Cyber Security and Resilience Bill

The key facts from the King's Speech are: == Consequences ==

It will introduce compulsory ransomware reporting so that the authorities can better understand the threat and "alert us to potential attacks by expanding the type and nature of incidents that regulated entities must report." While this information collection is likely to increase resilience to attacks, the administrative burden for businesses from this reporting might well bring with it additional costs as well as the original cyber incident's expense. EU NIS 2 introduces wide-reaching changes to the existing EU cyber security laws for network and information systems. The Bill as yet has no information on any punishments for non-compliance or what the data regulators' demands from an organisation that has experienced a cyber security incident will be. It was announced in April 2025 by Peter Kyle, UK Secretary of State for Department for Science, Innovation and Technology, that there would be £100,000 a day fines for failing to act against relevant threats. == Reaction ==

Jon Ellison, NCSC Director of National Resilience, said that the proposed bill was "a landmark moment tackling the growing threat to the UK's critical systems". He continued that it will be "a crucial step towards a more comprehensive regulatory regime, fit for our volatile world". A representative of the CyberUp Campaign Matt Hull said that the organisation is looking forward to the Government updating UK cyber resilience and in particular the Computer Misuse Act 1990. Any updates to this Act would help cyber professionals protect the U.K., safeguard the digital economy and unlock the potential growth within the cybersecurity industry. == Cyber security and resilience policy statement ==

In April 2025, the CS&R Policy Statement was published, which outlines the confirmed and proposed measures to be included in the bill. Quoting: "The digital revolution is transforming our Critical National Infrastructure (CNI) and our essential public services. It offers an extraordinary opportunity – to make our people and our country better off. However, it may also bring new and dangerous vulnerabilities... In this Policy Statement, I set out legislative proposals for this Bill. I also acknowledge that the cyber landscape moves exponentially – a lot can happen in a short space of time. This statement proposes several additional measures to tackle the threats that we are facing now." The statement details plans to expand the regulatory framework to cover more entities, empower regulators and improve oversight. This includes enhancing incident reporting, augmenting the ICO's information-gathering capabilities and improving regulators’ cost recovery mechanisms. The bill also addresses the need for an adaptable regulatory framework to keep pace with the ever-evolving cyber landscape. These measures will increase data protection and network security and are likely to include data center operators and managed service providers . The proposals also include giving regulators more tools to enhance security standards, mandating detailed incident reporting and granting the government powers to update regulatory frameworks as threats and technology evolve. The Cyber Essentials Plus test specification will be updated with new verification pointers, verification of segregation by sub-set and verification of sampling. The statement also outlines the steps organizations will need to take to achieve Cyber Essentials certification in 2025 and onwards. These include changes to IT infrastructure requirements, such as the introduction of passwordless authentication. == Schedule ==

• 17 July 2024 - Bill announced. • 12 November 2025 - First reading: The Bill was introduced to Parliament. • 6 January 2026 - Second reading. • 22 January 2026 - NISR Keeling Schedule showing changes proposed by the CS&R bill. • 24 February 2026 - Compilation of the 7 committee stages up until 24 February 2026 published (current). == See also ==