Information Commissioner’s Response to the Cyber Security and Resilience Bill
23 December 2025
About the Information Commissioner’s Office
The Information Commissioner’s Office (ICO) is the designated competent authority with responsibility for regulating relevant digital service providers (RDSPs) defined as cloud computing services, online marketplaces and search engines under the Network and Information Systems Regulations 2018 (NIS).
The Information Commissioner also has responsibility for promoting and enforcing the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA), the Freedom of Information Act 2000 (FOIA), the Environmental Information Regulations 2004 (EIR) and the Privacy and Electronic Communications Regulations 2003 (PECR).
Introduction
On 12 November 2025, the Secretary of State for the Department for Science, Innovation and Technology introduced the Cyber Security and Resilience (Network and Information Systems) Bill (the Bill) to Parliament. It is an important milestone in the evolution of the UK’s cyber security regulation.
Government and Parliament are responsible for developing policy and for making changes to the legislative framework. The ICO is independent from the government. Our role is to carry out the duties set out in the current, and any future, legislative framework. I welcome the Bill and its aim to strengthen the UK’s cyber defences and build the resilience of essential services, infrastructure and digital services.
The Bill is the result of public consultation and a call for views. This includes robust and constructive engagement between my office, the government and other competent authorities through the development of the cyber security and resilience reforms. We will continue to provide constructive input and feedback as appropriate during the parliamentary scrutiny and approval process.
The ICO’s current role in regulating digital service providers closely aligns with our role as the UK regulator of data protection. Both sets of regulation help people trust that their data is secure and that key digital services remain available. Digital service providers (cloud computing services, online marketplaces and online search engines) underpin functions that are essential to societal and economic activity within the UK, including businesses and critical national infrastructure. With the ever-increasing complexity of digital supply chains, it is more important than ever that suppliers can meet an appropriate level of cyber security and resilience.
Key business functions in the UK increasingly rely on managed service providers for support, infrastructure management, cyber security and networking. Managed service providers are similar to digital service providers: they help our digital world to function, and to do so they hold privileged access to their clients’ IT services, networks and data. Expanding our remit to regulate relevant managed service providers (RMSPs), as set out in the Bill, is a natural progression and should better protect a broader range of services from cyber-attacks.
We are seeing more significant cyber incidents caused by digital service interdependencies. An attack on one point in a supply chain can cause widespread disruption to the continuity of digital services and the essential services which rely on them. These interdependencies are necessary to keep complex systems running. We support the government’s plan to expand our regulatory powers so we can better oversee digital and managed service providers in their duties to identify and take appropriate and proportionate measures to manage the risks posed to the security and operation of network and information systems.
However, regulating these complex and interdependent supply chains will remain a challenge, even with our new powers. Government will need to continue to work collaboratively with regulators to better understand the increasing threats to UK cyber resilience. No regulator can tackle this task alone.
The current regulations have not kept pace with the challenges of emerging cyber threats. The Bill will allow for the creation of secondary legislation to future-proof the regulations. While it is important for the regulatory framework to retain the flexibility to keep up with the ever-changing cyber landscape, there remains uncertainty over how key elements of the framework will function. We welcome the government’s commitment to consult on these elements of the framework, as set out in the factsheets accompanying the Bill. This consultation needs to clearly articulate the requirements set out in secondary legislation, as well as the intended outcomes.
Expanded role of the ICO
The changes in the Bill and the updates to the NIS regulations reflect the fact that the cyber threat landscape is constantly evolving. The way that we regulate must evolve to keep pace. The proposed changes helpfully strengthen the existing legislation by expanding the range of organisations that will be in scope (such as RMSPs and critical suppliers), enhancing the powers of regulators and developing a better view of resilience risks through improved incident reporting.
I am pleased that the holistic approach taken in the Bill will further support our role to protect people and businesses from cyber-attacks and outages. This approach will also shore up the delivery of critical services by allowing for the regulation of the supply chain and a better understanding of risk. We are keen to play our part in strengthening our national security defences against cyber-attacks and supporting the government to respond to the evolving threat landscape.
The government has set out its intent to support our move away from our current reactive approach to a proactive, risk-based oversight approach. The government has committed to enhance our capability, through the new measures, to enable us to proactively assess and regulate high-risk RDSPs and RMSPs, strengthening the digital services sector against future threats.
I am pleased to see the following provisions included in the Bill to support the change in approach:
An expanded ability for us to serve information notices on regulated entities and any other person likely to hold relevant information.
Expanded information gateways to ensure NIS regulators can share and receive information with and from UK public authorities and government departments to facilitate the exercise of NIS functions, subject to safeguards.
The introduction of powers to take enforcement action against a failure to register or to keep registration details up to date.
The expansion of the information sharing powers should support our and other NIS competent authorities' efforts to reduce the regulatory burden on those organisations that might otherwise receive multiple requests for information. This should enable more streamlined approaches.
Critical to our ability to deliver the ambitions in this legislation is the expanded cost recovery power. The new costs framework will ensure that there is a flexible, long-term approach to resourcing the competent authorities. I am reassured that the government has recognised the need to appropriately fund this complex work in a way that can be explained to industry. It is important that the legislation allows regulators to meet their day-to-day running costs, whilst also ensuring that costs can be recovered specifically for activities such as inspections and enforcement action as necessary. I also welcome the government’s previous commitment to working with my office to ensure that appropriate resources are in place for our increased regulatory scope.
We will work closely with other NIS competent authorities to identify areas of risk across the interconnected digital services sectors and their reliant essential services. This is particularly true of the close working relationship we will need to support the identification and regulation of designated critical suppliers. We encourage the government to further increase the value of the proposed legislation by proactively supporting the information sharing between relevant UK regulators and assisting in building robust coordination mechanisms between regulators to facilitate the effective identification of risk. This could include:
- government taking an active role in risk identification;
- mechanisms to support the exchange of relevant information with government departments not part of the NIS regulations; and
- technology to support the management and sharing of information between NIS regulators.
There is significant work for my office to take forward to implement this ambitious new regulatory framework, and we will need support from the government to ensure that we have the appropriate levels of funding and guidance to make the transition. The expansion of our regulatory remit to include RMSPs and designated critical suppliers, and our move to proactive regulation, will require sufficient time for us to accurately validate the size and risk profiles of the RDSPs we currently regulate and the RMSPs we will regulate. We will also need to establish the core infrastructure, systems and resources to take forward those new duties. In addition to this work, there will be greater emphasis on regulatory coordination, co-operation and information sharing and gathering, which we will need to factor into our regulatory activities.
Secondary legislation
Overall, the Bill represents a positive and balanced package of reforms. However, as with any legislation, there are some points that would benefit from additional clarity. We are keen to understand the impact of the Secretary of State’s regulation making powers and the government’s planned secondary legislation as set out in the Bill policy statement and published factsheets, in particular:
- The factors and thresholds for determining what a “significant impact” is for incident reporting.
- Security and resilience requirements.
- Clarification of the criteria for assessing “critical suppliers” and further detail on their duties.
- The application of the new enforcement and penalty measures and determination of turnover.
- Further enhancement of our information gathering powers, including the collection of information that will support risk assessment and prioritisation activities for proactive regulatory oversight.
While we support the widened scope and enhanced duties of the Bill, the new regulations will require complex determinations on the nature of the services covered. Industry must be able to clearly and easily understand any change of scope to the NIS regulations and the underlying definitions. Regulated entities must also comply with enhanced incident reporting duties, including assessing and notifying regulators of incidents which are likely to have a significant impact in the UK, within a narrower window of 24 hours. To help industry meet the new incident reporting duties, the government must create practical primary legislation, secondary legislation and guidance. This should ensure that regulated entities know what incidents to report and within what timeframes.
We will continue to work closely with the government, competent authorities and others to provide feedback and support to develop the new requirements. I see these further clarifications as central to the effectiveness of the regulatory framework. I urge the government to continue to work closely with regulators to build requirements that support compliance without increasing regulatory burden unnecessarily and allow for pragmatic use of the resources of the competent authorities.
We note that while key elements of the regulatory framework are still subject to discussion and are dependent on the detail of secondary legislation, we will have a limited ability to provide clear guidance to support organisations to comply confidently with the legislation. We will work closely with the government and other NIS competent authorities to look for opportunities to align our approaches with the proposed secondary legislation, where appropriate, and plan for any implementation period.
We will proactively engage with the RDSPs and RMSPs on our plans to provide guidance and will welcome views on both what we can provide to support compliance and in what format.
Conclusion
The Bill represents a meaningful and necessary update to the existing NIS regulations. The Bill’s requirements should help regulated entities ensure that they are clearly and confidently meeting the required levels of cyber security and resilience. In particular, if regulators are to proactively assess risks across the supply chain and tackle systemic risks, the proposed secondary legislation still needs to clarify how the framework is to work in practice. We welcome further engagement and consultation from government on the development of both the primary and secondary legislation.
We will need support and guidance from government as we implement the requirements created by the Bill and fundamentally change our role as a NIS competent authority. We need to ensure that we have the appropriate levels of funding and guidance to make this transition. We await further detail on the commencement and timelines of the new duties, including the commencement of the supporting secondary legislation.