The UK government has announced new cyber laws designed to strengthen the UK’s defences against cyberattacks on essential services, such as the NHS, water, transport, and energy networks.
The Cyber Security and Resilience Bill, introduced to Parliament on 12 November 2025, will modernise the country’s cyber laws and close vulnerabilities across public services and critical industries.
Strengthening defence
Under the proposed new cyber laws, hospitals, power networks, and water companies will be required to meet stricter cybersecurity standards. The legislation is designed to ensure the UK can withstand rising threats from cybercriminals and hostile states, which are becoming more sophisticated and disruptive.
Medium and large companies that provide IT, cyber security, or digital support services to essential organisations will now be brought under direct regulation for the first time.
This includes managed service providers that hold trusted access to government, NHS, and critical infrastructure systems. These companies will be required to report serious cyber incidents promptly and maintain detailed response plans to limit potential disruption.
Closing supply chain gaps
The Cyber Security and Resilience Bill gives regulators new powers to identify and designate “critical suppliers” to essential public services. This could include businesses providing healthcare diagnostics to hospitals or chemicals to water firms. Designated suppliers must meet strict minimum security requirements to prevent vulnerabilities from being exploited through the supply chain.
Harsher penalties will also be introduced for serious security breaches, with fines linked to company turnover. The government aims to ensure it is no longer cheaper to ignore cyber responsibilities than to comply with them.
Faster response
Organisations affected by serious cyber incidents will need to notify their regulator and the National Cyber Security Centre (NCSC) within 24 hours, with a full report required within 72 hours.
Data centres, managed service providers, and digital infrastructure operators will also have to alert customers who may be impacted, enabling them to take rapid action to protect their systems.
The Cyber Security and Resilience Bill grants the Technology Secretary new powers to direct regulators and essential service providers, such as NHS trusts and utilities, to take specific measures in the event of a national security threat. This could include isolating high-risk systems or boosting monitoring to prevent further attacks.
Protecting the economy and public services
Cyberattacks already cost the UK economy an estimated £14.7 billion each year, equivalent to 0.5% of GDP. The government warns that a significant attack on national infrastructure could temporarily increase public borrowing by over £30 billion.
Recent incidents, including the 2024 breach of the Ministry of Defence payroll system and the Synnovis NHS attack that disrupted over 11,000 medical appointments, continue to highlight the impact of cyberattacks on crucial services.
Phil Huggins, National Chief Information Security Officer for Health and Care at the Department of Health & Social Care, said:
“The Bill represents a huge opportunity to strengthen cyber security and resilience to protect the safety of the people we care for.”
“The reforms will make fundamental updates to our approach to addressing the greatest risks and harms, such as new powers to designate critical suppliers.”
Long-term resilience
The new cyber laws are part of the government’s Plan for Change and its National Security Strategy, with the aim of creating a more secure digital economy and protecting the public from service disruption. They also support ongoing work by the NCSC to promote best practices through initiatives such as Cyber Essentials, the Cyber Assessment Framework, and Active Cyber Defence.
By targeting the sectors and suppliers that are most crucial to daily life, the Cyber Security and Resilience Bill represents a significant step forward in ensuring the UK can continue to operate safely and confidently in an increasingly digital and hostile world.











