Landmark reform: the UK Cyber Security and Resilience Bill
March 2026 | FEATURE | RISK MANAGEMENT
Financier Worldwide Magazine
Cyber attacks are becoming increasingly prominent and are costing companies significantly. From financial losses to reputational damage, organisations continue to suffer at the hands of cyber criminals. In the UK, cyber attacks surged by 50 percent in 2025 according to the UK National Cyber Security Centre, with high-profile incidents highlighting systemic vulnerabilities and the real-world consequences of gaps in cyber resilience.
Given the scale of the damage a cyber attack can cause, it is unsurprising that companies and governments across the world are attempting to stem the tide and strengthen cyber security defences and resilience.
In the UK, the government has increased its efforts to address these vulnerabilities. In November 2025 it introduced the Cyber Security and Resilience Bill, a reform intended to strengthen national security, protect critical infrastructure and respond to the escalating threat of cyber attacks that are estimated to cost the UK economy £14.7bn each year. The bill will amend the existing Network and Information Systems Regulations 2018 and grant new powers to regulators and the government in relation to cyber security.
A modernised regulatory framework for a new threat landscape
The introduction of the bill is an important moment, as it reflects the UK government’s growing recognition of the link between cyber security and national and economic security. The reforms aim to align the UK more closely with evolving EU frameworks such as NIS2 and the Critical Entities Resilience Directive, while maintaining a distinct UK approach to implementation and enforcement.
Broadly speaking, the bill seeks to modernise the framework originally set out in the NIS Directive, which established a ‘horizontal’ cyber security regulatory framework covering essential services in transport, energy, drinking water, health and digital infrastructure, as well as certain digital services including online marketplaces, online search engines and cloud computing services. In its current form, the bill will significantly expand the scope of the NIS regulations to cover areas such as data centres and managed service providers, and will impose additional obligations on organisations within scope. It will also increase potential fines to a maximum of £17m or 4 percent of worldwide turnover, and extend the powers of competent authorities to share information, issue guidance and take enforcement action. In addition, it will create a framework for future amendments to the NIS regulations, establish mechanisms that allow competent authorities to impose specific cyber security requirements on covered organisations, and provide the government with greater direction over cyber security matters.
Where the bill falls short: scope, supply chains, and practical challenges
Although the bill represents an important update to existing measures and is the most significant overhaul of the UK’s cross-sector cyber security framework since 2018, it has not been met with universal approval. Some observers argue that there are issues with how the bill fits alongside related UK legislation and regulatory guidance, as well as with EU law that has extraterritorial effect. For organisations that fall within scope, it may therefore be unhelpful to consider the bill in isolation. For those that have already taken steps to comply with other cyber security laws and regulatory standards, the bill should allow them to build on existing progress.
For many commentators, the bill is too narrow in scope. It focuses heavily on critical national infrastructure and digital service providers but excludes major companies in other sectors such as retail and automotive that also experience significant cyber attacks. This omission may overlook broader economic risks. There are also concerns about supply chain exposure created by the bill in its current form. Vague criteria and size-based thresholds could shift compliance burdens and generate hidden vulnerabilities across complex supply chains, ultimately undermining the goal of enhanced resilience. Some have also argued that the bill lacks sufficient emphasis on preventing common threats such as phishing and should be better coordinated with existing regulations such as NIS2.
The bill also omits measures previously proposed by the government to ban ransomware payments by operators of critical national infrastructure and to require broader reporting of ransomware payments across the economy.
The bill remains an important step in the UK’s ongoing efforts to combat cyber crime. The government has signalled its intention to consult on implementation proposals during 2026, which means aspects of the bill could change in the months ahead.
Preparing for compliance: building resilience ahead of enforcement
Regardless of further refinements, companies operating in today’s uncertain economic and geopolitical climate will need to achieve compliance quickly and effectively once the bill enters into force. As with other pieces of legislation that create significant compliance obligations, organisations must engage proactively and use the bill as a catalyst for strengthening their cyber security posture, rather than waiting until compliance becomes unavoidable.
Although no formal timeline has been published for the passage of the bill, the government is expected to aim for enactment by the end of the current parliamentary session in spring 2026. The bill is likely to evolve as it progresses through parliament, but companies should begin preparing for a more demanding compliance environment.
© Financier Worldwide
By Richard Summerfield