What the Cyber Security and Resilience Bill tells us about collaboration

Amanda Finch, CEO

In 2025, the UK’s Cyber Security and Resilience Bill was finally introduced to Parliament, with its first reading on the 12th November. It represents a much-needed upgrade to 2018’s Network and Information Systems (NIS) Regulations, and is aimed at bolstering national security and protecting the economy.

With the new Bill comes a raft of new proposals, many pertaining to public sector supply chains and critical national infrastructure. For the first time, regulators will oversee managed service providers (MSPs) and have powers to define what constitutes a critical supplier and enforce minimum security standards.

The Bill also expands scope to include certain data centres as essential services for the first time and gives regulators authority to designate high-impact suppliers. This includes designating smaller providers and SMEs as “critical” if their failure could significantly disrupt essential or digital services. Regulators can enforce fines of up to 4% of revenue or £17 million (whichever is higher) for failing to report attacks within 24 hours or to prepare for breaches adequately, and they also have new powers to set standards as the regulation evolves.

With a tumultuous 2025 now behind us, the timing of the Bill couldn’t be better. Attacks on organisations like Jaguar Land Rover (JLR) show how fragile the UK economy is against cyberattacks. If one link in the supply chain goes down, the entire ecosystem and economy suffer. The JLR attack alone is forecast to cost the UK’s economy more than £2 billion, and government ministers estimate cyberattacks cost the country almost £15 billion per year.

For many in the cyber security profession, the Cyber Security and Resilience Bill will feel like another regulation to comply with in an already crowded space. In the last 18 months alone, we’ve seen multiple major regulations either proposed, enforced or updated. These include the EU Data Act, sector-specific rules such as PCI DSS, Basel III/IV and DORA, and the UK’s Data (Use and Access) Act, to name but a few.

But if attacks like JLR show us anything, it’s that collaboration and unity are more important than ever. CIISec LIVE was a perfect chance to reflect on this sentiment. The theme of the event was “Reinforcing trust through collaboration”, and the Bill was referenced heavily throughout. Delegates emphasised that compliance alone isn’t enough to build resilience. Sustained investment in skills, strong governance, and cross-sector collaboration are all essential, and organisations without well-developed competence frameworks will find compliance even more challenging.

One talk in particular highlighted the issues JLR and the wider supply chain have faced. Delegates from the shipping, aviation, rail and transport industries explored how to protect our vital transport networks from attack. The focus was on both the individual planes, trains and automobiles and the ecosystems surrounding them. There was a recognition that whilst there might be one target of an attack, entire supply chains and even economies feel the impact, whether that’s the motor industry or an airport.

Regardless of whether attacks are targeting retailers, manufacturers, travel, shipping, or any other industry, it’s clear that in isolation, companies and the cyber security profession are weaker. Regulations like the Cyber Security and Resilience Bill might feel painful in the short term but will help to strengthen resilience and bring the profession closer in the long term. With further consultation planned in 2026, ongoing industry engagement will be crucial to ensuring the Bill evolves as needed.
