January 2026 | Baker McKenzie

The Cyber Security and Resilience Bill represents the UK’s most significant cyber reform since the UK NIS Regulations 2018. The Bill modernises the UK framework to address systemic cyber risk, digital supply‑chain exposure and the need for earlier visibility of incidents, with full effect anticipated by 2028 following consultation and secondary legislation.

What is new in the UK
The Bill adopts a targeted, criticality‑driven approach, bringing into scope medium and large managed service providers (“MSPs”), large load controllers, certain data centres used to provide digital services, and designated critical suppliers whose disruption could create cascading economic or national security impacts. Incident reporting obligations are materially revised, shifting the trigger from service disruption to system compromise, with a 24‑hour initial notification and a 72‑hour follow‑up report. Regulators are granted enhanced tools, while the NCSC plays an operational support role (not a regulatory one).

How this compares with EU NIS2
While aligned with NIS2 on key principles—scope expansion to MSPs and data centres, accelerated reporting timelines, supply‑chain focus and cost recovery—the UK framework deliberately diverges in design. Unlike NIS2’s broad sector‑based expansion and prescriptive governance model, the UK Bill applies a more proportionate and flexible regime, emphasising systemic risk, regulatory discretion and national security responsiveness, including powers of direction.

What leadership should do now
Organisations with UK exposure should assess whether they fall within scope, test incident‑response readiness for 24‑hour notifications, review critical supplier dependencies, and align UK planning with existing EU NIS2 programmes without assuming full equivalence.

Read the full Client Alert Below:
UK Cyber Security and Resilience Bill – Key Developments, Comparison with EU NIS2 and Practical Considerations

General information only; not legal advice.


UK Cyber Security and Resilience Bill – Key Developments, Comparison with EU NIS2 and Practical Considerations | Baker McKenzie, January 2026

Since the introduction of the NIS Regulations 2018, the UK cyber threat landscape has evolved significantly. Cyber attacks are increasingly supply‑chain‑driven, often linked to state‑sponsored activity, and capable of causing wide‑scale operational and economic disruption. The UK Government estimates the annual cost of cyber attacks to UK businesses at £14.7 billion, and the UK is now identified as the most targeted jurisdiction in Europe.

The UK Government has introduced the Cyber Security and Resilience Bill (the Bill), marking the most significant reform of the UK cyber security framework since the Network and Information Systems Regulations 2018 (“NIS 2018”). The Bill responds to these developments by recalibrating the existing framework around principles of criticality, proportionality and speed of response, with a particular emphasis on earlier visibility of cyber incidents.

While the Bill draws on the same regulatory lineage as the EU NIS2 Directive, it adopts a distinct, UK‑specific approach, prioritising national resilience and operational effectiveness over broad sectoral harmonisation. The new regime is expected to be implemented through consultation and secondary legislation, with full operational effect anticipated by 2028.

Strategic Context

Cyber security has moved beyond a purely technical risk and is now recognised as a matter of national security, economic stability and public trust. The UK has consistently been identified as one of the most targeted jurisdictions for cyber attacks, with significant impacts on essential services, digital infrastructure and supply chains. Against this background, the Government has determined that the existing NIS 2018 framework—while foundational—requires recalibration to address: (i) systemic risks arising from managed services and shared infrastructure; (ii) delayed visibility of cyber incidents; and (iii) limitations in regulatory responsiveness to emerging threats.

The Bill is designed to address these challenges through a targeted, risk‑based and adaptable regulatory model.

Key Features of the Bill

  1. Targeted Expansion of Scope

The Bill expands regulatory coverage selectively, focusing on entities whose compromise could create cascading or systemic effects on the UK economy or national security. Key inclusions are expected to comprise:

  • Managed Service Providers (MSPs): Medium and large MSPs with privileged or persistent access to customer systems will be brought into scope, reflecting their role as high‑impact aggregation points for cyber risk. Small and micro enterprises are excluded.
  • Data Centres: Medium and large data centres, including enterprise data centres used to provide digital services, will be subject to the regime. The legislative intent is not to capture purely internal intragroup IT infrastructure, unless defined thresholds or service characteristics are met.
  • Designated Critical Suppliers: Regulators will be empowered to designate suppliers as “critical” where their disruption could materially affect essential or digital services. Designation will be subject to defined statutory criteria and procedural safeguards, including the ability for suppliers to make representations.
  • Large Load Controllers: Entities capable of materially influencing electricity system stability will be regulated to mitigate risks of cyber‑enabled grid disruption.

  2. Revised Incident Reporting Obligations

The Bill introduces a single, harmonised incident reporting duty across NIS sectors and significantly broadens the scope of reportable incidents. Notably:

  • Reporting triggers are no longer limited to service disruption or confirmed ransomware attacks.
  • System compromise, including incidents affecting the confidentiality, integrity or availability (CIA) of systems or data, may give rise to notification obligations.

A two‑stage reporting model applies:

  • an initial notification within 24 hours, intended as a light‑touch alert; and
  • a fuller report within 72 hours, once additional information is available.

The reporting regime is designed to enable early situational awareness and coordinated response, rather than to operate as an enforcement mechanism in its own right.

  3. Enhanced Regulatory Framework

To support effective implementation, the Bill provides regulators with additional tools, including:

  • wider information‑sharing powers between competent authorities;
  • cost‑recovery mechanisms for supervisory and enforcement activities; and
  • a Statement of Strategic Priorities, issued by the Secretary of State, requiring regulators to align NIS oversight with national cyber security objectives.

The Bill expressly seeks to avoid duplication of existing sector‑specific regulatory regimes, including those applicable to financial services and operational resilience. Any overlap is expected to remain limited and to be addressed through secondary legislation and regulatory coordination.

Role of the National Cyber Security Centre

The National Cyber Security Centre (NCSC) plays an enhanced operational role under the framework but does not act as a regulator.

Engagement with the NCSC is not mandatory, and organisations are not legally required to implement NCSC guidance. However, early information sharing enables the NCSC to provide targeted support and to correlate intelligence across sectors.

From a governance perspective, engagement with the NCSC may be seen as an important indicator of reasonable and proactive cyber risk management.

Comparison with the EU NIS2 Directive

Although the Bill and the EU NIS2 Directive share a common conceptual origin in the original NIS framework, they reflect different regulatory priorities and design choices. Nonetheless, both regimes are clearly aligned on a number of core policy objectives.

In particular, both regimes:

  • expand regulatory scope to include managed service providers and data centres, recognising their growing role as critical digital enablers;
  • introduce accelerated incident notification timelines, based on a 24‑hour early warning followed by a more detailed report within 72 hours;
  • place enhanced emphasis on supply chain cyber risk; and
  • allow regulators to recover the costs associated with supervision and enforcement.

These areas of alignment mean that, in practice, many technical and organisational measures adopted for NIS2 compliance will also support readiness for the UK framework.

At the same time, the two regimes diverge in important and deliberate ways. NIS2 adopts a broad, sector‑based expansion, extending mandatory cyber obligations to a wide range of additional industries, including food, chemicals and postal services, with a strong focus on internal market harmonisation. By contrast, the UK Bill applies a criticality‑driven approach, concentrating regulatory attention on those digital enablers—such as MSPs, data centres and designated critical suppliers—whose compromise would be most likely to generate systemic or cascading risk for the UK economy or national security.

A further point of divergence concerns governance and senior management accountability. NIS2 introduces explicit obligations on the “management body”, requiring board‑level involvement in cyber risk management and, in some cases, exposure to liability for non‑compliance. The UK Bill takes a more proportionate and flexible approach, reinforcing expectations around governance and prioritisation without automatically imposing harmonised board‑level liability constructs, and leaving greater scope for calibration through guidance, supervision and enforcement discretion.

Differences also emerge in relation to enforcement philosophy. NIS2 relies on harmonised administrative penalties: Member States must provide for maximum fines of at least EUR 10 million or 2% of total worldwide annual turnover, whichever is higher, for essential entities (and at least EUR 7 million or 1.4% for important entities), reflecting its prescriptive and deterrence‑driven model. The UK framework, while strengthening regulatory powers, places greater emphasis on discretion, remediation and adaptability, supported by enhanced regulatory tools rather than automatic escalation to high financial penalties.

Finally, the UK Bill is more explicit in addressing national security responsiveness. It introduces specific powers of direction, enabling targeted intervention by the Secretary of State where a significant cyber risk to national security is identified. While NIS2 allows Member States to issue binding instructions in exceptional circumstances, the UK framework integrates this capability more directly, reflecting domestic security priorities.

Overall, the UK has intentionally pursued alignment with NIS2 in substance, but not replication in form, seeking to ensure interoperability for cross‑border organisations while preserving national flexibility and the ability to respond rapidly to evolving cyber threats.

Implementation Timeline (UK Bill)

  • 2025–2026 – Parliamentary scrutiny and public consultation
  • 2026–2027 – Secondary legislation and regulatory guidance
  • By 2028 – Anticipated full operational effect

Practical Implications and Next Steps

Organisations operating in or connected to the UK should consider:

  • reviewing whether they may fall within scope as an MSP, data centre operator or designated critical supplier;
  • assessing the adequacy of incident response and escalation procedures, particularly in light of the 24‑hour notification requirement;
  • mapping supply chains to identify potential critical‑supplier exposure;
  • aligning UK preparedness with existing EU NIS2 compliance programmes, where applicable; and
  • monitoring consultations and implementation measures closely.

It should also be noted that certain intragroup cloud or shared IT infrastructures—where cloud computing services are provided internally across multiple group entities or locations—may fall within the scope of the Bill, depending on their characteristics and operational use, even where such services are not offered to third parties.

Conclusion

The Cyber Security and Resilience Bill signals a shift in UK cyber regulation from a sector‑based compliance model to one anchored in national resilience and systemic risk management. While aligned with international developments, including NIS2, the framework reflects the UK’s preference for proportionality, operational flexibility and rapid response. For many organisations, early preparation and alignment across jurisdictions will be key to managing regulatory risk and supporting long‑term operational resilience.

This client alert is provided for general information purposes only and does not constitute legal advice. Specific advice should be sought in relation to particular circumstances.

Authors

Adele is a partner in Baker McKenzie's London office.

Chiara Leoni is an Associate at Baker McKenzie Milan.