Experts Comment On UK Government’s Cyber Security And Resilience Bill

Hospitals, energy suppliers and transport networks in the UK are set to have stronger cyber security rules under new legislation introduced in Parliament. The Department for Science, Innovation and Technology announced the Cyber Security and Resilience Bill today; it falls under the government’s overall Plan for Change.

The new laws will cover essential services such as healthcare, water, energy and transport. Medium and large companies providing IT support or cyber security services to organisations like the NHS will be regulated for the first time. They will have to meet strict security duties, report serious cyber incidents quickly and have detailed and specific recovery plans in place.

Regulators will also gain powers to identify and oversee critical suppliers to these essential services. For example, companies supplying medical diagnostics to hospitals or chemicals to water firms could be required to meet minimum security standards. The government said this would close weak points in supply chains that could be targeted by criminals or state-backed hackers.

How Will Enforcement Change?

The government plans to modernise enforcement by linking penalties to company turnover, so that ignoring cyber rules becomes more expensive than complying with them. Businesses that fail to meet their security duties could face substantial fines. The Technology Secretary will have the authority to instruct regulators and public bodies, such as NHS trusts or water companies, to strengthen defences when there is a threat to national security.

This could involve isolating high-risk systems or improving monitoring to protect essential services. The Office for Budget Responsibility has estimated that a major cyber attack on national infrastructure could increase government borrowing by £30 billion, or 1.1% of GDP. New research also shows that the average cost of a serious cyber attack in the UK is £190,000, adding up to £14.7 billion each year.

Why Are Stronger Rules Needed?

Recent attacks have shown how damaging cyber incidents can be. In 2024, hackers gained access to the Ministry of Defence’s payroll system through a managed service provider. Another attack, on Synnovis in the NHS, disrupted more than 11,000 medical appointments and cost around £32.7 million.

Under the new Bill, organisations will have to report harmful incidents to the National Cyber Security Centre within 24 hours and file a full report within 72 hours. Data centres, which manage patient records, payments and AI systems, will now be covered by the rules.

The measures also apply to organisations that control electricity to smart appliances in homes, such as electric vehicle chargers. This aims to protect households and the national grid from digital disruption.

The Bill supports the UK’s National Security Strategy and strengthens economic stability. The government said it will also support growth in the cyber security sector, which added £13.2 billion to the economy in the last financial year.

Industry experts have shared their reactions to the new Bill, and several leaders also commented in the official government press release. Here is what they said:

Our Experts:


  • Martin Davies, Senior Audit & Alliance Manager, Drata
  • Nick Haan, Field CTO, Claroty
  • Camellia Chan, CEO, X-PHY Inc.
  • Liz Kendall, Science, Innovation, and Technology Secretary
  • Dr Richard Horne, CEO, National Cyber Security Centre
  • Phil Huggins, National Chief Information Security Officer for Health and Care, Department of Health & Social Care
  • Simon Sheeran, Head of Cyber Security Oversight, UK Civil Aviation Authority
  • Jill Popelka, CEO, Darktrace
  • Julian David OBE, CEO, techUK
  • Sarah Walker, Chief Executive, Cisco UK and Ireland
  • Jamie MacColl, Senior Research Fellow, Cyber and Tech, Royal United Services Institute

Martin Davies, Senior Audit & Alliance Manager, Drata

“The UK government’s Cyber Security and Resilience Bill is a timely and necessary step to strengthen the country’s defences against increasingly sophisticated cyber threats. The Bill is similar in both its intent and obligations to that of the EU’s NIS 2 directive. By extending obligations across critical suppliers, the Bill acknowledges that cyber resilience depends on the entire digital supply chain, not just the organisations at the front line.

“Mandating faster incident reporting and empowering regulators to enforce stronger security standards will help close long-standing gaps in visibility and accountability. For compliance to really be effective, organisations will have to focus on building continuous trust and assurance. This means maintaining real-time awareness of systems, risks, and controls rather than relying on periodic audits.

“Building resilience in essential services like healthcare, energy, water, and transport requires a living model of trust that adapts to new threats and validates controls continuously. This is key to maintain confidence among citizens who depend on these systems every day. The new Bill sets a strong foundation and continuous assurance is what will sustain it.”

Nick Haan, Field CTO, Claroty

“Seeing the UK government prioritise the security of critical infrastructure through new legislation is an important step in the right direction. For years, operators of essential services have sought clearer direction on how to strengthen their defences, and this Bill provides much-needed guidance and accountability.

“45% of critical infrastructure organisations are concerned about their ability to reduce risk to key cyber-physical systems (CPS) amid ongoing economic uncertainty. This underlines why a national and coordinated approach is so important.”

“Securing cyber-physical systems is inherently complex with many critical entities relying on decades-old operational technology that cannot be modernised overnight. Meeting new requirements will take time and sustained investment, but it’s encouraging to see the government acknowledging these realities while driving progress.

“Critical national infrastructure is finally getting the attention it deserves. Clearer standards and oversight will help organisations navigate this uncertainty and ultimately strengthen the UK’s collective resilience.”

Camellia Chan, CEO, X-PHY Inc.

“The UK Government’s Cyber Security and Resilience Bill rightly recognises that suppliers of Critical National Infrastructure must be regulated to protect essential public services from dangerous cyber-attacks.

“With an increase in CNI organisations being targeted by data breaches, the real-world, devastating impacts of cyber incidents are becoming more visible. UK national security is at risk.

“Now that threat actors can leverage tools to rapidly exploit vulnerabilities throughout the entire technology stack from the hardware up, traditional, software-based defences are no longer enough to safeguard IT systems – let alone vital public services.

“This new mandate requires all companies that support CNI to adopt stringent, proactive cyber-defence postures. To effectively deliver on this promise, businesses must implement measures that secure hardware and software at all levels for holistic, autonomous monitoring and protection across entire IT estates.”

Liz Kendall, Science, Innovation, and Technology Secretary

“Cyber security is national security. This legislation will enable us to confront those who would disrupt our way of life. I’m sending them a clear message: the UK is no easy target.

“We all know the disruption daily cyber-attacks cause. Our new laws will make the UK more secure against those threats. It will mean fewer cancelled NHS appointments, less disruption to local services and businesses, and a faster national response when threats emerge.”

Dr Richard Horne, CEO, National Cyber Security Centre

“The real-world impacts of cyber attacks have never been more evident than in recent months, and at the NCSC we continue to work round the clock to empower organisations in the face of rising threats.

“As a nation, we must act at pace to improve our digital defences and resilience, and the Cyber Security and Resilience Bill represents a crucial step in better protecting our most critical services.

“Cyber security is a shared responsibility and a foundation for prosperity, and so we urge all organisations – no matter how big or small – to follow the advice and guidance available at ncsc.gov.uk and act with the urgency that the risk requires.”

Phil Huggins, National Chief Information Security Officer for Health and Care, Department of Health & Social Care

“The Bill represents a huge opportunity to strengthen cyber security and resilience to protect the safety of the people we care for.

“The reforms will make fundamental updates to our approach to addressing the greatest risks and harms, such as new powers to designate critical suppliers.

“Working with the healthcare sector, we can drive a step change in cyber maturity and help keep services available, protect data, and maintain trust in our systems in the face of an evolving threat landscape.”

Simon Sheeran, Head of Cyber Security Oversight, UK Civil Aviation Authority

“The aviation sector contributes billions of pounds to the UK economy and provides critical national infrastructure.

“This Bill will help improve cyber defences essential for maintaining the already very high safety standards in aviation.

“The Civil Aviation Authority protect people and enable aerospace within a global eco-system, and the need for aviation to defend as one is a national imperative.”

Jill Popelka, CEO, Darktrace

“In an era where cybercriminals move faster, experiment freely, and increasingly leverage AI to their advantage, the Cyber Security and Resilience Bill is an essential piece of legislation. It will improve the UK’s defences, enabling businesses and public services to securely harness the opportunities provided by technology and innovation.

“We’ve seen cyber attackers increasingly target supply chains and managed service providers in recent years, including vital institutions like the NHS and the Ministry of Defence. It’s promising to see the Bill recognise the risk across the digital ecosystem.

“It’s also good to see the government’s focus on future-proofing the regulatory environment for cyber security and creating a stronger role for NCSC’s Cyber Assessment Framework. These changes will help give organisations more confidence to adopt new technologies while staying prepared for the next evolution in threats.”

Julian David OBE, CEO, techUK

“techUK welcomes today’s introduction of the Cyber Security and Resilience Bill to Parliament which signals the government’s ambition to modernise and future-proof the UK’s cyber laws while fostering the resilience that will underpin our economic growth. It marks a significant step forward in prioritising the security of our nation’s essential services.

“techUK looks forward to continuing to engage with the government as the Bill makes its way through Parliament, to help ensure that the measures are fit for purpose, practically implementable and can deliver their intended outcomes, protecting the UK from a diverse range of threats and enabling organisations to harness the benefits that technology can offer.”

Sarah Walker, Chief Executive, Cisco UK and Ireland

“We welcome the government taking action to overhaul the UK’s cyber framework with the Cyber Security and Resilience Bill. This is a significant step in securing the UK against ever-increasing cyber threats. Our latest research shows the scale of the challenge ahead: only 8% of UK organisations are classed as ‘Mature’ in their cybersecurity readiness.

“As AI reshapes both attack and defence, we need regulation that keeps pace with this changing threat landscape. We are looking forward to collaborating with the UK government and working with our international partners to continue securing the UK’s digital economy.”

Jamie MacColl, Senior Research Fellow, Cyber and Tech, Royal United Services Institute

“The events of 2025 have proven beyond doubt that improving national cyber security and resilience is essential for the UK’s economic security. The arrival of new legislation to better protect our most critical national infrastructure is an important step in improving cyber resilience in the UK.

“However, it is also important that organisations outside of the scope of the Bill up their game on cyber security and resilience. We urgently need to build collective resilience to inspire confidence in the face of threats from hostile states and criminals.”