The government has introduced new legislation aimed at strengthening protections for Britain’s hospitals, energy and water supplies, transport networks and other services against an increasing threat of cyber‑attack.
The move comes as the security of critical national infrastructure (CNI) against malicious actors, and the risks introduced by novel technologies, rise up the agenda. NCE has heard from defence and tech experts that the threat of cyber attacks is “evolving” and that the introduction of artificial intelligence (AI) into CNI presents a range of new vulnerabilities.
Ministers have also pointed to a rise in high‑profile incidents to justify the legislation. In 2024, attackers reportedly accessed the Ministry of Defence payroll system via a managed service provider, and a cyber‑attack on Synnovis, a pathology supplier to the NHS, disrupted more than 11,000 appointments and procedures and has been linked to estimates of tens of millions of pounds in costs.
Independent research cited by the government estimates the average cost of a significant cyber‑attack in the UK is now more than £190,000, amounting to about £14.7bn annually, roughly 0.5% of GDP. The Office for Budget Responsibility has warned a large attack on CNI could temporarily raise public borrowing by over £30bn, or about 1.1% of GDP.
The Cyber Security and Resilience Bill, laid in Parliament this week, would extend legal duties and enforcement powers across a wider range of digital and essential services, bringing some previously unregulated suppliers, notably managed service providers and data centres, into scope for the first time.
Under the proposals, medium and large companies that provide IT management, helpdesk support and cyber‑security services to public bodies and critical infrastructure would have to meet statutory security duties. They would be required to report significant or potentially significant incidents promptly to government and to affected customers and to maintain plans to deal with the consequences of attacks.
Regulators would be given new powers to designate “critical suppliers” to sectors such as healthcare or water, meaning firms that supply diagnostic services to the NHS or chemicals to water utilities could be required to meet minimum security standards. The government says this will tackle supply‑chain vulnerabilities that criminals could exploit to cause wider disruption.
The Bill would also bring data centres under regulation; the government argues they are central to running patient records, payments, email and AI development. Providers that manage the flow of electricity to smart devices, such as EV chargers and electric heating, would also face new safeguards to reduce the risk of disruption to consumers and the grid.
Enforcement measures are being modernised: the Bill proposes turnover‑based penalties for serious breaches, a move intended to ensure fines are proportionate to company size and to deter firms from treating compliance as an avoidable cost.
The technology secretary, currently Liz Kendall, would gain new powers to instruct regulators, and the organisations they oversee, including bodies such as NHS trusts and major utilities, to take proportionate steps to protect services when there is a threat to national security. That could include tightening monitoring or isolating high‑risk systems.
Organisations in scope would face tightened reporting deadlines: the government wants notifications of the most harmful incidents to be sent to regulators and the National Cyber Security Centre (NCSC) within 24 hours, with a fuller report due within 72 hours. Firms such as data centres and managed service providers would also be required to notify customers likely to be affected so they can take mitigating action.
Cyber‑security experts have in recent years urged clearer regulation of managed service providers and supply chains after attacks that used these routes to reach government and corporate networks. The Bill follows earlier government guidance, such as the Cyber Governance Code of Practice, and a recent cross‑department letter to business leaders urging firms to bolster their defences.
Industry groups will be watching the detail closely. Turnover‑based penalties and new designation powers could impose significant compliance costs on firms already facing complex regulatory regimes, while the deadline for 24‑hour incident reporting will test the ability of organisations to triage and verify incidents quickly.
The Bill now begins its passage through Parliament, where it will be subject to scrutiny and potential amendment. If adopted, ministers say it will raise the baseline of cyber resilience across services that households and businesses rely upon and help protect public services and the wider economy from disruptive attacks. The government has pointed industry towards existing NCSC tools such as Cyber Essentials and the Cyber Assessment Framework to help organisations prepare.
‘A crucial step in protecting our most critical services’
Science, innovation and technology secretary Liz Kendall said: “Cyber security is national security. This legislation will enable us to confront those who would disrupt our way of life. I’m sending them a clear message: the UK is no easy target.
“We all know the disruption daily cyber-attacks cause. Our new laws will make the UK more secure against those threats. It will mean fewer cancelled NHS appointments, less disruption to local services and businesses, and a faster national response when threats emerge.”
National Cyber Security Centre CEO Richard Horne said: “The real-world impacts of cyber attacks have never been more evident than in recent months, and at the NCSC we continue to work round the clock to empower organisations in the face of rising threats.
“As a nation, we must act at pace to improve our digital defences and resilience, and the Cyber Security and Resilience Bill represents a crucial step in better protecting our most critical services.”
Department of Health & Social Care national chief information security officer for health and care Phil Huggins said:
“The Bill represents a huge opportunity to strengthen cyber security and resilience to protect the safety of the people we care for.
“The reforms will make fundamental updates to our approach to addressing the greatest risks and harms, such as new powers to designate critical suppliers.
“Working with the healthcare sector, we can drive a step change in cyber maturity and help keep services available, protect data and maintain trust in our systems in the face of an evolving threat landscape.”
UK Civil Aviation Authority head of cyber security oversight Simon Sheeran said: “The aviation sector contributes billions of pounds to the UK economy and provides critical national infrastructure.
“This Bill will help improve cyber defences essential for maintaining the already very high safety standards in aviation.
“The Civil Aviation Authority protect people and enable aerospace within a global eco-system, and the need for aviation to defend as one is a national imperative.”
Darktrace CEO Jill Popelka said: “In an era where cybercriminals move faster, experiment freely, and increasingly leverage AI to their advantage, the Cyber Security and Resilience Bill is an essential piece of legislation. It will improve the UK’s defences, enabling businesses and public services to securely harness the opportunities provided by technology and innovation.
“We’ve seen cyber attackers increasingly target supply chains and managed service providers in recent years, including vital institutions like the NHS and the Ministry of Defence. It’s promising to see the Bill recognise the risk across the digital ecosystem. It’s also good to see the government’s focus on future-proofing the regulatory environment for cyber security and creating a stronger role for NCSC’s Cyber Assessment Framework. These changes will help give organisations more confidence to adopt new technologies while staying prepared for the next evolution in threats.”
techUK CEO Julian David said: “techUK welcomes today’s introduction of the Cyber Security and Resilience Bill to Parliament which signals the government’s ambition to modernise and future-proof the UK’s cyber laws while fostering the resilience that will underpin our economic growth. It marks a significant step forward in prioritising the security of our nation’s essential services.
“techUK looks forward to continuing to engage with the government as the Bill makes its way through Parliament, to help ensure that the measures are fit for purpose, practically implementable and can deliver their intended outcomes, protecting the UK from a diverse range of threats and enabling organisations to harness the benefits that technology can offer.”
Cisco UK and Ireland chief executive Sarah Walker said: “We welcome the government taking action to overhaul the UK’s cyber framework with the Cyber Security and Resilience Bill. This is a significant step in securing the UK against ever-increasing cyber threats. Our latest research shows the scale of the challenge ahead; only 8% of UK organisations are classed as ‘Mature’ in their cybersecurity readiness. As AI reshapes both attack and defence, we need regulation that keeps pace with this changing threat landscape. We are looking forward to collaborating with the UK government and working with our international partners to continue securing the UK’s digital economy.”
Royal United Services Institute senior research fellow, cyber and tech Jamie MacColl said: “The events of 2025 have proven beyond doubt that improving national cyber security and resilience is essential for the UK’s economic security. The arrival of new legislation to better protect our most critical national infrastructure is an important step in improving cyber resilience in the UK. However, it is also important that organisations outside of the scope of the Bill up their game on cyber security and resilience. We urgently need to build collective resilience to inspire confidence in the face of threats from hostile states and criminals.”
