UK OT Security Bill Advances with New Incident Reporting and Supply Chain Duties

UK Cyber Security & Resilience Bill advances, adding mandatory OT incident reporting, supply chain duties, board accountability, and heavy penalties by 2026.

The UK's Cyber Security and Resilience (Network and Information Systems) Bill has advanced in Parliament, extending mandatory cyber-resilience duties to industrial operators and asset owners that run operational technology (OT). Key requirements include strengthened governance, incident reporting, resilience, and supply chain oversight, with measures due to take effect during 2026.

The Bill, first read on November 12, 2025, cleared its second reading in January 2026 and remains at committee stage. It is expected to become law in 2026, with implementation phased over the course of the year. Regulated entities (operators of essential services, digital service providers, and designated critical suppliers) will be required to notify cyber incidents to both their regulator and the National Cyber Security Centre (NCSC) within 24 hours, followed by a detailed report within 72 hours. The Bill grants the Secretary of State authority to expand sectoral scope via secondary legislation. Osborne Clarke notes that affected providers, including data centres, relevant digital service providers (RDSPs), and relevant managed service providers (RMSPs), must also notify UK customers likely to be affected once full incident reporting is complete.

Background

The Bill builds on the UK's Network and Information Systems (NIS) Regulations 2018 and brings UK regulation closer to the EU's NIS2 Directive while broadening regulatory reach. The proposed law brings entity types outside the 2018 regime into scope, including managed service providers (MSPs), data centres, and designated critical suppliers, tightens duties on existing operators of essential services such as utilities, and allows further sectors such as space and manufacturing to be added by secondary legislation. Skadden reports that standard maximum fines may reach £10 million or 2% of global turnover, with daily penalties of £100,000 for continuing non-compliance involving national security. The Bill strengthens the powers of the Secretary of State and regulators to issue binding directions, demand information, and conduct inspections. Enforcement rests with the existing competent authorities, including the Information Commissioner's Office (ICO) for digital service providers and the relevant sectoral regulators, with the NCSC acting as the national technical authority and incident-reporting recipient rather than as an enforcement body.

Details

Entities subject to the Bill face a two-stage incident reporting process: an initial notification within 24 hours of becoming aware of an incident, followed by a complete report within 72 hours, both sent to the regulator and the NCSC. Regulators may also require notification of affected customers, which adds a communications step to incident response plans. Supply chain and vendor risk management duties will expand, and regulators may designate critical suppliers who must meet comparable requirements. Board-level accountability for cyber resilience is central, with senior management or board-appointed representatives expected to oversee compliance.

Penalties for violations are substantial: potential fines reach £10 million or 2% of global annual turnover for serious breaches, with daily penalties of up to £100,000. The Secretary of State maintains authority to impose additional obligations or expand sectoral scope via secondary legislation. The Bill also promotes alignment with established frameworks such as the NCSC Cyber Assessment Framework and standards like ISO 27001.

Outlook

Stakeholders should expect detailed secondary legislation and consultations throughout 2026 to clarify compliance timelines, audit processes, and sector-specific duties. Supply chain partners and OT equipment suppliers will need to update contractual terms and service levels to meet the new cyber resilience, reporting, and governance standards. UK manufacturers that depend on global supply chains, or that also operate under the EU's NIS2, will need to manage parallel and potentially overlapping security requirements.