“My Ministers will also introduce legislation to improve the
country's defences against cyber-security threats”
- The first duty of a government is to protect its citizens.
The UK's digital economy is increasingly being attacked by cyber
criminals and state actors, affecting essential services and
infrastructure. The Cyber Security and Resilience Bill will
increase the UK's defences against cyber attacks and better
protect the services that people rely on every day.
- The Bill will deliver a fundamental step change in the UK's
national security – making essential digital services more secure
in the face of cyber criminals and state actors who want to
disrupt our way of life - ensuring the economy is better
protected. This will make the UK a safer place to live, work and
do business.
What does the Bill do?
- The Cyber Security and Resilience Bill will strengthen the
UK's defences to protect essential UK services from cyber
attacks, by making crucial updates to existing legislation.
Expand the remit of existing regulations to better protect more
of the core services people and businesses rely on
- Many managed IT companies will be regulated under the Bill.
These organisations deliver key services such as IT helpdesks
and cyber security to private and public sector organisations
like the NHS. They will need to meet new security duties as
they hold trusted access across government, critical national
infrastructure and business networks.
- Data centres will be brought into scope as they are
critical to keeping the UK running, underpinning essential and
digital services from patient records and online payments to
email services and AI development.
- Operators that manage the flow of electricity to smart
appliances, like electric vehicle charge points and electrical
heating appliances in homes, will also have to meet new
security requirements. This will reduce the risk of disruption
to consumers using smart-energy appliances, and the electricity
network, bolstering the UK's energy security.
- Regulators will be given new powers to designate critical suppliers to the
UK's essential services such as those providing healthcare
diagnostics to the NHS or chemicals to a water firm, where they
meet the criteria. This will assist in closing gaps in supply
chains that criminals could exploit to cause wider disruption.
Ensuring cyber regulators are more effective and consistent to
protect essential services
- Organisations in scope will need to report a greater range
of harmful cyber incidents to their regulator and the National
Cyber Security Centre (NCSC) within 24 hours, with a full
report within 72 hours, to ensure support can be on hand more
quickly to help build a stronger national picture of cyber
threats.
- If a data centre or digital and managed service provider
faces a significant or potentially significant cyber incident,
they will have to take reasonable steps to identify and notify
promptly the customers who are likely to have been impacted, so
organisations can act fast to protect their business, people
and services.
- Enforcement will be modernised, including tougher
turnover-based penalties for serious breaches, so cutting
corners is no longer cheaper than doing the right thing.
Companies providing essential services to the public and
businesses should ensure they have tough protections in place
to keep their systems up and running.
Ensure the UK is resilient to new threats
- Ministers will be given new powers to instruct regulators and
the organisations they oversee, like NHS trusts and Thames Water,
to take specific, proportionate steps to prevent cyber attacks
where there is a threat to UK national security. This includes
requiring that they bolster their monitoring or isolate high-risk
systems to protect and secure essential services.
- The Government will be more agile and responsive to evolving
cyber threats with powers to make changes to the regime in
secondary legislation, such as bringing more services into scope,
or updating security requirements.
Territorial extent and application
- The Bill will extend and apply to the whole of the UK.
Key facts
- The cyber security sector makes an important economic
contribution. In 2024, the cyber security sector
contributed £13.2 billion in revenue to the economy. The
sector now employs 67,300 people and created 6,600 new jobs
from 2024-25.
- The UK is subject to daily cyber attacks, as cyber criminals and state-linked
actors blackmail businesses, steal data, and threaten our way
of life. According to a report by IBM, the UK is the most
targeted country for cyber attacks in Europe. This threat is
now evolving: a new generation of AI models are becoming
increasingly capable of cyber offence, finding and exploiting
weaknesses in software at speed and scale. In April 2026, AI
firm Anthropic announced a new model called Mythos, which
testing by DSIT's AI Security Institute found to be
substantially more capable at cyber offence than any model
previously assessed.
- A cyber attack on critical national infrastructure could be
hugely costly to the economy. According to a 2025 report by KPMG,
a systemic cyber incident to the rail network causing one
week of disruption could result in an estimated cost of £1.8
billion.
- The National Cyber Security Centre, part of GCHQ, is
world-leading in defending the UK online. It
provides free, practical advice, training and guidance at
ncsc.gov.uk, for organisations of every size, as well as an
Early Warning Service which can inform organisations of
potential cyber attacks and give them time to act. The UK has
also established the AI Security Institute which provides the
Government with a world-leading capability for understanding
AI cyber capabilities.
- The Chief Executive Officer of the National Cyber
Security Centre, Dr Richard Horne, said: “The real-world impacts
of cyber attacks have never been more evident than in recent
months, and at the NCSC we continue to work round the clock to
empower organisations in the face of rising threats. As a
nation, we must act at pace to improve our digital defences and
resilience, and the Cyber Security and Resilience Bill
represents a crucial step in better protecting our most critical
services.”