into scope of the regulation. Many companies now outsource their IT services to MSPs, who provide essential services such as IT helpdesks and cyber security services. These companies have access to their customers’ systems – making them a clear target for cyber attacks. You can access the fact sheet for relevant digital providers here.
An MSP is defined as a service which:
is provided by one organisation to another organisation via a contract; and
consists of ongoing management in relation to a customer’s information technology systems; and
is provided by means of the organisation, or a person authorised by the organisation, having a connection (or access) to the customer’s network and information systems; that connection can be established on the customer’s premises or remotely.
2. Designated critical suppliers: The Bill will give competent authorities or the Information Commission the power to bring suppliers into scope of the regulation if they are deemed to supply an essential service. This is a key part of the government’s ambition to improve supply chain security across essential and digital services. A series of considerations must be made before designating a supplier as ‘critical’; this includes a period of consultation and an assessment of the impact any disruption could have on the UK’s way of life. This clause will bring the UK in line with the UK financial sector’s Critical Third Parties regime and the EU NIS2 Directive’s approach to supply chain duties.
A designated critical supplier is defined as:
The supplier must provide goods or services directly to an Operator of Essential Services (OES) for which the authority is the designated competent authority.
The supplier must rely on network and information systems in order to provide these goods or services.
An incident affecting the operation or security of any network and information systems relied on by the supplier for the purposes of that supply must have the potential to cause disruption to:
the provision of any essential service, relevant digital service, or managed service by the person to whom the supply is made; or
the provision of essential services, relevant digital services, or managed services (whether of a particular kind or generally) by persons to whom the supplier provides goods or services.
That disruption is likely to have a significant impact on the economy or the day-to-day functioning of society in the whole or any part of the United Kingdom. This includes both scenarios of direct service disruption and cyber risk introduced by the supplier’s systems.
3. Large load controllers: Load controllers are being brought into scope to reduce the risk of grid disruption through enhanced cyber security requirements.
A large load controller is defined as an organisation that manages electrical load for smart appliances – a key service as the UK continues its transition to Clean Power 2030 and Net Zero.
4. Data centres: Read techUK’s assessment of the requirements on data centres below.
Ensuring effective regulators
The Bill will drive a more consistent and effective regime across the 12 regulators responsible for implementing the laws. This will include expanded and more timely reporting of harmful cyber-attacks; a stronger mechanism for government to set priority outcomes for regulators to work to; and a fuller toolkit for sharing information, recovering costs and enforcement.
1. Incident reporting will be expanded and made more timely. This includes:
A ‘light touch’ initial notification within 24 hours, in addition to the current requirement for a full report within 72 hours. The NCSC will be made aware of the incident alongside the regulator to better support organisations with rapid response and identify systemic vulnerabilities.
Broader definitions to capture more types of incidents – for example, those that are capable of having a significant impact even if no impact has yet occurred at the point of discovery, such as ransomware and pre-positioning attacks.
A requirement for data centres, digital and managed service providers to alert customers who are likely to have been impacted by an incident, to increase transparency and enable those customers to take their own actions to mitigate harms.
2. The Secretary of State will be given powers to drive better consistency in how regulators implement the NIS Regulations by setting the priority outcomes regulators will have a duty to seek to achieve. These outcomes will be set out in a designated public statement of strategic priorities, a well-used tool across a range of regimes such as online safety, helping regulators consider how they can support the government in achieving its strategic priorities.
3. Regulators will be empowered to recover the full costs associated with their NIS functions, so they are better resourced to carry out their responsibilities. At present, regulators are constrained in their ability to recover the costs associated with overseeing and enforcing the regime which keeps our essential services safe.
This power will be underpinned by safeguards, including the requirement to show how these funds are being raised/used (a ‘charging scheme’) and to consult with regulated entities ahead of the creation of the charging scheme. Regulators will also not be able to make a profit.
The approach for this is based on precedent cost recovery regimes found in the Online Safety Act 2023, the Telecommunications (Security) Act 2021 and the Data Protection Act 2018.
4. The ability to share information is fundamental to the successful functioning of the regime. It helps regulators, the UK intelligence agencies and law enforcement develop a consistent and comprehensive understanding of cyber risks and mitigations, and reduces administrative burdens for businesses. Greater clarity will be provided on what information regulators can share and receive, including with law enforcement, to support delivery of NIS functions while minimising burdens on businesses.
5. Effective enforcement will have a key role to play in encouraging better compliance with the regulations, and the Bill will reform the current enforcement requirements with the objective of ensuring a more effective and proportionate regime.
The maximum financial penalty will be amended – enabling potentially higher penalties when appropriate and proportionate – to reflect the significance of the regime and align with comparable legislation, such as General Data Protection Regulation (GDPR) laws and those which protect the cyber security of products, like baby monitors and smartphones. Penalty bands for non-compliance will also be simplified to make them clearer, and the regime more effective.
Enabling resilience
The government does not currently have the authority to respond quickly to the evolving threat and attack landscape. This part of the Bill is focused on speeding up the process by giving the government power to act swiftly against threats. These powers are broken down into two areas:
1. Future-proofing: The government’s ambition is to become more responsive to evolving cyber threats. It will have the ability to introduce secondary legislation to bring new sectors into scope of the regulation or to update the security requirements. This fills a gap following Brexit, and will be key to implementing the regime.
2. Powers of direction: This will give the Secretary of State the power to direct regulators and regulated entities to take necessary and proportionate action to respond to threats to the UK’s national security. This will include enhanced monitoring and isolation of high-risk systems to protect essential services.
More on what this means for data centres
1. Recognition as essential services
The Bill formally designates data centres as operators of essential services (OES) under the NIS Regulations (Part 2, Ch. 1).
Data centre operators will now be regulated similarly to critical infrastructure sectors (energy, transport, health, etc.).
Thresholds:
Commercial/Third-party data centres: ≥1 MW rated IT load.
Enterprise (self-operated) data centres: ≥10 MW rated IT load.
2. Definition of “Data Centre Service”
A data centre service covers the physical infrastructure used to house, connect, and operate IT equipment, including supporting infrastructure for:
Electricity supply,
Environmental control (HVAC, dust/humidity/fire management),
Security systems,
Resilience and redundancy provisions
3. Scope of regulation
Applies regardless of whether the operator is UK-established, covering all providers of data centre services operating in the UK.
Crown exemption: Government intelligence bodies (MI5, MI6, GCHQ) are excluded where national security requires it.
4. Reporting and compliance duties
Operators must:
Provide information to the designated competent authority (Secretary of State and Ofcom, jointly).
Report cyber or operational incidents within 24 hours (initial) and 72 hours (full).
Notify customers likely to be affected by an incident, including potential compromise of data or service continuity.
5. Regulatory oversight and enforcement
Competent authorities can impose:
Information requests, inspections, and compliance directives.
Financial penalties for non-compliance.
Directions under Part 4 of the Bill where threats pose national security risks.
High level implications
While much of the detail is expected as part of secondary legislation for implementation, the Bill elevates the strategic recognition of data centres as critical national infrastructure (CNI), strengthening the investment case and public policy support.
Furthermore, it aims to improve sector resilience and incident response coordination with national cybersecurity bodies, and seeks to create a uniform regulatory baseline, enhancing trust among enterprise customers and international partners. It also aims to align with existing similar EU regulation on NIS.
What to know about the implementation of the Bill...
There will be a ‘sequenced’ approach to implementation, the intention being to bring the Bill’s reforms online as soon as possible, while giving affected industry and regulators appropriate information as well as time to plan, prepare and adjust practices. A business adjustment period will be communicated prior to new or updated duties coming into force.
Once the Bill has become an Act, it will come into force in phases. Certain measures will come into force on ‘Day 1’ or on ‘Month 2’ after Royal Assent, while others will be brought into force through secondary legislation (also known as “commencement regulations”) at a time determined by the Secretary of State. Government has set these out in a non-exhaustive list as follows:
Day 1
Future proofing
The post-implementation review
Month 2
Statement of strategic priorities
Information sharing
Via secondary legislation
Powers of Direction
Data Centres
Relevant Managed and Digital Service Provider updates
Large Load Controllers
Critical suppliers
Incident reporting
Cost recovery
Most of the measures that will come into force via secondary legislation rely on further detail to be operational and implemented. These are technical details and measures that are not appropriate for primary legislation, therefore, they would be introduced in secondary legislation following consultation. The introduction of this secondary legislation will be coordinated to ensure that all relevant duties and information are in place and available before compliance begins for existing and newly regulated entities.
Government will consult stakeholders on its wider implementation approach and policy to be included in secondary legislation, where necessary. It intends to consult on implementation proposals in 2026, then analyse and incorporate feedback, as well as consider any relevant developments during bill passage and the wider cyber and risk landscape. The government will then respond to the consultation, then secondary legislation will be laid before Parliament. Relevant stakeholders will be given an appropriate adjustment period.
Next steps
The Bill will move to its second reading which is when Members of Parliament will have the first opportunity to debate the main principles in the Bill. This usually takes place in the two weekends following the first reading. techUK will update members when the date for this is confirmed.
techUK will be holding a member briefing session next Tuesday 18 November (10.30-12.00) and you can sign up for this here.
If you are a member who has not received techUK’s communications on the Bill and would like to receive updates, please contact Annie Collings at [email protected].
Jill Broom
Head of Cyber Resilience, techUK
Jill leads the techUK Cyber Resilience programme, having originally joined techUK in October 2020 as a Programme Manager for the Cyber and Central Government programmes. She is responsible for managing techUK's work across the cyber security ecosystem, bringing industry together with key stakeholders across the public and private sectors. Jill also provides the industry secretariat for the Cyber Growth Partnership, the industry and government conduit for supporting the growth of the sector. A key focus of her work is to strengthen the public–private partnership across cyber to support further development of UK cyber security and resilience policy.
Before joining techUK, Jill worked as a Senior Caseworker for an MP, advocating for local communities, businesses and individuals, so she is particularly committed to techUK’s vision of harnessing the power of technology to improve people’s lives. Jill is also an experienced editorial professional and has delivered copyediting and writing services for public-body and SME clients as well as publishers.
Annie is the Programme Manager for Cyber Resilience at techUK. She first joined as the Programme Manager for Cyber Security and Central Government in September 2023.
In her role, Annie supports the Cyber Security SME Forum, engaging regularly with key government and industry stakeholders to advance the growth and development of SMEs in the cyber sector. Annie also coordinates events, engages with policy makers and represents techUK at a number of cyber security events.
Before joining techUK, Annie was an Account Manager at a specialist healthcare agency, where she provided public affairs support to a wide range of medical technology clients. She also gained experience as an intern in both an MP’s constituency office and with the Association of Independent Professionals and the Self-Employed. Annie holds a degree in International Relations from Nottingham Trent University.
Olivia Staples joined techUK in May 2025 as a Junior Programme Manager in the Cyber Resilience team.
She supports the programs mission to promote cyber resilience by engaging key commercial and government stakeholders to shape the cyber resilience policy towards increased security and industry growth. Olivia assists in member engagement, event facilitation and communications support.
Before joining techUK, Olivia gained experience in research, advocacy, and strategic communications across several international organisations. At the Munich Security Conference, she supported stakeholder engagement and contributed to strategic communications. She also worked closely with local and national government stakeholders in Spain and Italy, where she was involved in policy monitoring and advocacy for both public and private sector clients.
Olivia holds an MSc in Political Science (Comparative Politics and Conflict Studies) from the London School of Economics (LSE) and a BA in Spanish and Latin American Studies from University College London (UCL).
Outside of tech, Olivia enjoys volunteering with local charities and learning Norwegian.
Fran Richiusa
Programme Team Assistant for Public Sector Markets, techUK
Fran serves as the Programme Team Assistant within techUK’s Public Sector Market Programmes, where she is responsible for delivering comprehensive team support, managing administrative functions, and fostering strong relationships with members.
Prior to joining techUK in May 2025, Fran built a meaningful career in the charitable and local government sectors. She worked extensively with both victims and perpetrators of crime, and notably led the coordination of Domestic Homicide Reviews across Surrey—an initiative aimed at identifying lessons and preventing future incidents of domestic abuse.
Outside of work, Fran is an avid traveller and a proud cat mum who enjoys unwinding with her feline companions.
techUK brings together key players across the cyber security sector to promote leading-edge UK capabilities, build networks and grow the sector. techUK members have the opportunity to network, share ideas and collaborate, enabling the industry as a whole to address common challenges and opportunities together. Visit the programme page here.