Digital Defences – the new Cyber Security and Resilience Bill.
On 1 April 2025, the UK Government provided further details for the highly anticipated Cyber Security and Resilience Bill (the Bill). The Bill will expand the current scope of regulation, bringing more organisations into regulatory view.
What are current requirements?
The Network and Information Systems Regulations 2018 apply to:
- Operators of essential services (OES) – An organisation operating services deemed essential for the maintenance of critical societal or economic activities, where the service provision depends on network and information systems and any incident would have ‘significant disruptive effects’ on that service.
- Relevant digital service providers (RDSP) – A provider of a digital service that is an online market, an online search engine or a cloud computing service – with a head office or nominated representative in the UK, and 50 or more staff or a balance sheet of at least EUR 10 million.
The Bill will expand the current regime to include more entities and update requirements for operators of essential services and relevant digital service providers.
What do the reform proposals include and will they apply to us?
1. Expansion of the scope of the regime to include more entities.
Managed service providers (MSPs) providing core essential IT services to the public sector and UK businesses will be within scope given that they have considerable access to their clients’ IT systems and can themselves be vulnerable to cyber-attacks.
In-scope MSPs include those providing services to another organisation which:
(i) rely on the use of network and information systems to deliver the service;
(ii) relate to ongoing management support, active administration and/or monitoring of IT systems, IT infrastructure, applications, and/or IT networks, including for the purpose of activities relating to cyber security; and
(iii) involve a network connection and/or access to the customer’s network and information systems.
Including MSPs allows the Government to enhance the security of the IT infrastructure of a broader range of services. An estimated 900-1100 MSPs are expected to be newly regulated.
2. Strengthening supply chain security.
Secondary legislation introduced under the Bill will clarify and strengthen supply chain duties for OESs and RDSPs against vulnerabilities that may undermine essential or digital services. Adoption of proportionate and appropriate measures (with detail awaited) will be required, for example through contractual requirements and security checks.
Regulators will be given powers to bring other high-impact suppliers within scope as designated critical suppliers (DCS). Suppliers who provide goods or services to an OES or an RDSP that rely on network and information systems can be individually designated as a DCS where a regulator considers that a disruption to their goods or services could cause ‘a significant disruptive effect on the essential or digital service it supports’.
Small and micro RDSPs are currently outside of the regime; however, under these proposals, smaller RDSPs may be designated as a critical supplier by regulators. It is expected that DCSs will be a very small number of suppliers providing goods or services to OESs and RDSPs.
3. Empowering regulators and enhancing oversight.
The Bill will:
- expand the ICO’s powers to enforce registration and enhance its ability to identify and mitigate risks before they materialise.
- enable regulators to set a fees regime and recover costs.
- give the Secretary of State new powers to update existing technical and methodological security requirements and issue codes of practice.
- require incident notification to applicable regulators and the NCSC within 24 hours, with full reporting within 72 hours. Digital service providers and data centres that experience a significant incident will also be required to alert customers.
4. More agile and flexible regulatory powers to match cyber security evolution.
The Secretary of State will be granted new powers to update the regulatory framework, without new primary legislation, for example to allow for new sectors and sub-sectors to be brought within the scope of the regulations, or for new requirements for regulated entities to be introduced.
5. New duties for data centres.
With data centres now designated as Critical National Infrastructure, the Government is planning to move forward with extending regulatory oversight, given the potential scale of impact on wider sectors of the economy which would be caused by disruption to data centres.
Key points:
(i) All UK data centres will be included in scope of the regulatory regime, irrespective of the nature of services offered from them and their ownership, although there are some minor carve-outs based on size and whether or not they are enterprise data centres;
(ii) New data centre duties will include providing information, having measures to manage risk and reporting significant incidents. The scope will be adjustable over time to respond to developments;
(iii) The Government will carry out an impact assessment and data centre operators should consider feeding back cost and other growth impacts;
(iv) Timing is uncertain as the measures may not be included in the Cyber Security and Resilience Bill. The Government will decide the appropriate legislative vehicle for the measures in due course.
Open questions on the effectiveness of proposed regulation.
- Will regulators be sufficiently resourced to handle expanded powers?
- Can flexibility and agility be balanced with consistency and oversight?
- How will this align with the Government’s broader push for growth-friendly regulation?
Digital operators will need to be alert for more updates when the Bill is introduced into Parliament later this year and consider impacts now.