Sat. Jun 6th, 2026

Christina Antonelli

Connecting the World, Technology in Time

UK Cyber Resilience Bill extends oversight to OT suppliers and managed service providers, raises security baseline

The U.K. government on Wednesday introduced new legislation to strengthen national defenses against cyberattacks targeting critical sectors such as healthcare, transport, and energy. The proposed Cyber Security and Resilience Bill, introduced in Parliament, aims to bolster protections across essential public services, including hospitals, drinking water providers, and energy networks. The legislation supports the government’s Plan for Change by enhancing national security, improving resilience against cybercriminals and state-backed actors, and safeguarding the systems that underpin daily life and economic growth. The announcement comes as new research estimates that cyberattacks cost the U.K. economy nearly £15 billion each year.

These proposed laws would cover certain digital and essential services, including healthcare, transport, energy, and water. Under the proposals, medium and large companies providing services like IT management, IT help desk support, and cybersecurity to private and public sector organisations like the NHS will also be regulated for the first time. As holders of trusted access across government, critical national infrastructure, and business networks, these entities will be required to meet clearly defined security duties. This includes reporting significant or potentially significant cyber incidents promptly to the government and to customers, as well as having robust plans in place to deal with the consequences.

The bill was first announced last July, when the U.K. government confirmed, through the legislative agenda set out in King Charles’ speech, that it would introduce the Cyber Security and Resilience Bill into Parliament in the coming months. The bill is expected to strengthen the U.K.’s cyber defenses and ensure that critical infrastructure and the digital services relied upon by companies remain secure. In April, the government published a policy statement outlining the measures to be included in the forthcoming bill.

“Cyber security is national security. This legislation will enable us to confront those who would disrupt our way of life. I’m sending them a clear message: the U.K. is no easy target,” Liz Kendall, Science, Innovation, and Technology Secretary, said in a media statement. “We all know the disruption daily cyber-attacks cause. Our new laws will make the U.K. more secure against those threats. It will mean fewer cancelled NHS appointments, less disruption to local services and businesses, and a faster national response when threats emerge.”

Richard Horne, National Cyber Security Centre (NCSC) CEO, said that the real-world impacts of cyber attacks have never been more evident than in recent months, and that at the NCSC, “we continue to work round the clock to empower organisations in the face of rising threats. As a nation, we must act at pace to improve our digital defences and resilience, and the Cyber Security and Resilience Bill represents a crucial step in better protecting our most critical services.”

Horne added that cybersecurity is a shared responsibility and a foundation for prosperity, and urged all organisations, no matter how big or small, to follow the advice and guidance available at ncsc.gov.uk and to act with the urgency that the risk requires.

“The Bill represents a huge opportunity to strengthen cyber security and resilience to protect the safety of the people we care for,” Phil Huggins, National Chief Information Security Officer for Health and Care at the Department of Health & Social Care, said. “The reforms will make fundamental updates to our approach to addressing the greatest risks and harms, such as new powers to designate critical suppliers. Working with the healthcare sector, we can drive a step change in cyber maturity and help keep services available, protect data, and maintain trust in our systems in the face of an evolving threat landscape.”

The proposed Cyber Security and Resilience Bill also gives regulators new powers to designate critical suppliers to the U.K.’s essential services, such as those providing healthcare diagnostics to the NHS or chemicals to a water firm, where they meet the criteria. Designated suppliers would have to meet minimum security requirements, closing gaps in supply chains that criminals could exploit to cause wider disruption.

Enforcement will be modernised, including tougher turnover-based penalties for serious breaches, so cutting corners is no longer cheaper than doing the right thing. That’s because companies providing taxpayer services should make sure they have tough protections in place to keep systems up and running.

The Technology Secretary gets new powers to instruct regulators and the organisations they oversee, like NHS trusts and Thames Water, to take specific, proportionate steps to prevent cyber attacks where there is a threat to U.K. national security. This includes requiring that they beef up monitoring or isolate high-risk systems to protect and secure essential services. 

Earlier this year, the U.K. government published the Cyber Governance Code of Practice, setting out clear steps organizations must adopt to manage digital risks and safeguard their day-to-day operations. Whilst it is for companies to ensure they have proper protections in place, the Cyber Security and Resilience Bill targets those that will have the maximum impact on improving cyber resilience, bringing the services that retailers, hospitals, councils, and others depend on into scope and raising the baseline of protection for businesses in the long term.

Recent cyber-attacks on managed service providers clearly make the case for updated laws. In 2024, hackers accessed the Ministry of Defence’s payroll system via a managed service provider, while other recent attacks, such as the Synnovis incident in the NHS, resulted in over 11,000 disrupted medical appointments and procedures, and some estimates suggest costs of £32.7 million. This brings into sharp focus the impact cyber incidents can have on the public and our essential public services. 

Organizations in scope will need to report more harmful cyber incidents to their regulator and the NCSC within 24 hours, with a full report within 72 hours, so that support can be on hand more quickly and to help build a stronger national picture of cyber threats. If data centres or digital and managed service providers face a significant or potentially significant attack, they will have to notify customers who are likely to be impacted promptly, so that those organisations can act fast to protect their business, people, and services.

Data centres keep the U.K. running, from patient records and payments to email services and AI development. The Cyber Security and Resilience Bill will bring them into the scope of the regulations, ensuring they meet robust cybersecurity standards. 

Last September, the U.K. government officially designated data centers, which store a substantial portion of the nation’s data, as ‘Critical National Infrastructure.’ The decision acknowledged the vital role these data centers play in powering the economy, placing them on par with essential services like energy and water systems. Such a designation allows the government to provide enhanced support to the industry during critical incidents, minimizing economic disruption and aiding in recovery and future planning.

New safeguards will also cover organisations that manage the flow of electricity to smart appliances like electric vehicle charge points and electrical heating appliances in homes. This will reduce the risk of disruption to consumers using smart-energy appliances and the grid, bolstering the U.K.’s energy security. 

The Bill represents a step change in how the government protects people in an increasingly dangerous world, supporting the National Security Strategy.  It will help to deliver greater economic stability, protect businesses and working people from the impact of cyber attacks, and support further investment into the U.K.’s cyber security sector, which contributed £13.2 billion to the economy in the latest financial year. 

“In an era where cybercriminals move faster, experiment freely, and increasingly leverage AI to their advantage, the Cyber Security and Resilience Bill is an essential piece of legislation,” Jill Popelka, CEO of Darktrace, said. “It will improve the U.K.’s defences, enabling businesses and public services to securely harness the opportunities provided by technology and innovation.” 

Popelka added, “We’ve seen cyber attackers increasingly target supply chains and managed service providers in recent years, including vital institutions like the NHS and the Ministry of Defence. It’s promising to see the Bill recognise the risk across the digital ecosystem. It’s also good to see the government’s focus on future-proofing the regulatory environment for cybersecurity and creating a stronger role for NCSC’s Cyber Assessment Framework. These changes will help give organisations more confidence to adopt new technologies while staying prepared for the next evolution in threats.”

Ric Derbyshire, principal security researcher at Orange Cyberdefense, wrote in an emailed statement that the introduction of the Cyber Security and Resilience Bill (CSRB) is a welcome step towards strengthening and protecting the U.K.’s critical national infrastructure (CNI). “Crucially, an area it focuses on is the complex nature of supply chains that support CNI. It’s easy for organisations to fall into the trap of thinking of their ‘supply chains’ in the narrow terms of those immediately connected to them.” 

Derbyshire said that by bringing new classes of service providers into scope, from managed service providers and data centre operators to suppliers whose goods and services support critical systems, the CSRB broadens the reach of national cyber regulation. “This shift encourages organisations involved in CNI to recognise that security and resilience rely on an interdependent ecosystem, rather than a simple chain. The bolstered oversight and reporting powers introduced through the Bill represent a significant step-change in accountability.”

Following the cyber‑attack on Jaguar Land Rover in late August 2025, which forced U.K. factory shutdowns, halted supply chains, and inflicted losses of about £1.9 billion, potentially the country’s costliest breach, government ministers, including the Technology Secretary, Chancellor, and Business Secretary, recently wrote to business leaders and FTSE 350 firms, urging them to strengthen their cyber defences to face down the growing range of threats targeting U.K. organizations. These organisations can make use of the free guidance and tools available from the NCSC, including Cyber Essentials, Active Cyber Defence services, and the Cyber Assessment Framework for the U.K.’s most critical organisations, to help improve their resilience.

By admin