Introduction
In April 2025, the UK Department for Science, Innovation and Technology (DSIT) released the Cyber Security and Resilience Policy Statement, detailing legislative proposals for the Cyber Security and Resilience Bill, announced in the 2024 King’s Speech. The Bill aims to strengthen the UK’s cyber defences by updating the Network and Information Systems Regulations 2018, in response to the growing threats of cyber-attacks from hostile states and criminals.
According to the 2024 Cyber Breaches Survey, half of all UK businesses reported cyber incidents. This policy underscores the government’s commitment to protecting critical national infrastructure, enhancing regulator powers, and fostering economic growth through secure digital services.
Scope
The Policy Statement outlines several measures designed to reinforce cyber resilience across essential and digital services, focusing on:
- Expanding Regulatory Scope: Bringing Managed Service Providers into the NIS Regulations, alongside designating critical suppliers to secure supply chains.
- Empowering Regulators: Enhancing oversight through updated technical security requirements, improved incident reporting, stronger Information Commissioner’s Office (ICO) powers, and better cost recovery mechanisms.
- Futureproofing: Introducing delegated powers to adapt regulations to emerging threats without new primary legislation.
Further proposals under consideration include data centre regulation, a Statement of Strategic Priorities for regulators, and directional powers for the Secretary of State regarding regulated firms in the interest of national security.
These measures will align, where appropriate, with the EU’s NIS2 directive, helping to reduce systemic digital risks and create a secure environment for innovation and economic growth.
Requirements for Firms
Affected organisations, particularly Operators of Essential Services, Relevant Digital Service Providers, and Managed Service Providers, will be subject to new obligations:
- Managed Service Providers: Must comply with security and incident reporting duties, with the ICO as the regulating authority.
- Operators of Essential Services: Must implement supply chain controls such as contractual risk measures and third-party due diligence.
- Relevant Digital Service Providers: Must register with the ICO, share information on systemic criticality and respond to information notices.
All in-scope entities will be required to report qualifying cyber incidents:
- An initial notification within 24 hours
- A full incident report within 72 hours
Digital service providers and data centres must also notify affected customers of any material impact.
Next Steps for Firms
Firms should prepare for the Cyber Security and Resilience Bill by:
- Assessing Compliance: Review current cyber risk management strategies against the NCSC Cyber Assessment Framework and ensure readiness for enhanced ICO obligations.
- Monitoring Legislative Updates: Track the development of the Bill and anticipated secondary legislation.
- Securing Supply Chains: Implement robust supply chain controls and contract risk assessments.
- Budgeting for Regulatory Costs: Prepare for new fee structures to support regulatory enforcement and oversight.
How Complyport Can Help
Complyport offers tailored compliance and resilience services to help firms address cyber security and operational risks, meet regulatory expectations and strengthen continuity planning. Our services include:
- IT and Cybersecurity Audits: To identify and mitigate digital vulnerabilities;
- Framework Compliance Reviews: Including EBA Guidelines, Cyber Essentials, GDPR, SOC 2, NIS Directive, ISO 31000, ISO 27001, ISO/IEC 27036-4, and more;
- SOC 2 Audit Preparation: To validate internal control effectiveness;
- Operational Resilience Assessments: Ensuring continuity of critical business services;
- DORA Implementation Reviews: Supporting firms with EU regulatory exposure;
- REP018 Reporting Assistance: Helping firms meet FCA operational risk requirements.
Get in Touch
Book a consultation with one of our Subject Matter Experts today to ensure your organisation is well-positioned to meet these enhanced operational resilience and cyber security requirements.
Ask ViCA, your Virtual Compliance Assistant. Claim your complimentary 20 queries today! Register here: https://vica.chat