The Cyber Security and Resilience (Network and Information Systems) Bill amends the UK’s NIS Regulations to bring new classes of infrastructure and suppliers under regulatory supervision. It adds data centre services, large load controllers (smart energy control), and managed service providers to the NIS perimeter; creates a parallel regime for “relevant digital service providers” and “relevant managed service providers”; and establishes a route to designate upstream “critical suppliers.”
The Bill also tightens incident reporting and customer‑notification rules, expands investigative and enforcement tools (inspections, information notices, charging schemes and higher penalties), and gives the Secretary of State powers to set strategic priorities, issue statutory codes and, where national security is at risk, issue binding directions that take priority over other regulatory obligations. For operators, suppliers and their customers this is a material shift in compliance scope, transparency and potential liability.
At a Glance
What It Does
Amends the Network and Information Systems Regulations to: (1) designate data‑centre services, managed service providers and large load controllers as regulated where specified thresholds are met; (2) create registration duties for overseas providers and UK representatives; (3) require prompt incident notifications (initial and full) and customer notices; (4) enable designation of critical suppliers; and (5) give the Secretary of State powers to set strategic priorities, make further regulations and issue national‑security directions.
Who It Affects
Operators and owners of data centres that meet the rated IT load thresholds, companies operating load‑control platforms that can influence ≥300MW of load, managed service providers that connect to customer systems under contract, cloud/search/marketplace platforms that meet the RDSP test, upstream suppliers that may be designated as critical, regulators (ICO, sector competent authorities), GCHQ/CSIRT, and large customers of these services.
Why It Matters
It expands regulatory reach into parts of the digital and energy ecosystem that were previously lightly regulated, shifts more security and incident‑response responsibilities onto service providers, centralises strategic direction with the Secretary of State and GCHQ, and gives regulators new funding and penalty powers—raising compliance costs, operational transparency and the stakes for incident management.
What This Bill Actually Does
The Bill takes the existing NIS framework and widens it to capture three types of entities that underpin modern services: data centres, managed service providers (RMSPs) and large load controllers in the smart energy ecosystem. It does this by inserting new definitions, numerical thresholds and registration duties into the NIS Regulations so that operators whose scale or function meets those tests must register, publish representative contact details and, where relevant, nominate a UK representative.
Reporting rules are tightened and harmonised across operators of essential services (OESs), relevant digital service providers (RDSPs) and RMSPs: an initial alert must be provided quickly and a fuller report within a defined short timeframe, with separate, specific duties on data‑centre OESs and managed‑service providers to notify affected customers after the regulator has the full picture. The CSIRT and the SPOC (single point of contact) receive notification copies so regulators and national cyber responders can coordinate proportionate action and, in some cases, publish public information to manage incidents.
The Bill formalises a “critical supplier” route: competent authorities (and the Information Commissioner in relation to RDSPs/RMSPs) can designate upstream suppliers that are essential to OESs, RDSPs or RMSPs where their loss would materially disrupt the economy or daily life. Designation requires consultation and coordination between authorities, and can reach entities established outside the UK.
To fund supervision and enforcement the Bill allows charging schemes and ad hoc cost recovery by designated authorities. Investigatory tools are broadened—information notices, inspections and approved skilled‑person reviews—and penalties are scaled to seriousness, with high fixed caps and turnover‑linked maxima for the most serious failures.
Separately, Part 3 creates a Secretary‑of‑State power to issue a statement of strategic priorities, make bespoke system‑resilience regulations, and publish a statutory code of practice that regulators must consider when issuing guidance.
The Five Things You Need to Know
Data‑centre services become an OES where the rated IT load meets 1 MW (non‑enterprise) or 10 MW (enterprise) thresholds; operators must provide basic contact and corporate details within 3 months of designation.
A load controller is captured as an OES if it can send load‑control signals to relevant energy smart appliances whose aggregate potential electrical control is ≥300 MW (definition of managed ESAs and intermediary treatment included).
Initial incident notifications must be sent within 24 hours of awareness and a full notification within 72 hours; data‑centre, RDSP and RMSP rules require simultaneous copy to CSIRT and subsequent customer notification duties after the full report.
Designated competent authorities and the Information Commissioner can designate upstream ‘critical suppliers’ (including non‑UK entities) after consultation; designations may be coordinated across regulators and can be revoked where criteria cease to be met.
Regulators can impose periodic charging schemes, information notices and inspections; penalties include dual caps under the amended NIS structure (standard: up to £10m or 2% turnover; higher: up to £17m or 4% turnover) and daily rates for continuing breaches.
Section-by-Section Breakdown
Expands who the NIS regulates and sets thresholds
This chapter modifies the NIS Regulations to add (a) data‑centre services with explicit structural and ‘rated IT load’ thresholds (1MW/10MW depending on commercial basis), (b) managed service providers defined by contractual ongoing management and remote access to customer systems, and (c) large load controllers with a 300MW aggregate control threshold. It also clarifies that many designations can apply to entities not established in the UK and excludes public electronic communications services from some capture rules. Practically, it means operators and upstream suppliers must first determine whether they meet the new technical and commercial thresholds and then follow registration, contact and compliance paths set elsewhere in the Bill.
Creates a designation route for upstream critical suppliers and coordination duties
Competent authorities (and the Information Commissioner for RDSP/RMSP supply chains) gain explicit power to designate suppliers as critical where a supplier’s network/system failure could significantly disrupt essential services or the wider economy. Designation triggers duties (consultation, notice to the supplier, rights of representation) and authorities must coordinate with one another and consider whether existing obligations on downstream customers are sufficient. There are procedural protections (consultation windows and revocation routes) but designations can apply to non‑UK firms, raising cross‑border enforcement and contractual implications.
Harmonises notification timelines and obliges customer notification for certain incidents
The Bill standardises an initial 24‑hour notification followed by a comprehensive 72‑hour report for OESs, RDSPs and RMSPs, with parallel duties to provide copies to the CSIRT. Data‑centre OESs have a bespoke definition of a data‑centre incident and an explicit duty to identify and notify affected UK customers after the regulator has received the full notification. The Information Commissioner and CSIRT receive registers of RDSPs/RMSPs to support cross‑agency incident response and cross‑border notification is enabled where third‑country authorities have corresponding roles.
New enforcement tools, cost recovery and information‑sharing pathways
This chapter authorises charging schemes (periodic and ad hoc), expands information‑gathering powers (written information notices including power to require generation or retention of data), and broadens inspection powers. It sets limits and procedural protections (timeframes for compliance, privileged communications carve‑outs) and strengthens statutory information‑sharing between NIS enforcement authorities, the Secretary of State and GCHQ/CSIRT. The Bill requires annual transparency reporting about incident volumes and charging income, and affords regulators the power to recover unpaid charges as civil debt.
Higher, tiered penalty regime and updated appeal routes
The Bill amends the penalty framework: it introduces a standard maximum (greater of £10m or 2% turnover) for many compliance failures and a higher tier (greater of £17m or 4% turnover) for the most serious breaches (including notification failures and key security duties). Daily rates apply for continuing breaches. The Information Commissioner gains express power to pursue RMSP failures; enforcement notices, confirmation decisions and an expanded appeals route to the First‑tier Tribunal are provided with statutory procedures for representation and judicial review pathways preserved.
Strategic priorities, secondary regulations and a statutory code
Part 3 lets the Secretary of State issue a formal statement of strategic priorities for system security and resilience, subject to consultation and parliamentary procedure, and requires regulators to have regard to it. The Secretary of State may also make broad regulations to impose resilience requirements on ‘regulated persons’, publish a statutory code of practice, and compel periodic reporting on how regulators are delivering against the strategy. These are intentionally broad powers: secondary legislation will define many specifics and set penalty ceilings for future regulatory regimes.
Emergency national‑security directions that can override other regulatory duties
Where a security or operational compromise risks national security, the Secretary of State can issue binding directions to regulated persons and regulatory authorities requiring or prohibiting specified actions. Directions must be necessary and proportionate; the Secretary of State can limit disclosure of their existence or contents; directions take priority where compliance with concurrent regulatory duties is impossible; and regulators may be directed to monitor compliance. The Bill includes inspection, enforcement, non‑disclosure penalties and civil remedies to enforce compliance.
Who Benefits and Who Bears the Cost
Who Benefits
- Large data‑centre customers and cloud consumers — better incident transparency and a statutory customer‑notification route mean customers can make faster operational decisions and contractual claims after outages or security incidents.
- National cyber response bodies (CSIRT, SPOC and GCHQ) — receive statutory access to registers, notifications and coordinated information sharing, improving cross‑agency situational awareness and international engagement.
- Regulatory authorities (ICO and sector NIS competent authorities) — gain explicit powers to designate critical suppliers, issue enforcement notices, collect charges and coordinate cross‑regulator activity, which strengthens oversight and accountability.
- Organisations that already operate to high security standards — may gain competitive advantage where designation brings clearer minimum expectations and greater visibility of supply‑chain resilience.
Who Bears the Cost
- Data‑centre operators and managed service providers that cross the thresholds — must add compliance (registration, incident management, representative nomination), implement additional technical/security controls and support inspections, all of which raise operational costs.
- Upstream suppliers designated as critical — face new regulatory obligations, potential audits, and reputational exposure; foreign suppliers may need to accept UK‑style oversight or change commercial terms.
- Regulators and government — the Information Commissioner, sector regulators and GCHQ will need extra staff, technical intake and international engagement capacity to operate registers, review designations, process incidents and support charging schemes.
- Customers of smaller suppliers — may experience service changes or increased contracting complexity if suppliers pass through compliance costs or if non‑UK suppliers change terms to limit regulatory exposure.
Key Issues
The Core Tension
The central dilemma is balancing national security and system resilience against openness, regulatory proportionality and commercial burden: the Bill arms government and regulators with powerful, sometimes secretive instruments designed to reduce systemic risk, but those instruments impose compliance costs, reduce transparency for affected customers and suppliers, and concentrate discretion in executive hands—tradeoffs that will surface in designation disputes, disclosure decisions and the first major cross‑border incident the regime handles.
The Bill is deliberately wide in scope and uses numeric thresholds, cross‑border capture and delegation to secondary legislation. That breadth raises implementation frictions.
First, the numerical thresholds for data centres (rated IT load) and load controllers (300MW aggregate control) are precise but will require administrative rules and measurement guidance: for example, how to treat shared facilities, colocation, hybrid/private cloud, and intermediaries that process or transform control signals. The designation of critical suppliers—especially non‑UK ones—creates coordination and enforcement challenges where legal reach and contractual leverage differ across jurisdictions.
Second, the Bill centralises strategic control with the Secretary of State and enables national‑security directions with non‑disclosure powers. Those tools trade democratic transparency and commercial predictability for operational secrecy.
A direction that must remain secret can materially affect contractual counterparties, investors and end users without the usual oversight mechanisms. The Bill tries to balance this by requiring consultation where practicable and by limiting secret disclosures to national‑security necessity, but those are judgment calls that depend on inter‑agency trust and resourcing.
Third, information‑sharing carve‑outs and the Investigatory Powers Act constraint create legal friction points. The Bill expressly allows broad information flows for cyber resilience, but it also preserves prohibitions in surveillance law, and it requires consent and proportionate use when regulators pass incident data among each other or to industry.
Operationalising those legal limits while maintaining rapid incident response will be an early implementation stress‑test for regulator legal teams and for GCHQ/CSIRT’s ability to act quickly across private sector partners.