The UK government has advanced the Cyber Security and Resilience (Network and Information Systems) Bill through Parliament, establishing a 2026 enforcement timeline and expanding regulatory obligations for operational technology (OT) asset owners. Introduced on November 12, 2025, the Bill broadens the scope of existing Network and Information Systems (NIS) regulations to include managed service providers (MSPs), data centres, and large load controllers. The legislation enhances enforcement powers and imposes stricter incident reporting requirements. Royal Assent is expected in late 2026, with phased implementation via secondary legislation anticipated by 2027.
Background
The Bill updates the UK's NIS Regulations (2018), broadening regulatory oversight to OT-relevant entities such as MSPs, data centres designated as Critical Network Infrastructure, and substantial energy controllers. The April 2025 policy statement outlined the inclusion of MSPs with direct network access, data centres named as critical infrastructure in September 2024, and large load controllers. Regulators will be authorized to designate "critical suppliers," holding them to requirements comparable to operators of essential services and digital service providers. The Bill empowers the Secretary of State to direct entities or regulators during national security incidents and introduces a statement of strategic priorities to standardize supervisory functions across sectors. [1] Cyber security and resilience policy statement - GOV.UK
The Information Commissioner's Office (ICO) supports the Bill's aim to increase the resilience of essential digital services and endorses enhanced information-gathering and cost-recovery powers. However, it notes that further clarification is needed, particularly in defining "significant impact" for incident reporting, criteria for "critical suppliers," and the scope of regulator authority. [2] Information Commissioner’s Response to the Cyber Security and Resilience Bill | ICO
Details
The Public Bill Committee completed a line-by-line review in early 2026, meeting on February 3 and reporting on March 5. The government intends to hold consultations on implementation before secondary legislation is introduced. Royal Assent is expected later in 2026, with phased enforcement through 2027. [3] Cyber security | UK Regulatory Outlook January 2026 | Osborne Clarke
Key measures include a two-stage incident reporting process: an initial notification, potentially within 24 hours, followed by a full incident report within 72 hours, reflecting EU NIS2 standards. OT operators and their vendors will need to justify traceability practices and accelerate incident triage and response. Regulators will gain expanded authority to conduct audits, issue improvement notices, and impose financial penalties up to £17 million or a percentage of global turnover. [4] What to Expect from the UK Cyber Security & Resilience Bill - Device Authority
Industry stakeholders advocate aligning the Bill with established standards such as ISO 27001, Cyber Essentials, the NCSC's Cyber Assessment Framework, IEC 62443, and NIST CSF 2.0 to streamline compliance and aid regulators in setting objective criteria. Concerns remain regarding inconsistent regulatory capabilities across sectors and the need for a harmonized enforcement approach. [5] Cyber Security and Resilience (Network and Information Systems) Bill (3rd February 2026)
Multinational manufacturers face cross-border compliance challenges, including harmonizing reporting obligations with EU frameworks like NIS2 and DORA and managing relationships with foreign providers, such as U.S. hyperscalers. [5] Cyber Security and Resilience (Network and Information Systems) Bill (3rd February 2026)
Outlook
OT asset owners should audit their incident response and supplier governance controls, aligning with recognized cyber resilience frameworks. Manufacturers with multinational operations must track concurrent developments in EU legislation to address overlapping reporting requirements. Regulators are expected to release implementation details via consultations and secondary legislation following Royal Assent.
