Cyber Security and Resilience Bill - Policy Statement of Intent
Today (1 April), the Department for Science, Innovation and Technology (DSIT) published the Policy Statement of Intent for the Cyber Security and Resilience Bill.
The Statement outlines legislative proposals informed by insights from international partners, lessons from the EU’s NIS2 Directive, and consultations carried out by the previous government in 2022 and 2023. The Bill aligns with the government’s Plan for Change and its core mission: economic growth.
The Statement introduces three overarching measures, each covering the summary of intent, implementation details and impact.
-
Bring more entities into scope of the regulatory framework.
Include Managed Service Providers (MSPs)
The Bill will extend regulations to MSPs, defined as service providers offering ongoing IT management, monitoring, and infrastructure support that involve network access to clients’ systems. This aims to enhance IT security, covering an additional 900-1,100 MSPs. DSIT expect this will come with associated costs due to security improvements and compliance.
Strengthening supply chain security & designate ‘Critical Suppliers’
The government will set stricter supply chain security duties for essential service operators and relevant digital service providers through secondary legislation, subject to consultation. Regulators can designate high-impact suppliers as ‘Critical Suppliers’, imposing security and reporting obligations. Certain SME relevant digital service providers (RDSPs) may fall under this category if they meet the designation criteria.
-
Empowering regulators and enhancing oversight
Technical & methodological security requirements
The Bill will formalise the National Cyber Security Centre’s (NCSC) Cyber Assessment Framework (CAF) Basic and Enhanced Profiles, to ensure best practice. It will also grant the Secretary of State the powers to:
- Update regulation following consultation
- Issue a Code of Practice for compliance
- Tailor requirements to different sectors
Improving Incident Reporting
The Bill will revise incident reporting requirements to include significant threats to service integrity, such as data breaches and spyware attacks. A two-stage reporting structure will be introduced:
- Initial Notification: Within 24 hours of discovery, entities must notify their regulator and NCSC.
- Incident Report: A full report must be submitted within 72 hours.
Digital service providers and Data Centres will be expected to alert affected customers.
Improve the ICO’s information gathering powers
The Bill will empower the Information Commissioner’s Office (ICO) to:
- Collect additional data to assess cyber risks in digital services
- Require digital services firms to share registration information
- Expand the criteria for information sharing with the ICO
- Enforce registration compliance.
Improve regulators’ cost recovery mechanisms
The Bill will allow regulators to introduce new fee structures, enabling cost recovery through:
- Information requests from regulated entities proportionate to the sector.
- A duty on regulators to publish a Statement of Charing Principles – this sets out the methodology for raising funds.
- Consultations with firms that provide digital services before setting fees and a duty to publish an end-of-cycle statement.
- A legal obligation for entities to pay fees.
-
An adaptive regulatory landscape
Delegated powers for regulatory flexibility
The Secretary of State will have powers to update the regulatory framework without new Acts of Parliament, subject to safeguards. This allows adjustments, such as adding new sectors under regulation or refining existing rules, following consultations.
Additional measures under consideration
-
Bringing data centres into scope of the regulation
The government will bring data centres into scope of the regulation, as they will be considered an essential service after they were designated as CNI in September 2024. The Bill states UK data centres would be in scope at or above 1MW capacity unless it is an enterprise data centre which will only be in scope if they are at or above 10MW capacity.
They will be expected to notify and provide certain information, have in place appropriate and proportionate measures to manage risk and report significant incidents.
If you have questions about this measure, please get in touch with Luisa Cardani (Luisa.Cardani.techuk.org).
-
Publish a statement of strategic priorities for regulators
DSIT are considering a new measure to provide a framework for cyber security regulation across the 12 regulators and their sectors. The Secretary of State would publish a Statement of Strategic priorities in consultation with sectors and regulators. The Statement would be laid before Parliament and would be updated every 3 to 5 years.
-
Powers of direction
A new power would allow the Secretary of State to direct regulated entities to address cyber threats where there is a perceived risk to national security. The direction would be laid before Parliament, unless doing so would create a national security risk. When considering this measure DSIT will review the precedents set by the Telecommunications (Security) Act 2021.
What’s Next?
This Policy Statement provides insight into the government’s approach, but final measures will be confirmed when the Bill is presented to Parliament. There are still a number of clarifications expected, particuarly around the definitions on terms like 'critical dependencies' and measures around incident reporting. The timeline for publication is still to be confirmed.
techUK looks forward to engaging with government in the coming weeks to confirm some of the detail around thse points.
If you have any questions on the Cyber Security and Resilience Bill, please get in touch with techUK’s Cyber Resilience Team.
techUK will be holding a session with DSIT on Wednesday 23 April, 10am to 11:30am. Members will have the opportunity to hear more details about the measures and ask questions to the Bill team. Click here to sign-up.
Register for techUK’s Cyber Security & Resilience Bill mailing list. Please click here to join and stay up to date with the Bill’s progress.
Policy Statement of Intent
Press Release
Cyber Resilience Programme activities
techUK brings together key players across the cyber security sector to promote leading-edge UK capabilities, build networks and grow the sector. techUK members have the opportunity to network, share ideas and collaborate, enabling the industry as a whole to address common challenges and opportunities together. Visit the programme page here.
Upcoming events
Latest news and insights
President's Awards 2025 - Nominations Open!
Do you have a trailblazer in your team?
Do you work with an innovator or a problem solver?
Do you have an inspirational colleague who deserves the spotlight for their work? The President’s Awards are back for 2025 and open for nominations. All techUK members are encouraged to nominate one colleague.
Learn more and nominate
Learn more and get involved
Cyber Resilience updates
Sign-up to get the latest updates and opportunities from our Cyber Resilience programme.
Meet the team
Jill Broom
Head of Cyber Resilience, techUK
Jill leads the techUK Cyber Security programme, having originally joined techUK in October 2020 as a Programme Manager for the Cyber and Central Government programmes. She is responsible for managing techUK's work across the cyber security ecosystem, bringing industry together with key stakeholders across the public and private sectors. Jill also provides the industry secretariat for the Cyber Growth Partnership, the industry and government conduit for supporting the growth of the sector. A key focus of her work is to strengthen the public–private partnership across cyber to support further development of UK cyber security and resilience policy.
Before joining techUK, Jill worked as a Senior Caseworker for an MP, advocating for local communities, businesses and individuals, so she is particularly committed to techUK’s vision of harnessing the power of technology to improve people’s lives. Jill is also an experienced editorial professional and has delivered copyediting and writing services for public-body and SME clients as well as publishers.
- Email:
- [email protected]
- Website:
- www.techuk.org/
- LinkedIn:
- https://www.linkedin.com/in/jill-broom-19aa824
Read lessmore
Annie Collings
Programme Manager, Cyber Resilience, techUK
Annie is the Programme Manager for Cyber Resilience at techUK. She first joined as the Programme Manager for Cyber Security and Central Government in September 2023.
In her role, Annie supports the Cyber Security SME Forum, engaging regularly with key government and industry stakeholders to advance the growth and development of SMEs in the cyber sector. Annie also coordinates events, engages with policy makers and represents techUK at a number of cyber security events.
Before joining techUK, Annie was an Account Manager at a specialist healthcare agency, where she provided public affairs support to a wide range of medical technology clients. She also gained experience as an intern in both an MP’s constituency office and with the Association of Independent Professionals and the Self-Employed. Annie holds a degree in International Relations from Nottingham Trent University.
- Email:
- [email protected]
- Twitter:
- anniecollings24
- LinkedIn:
- https://www.linkedin.com/in/annie-collings-270150158/
Read lessmore
Tracy Modha
Team Assistant - Markets, techUK
Tracy supports several areas at techUK, including Cyber Exchange, Cyber Security, Defence, Health and Social Care, Local Public Services, Nations and Regions and National Security.
