
Five Major Changes to the Regulation of Cybersecurity in the UK Under the Cyber Security and Resilience Bill

November 21, 2025


In this piece for the Inside Global Tech Blog, authors Mark Young & Paul Maynard (Covington & Burling) take a look at the UK Government’s newly introduced Cyber Security and Resilience Bill, a major overhaul of the country’s cybersecurity regulatory framework. The Bill responds to the growing economic and operational damage caused by cyber incidents affecting major UK organizations and aims to modernize the outdated 2018 NIS Regulations. It significantly expands the scope of regulated entities (including data centers, managed service providers, and key operators in critical sectors) and introduces stronger obligations, broader incident-reporting requirements, and the potential for substantial fines of up to £17 million or 4% of global turnover.

The authors explain that the Bill also broadens what constitutes a reportable incident, requiring organizations to notify both regulators and affected customers of events that could have significant impacts, not just those causing actual disruption. It introduces mechanisms for regulators to impose targeted cybersecurity requirements and addresses supply chain vulnerabilities by allowing the designation of “critical suppliers,” who may be subject to future government direction or codes of practice. Enhanced information-sharing powers will enable closer cooperation among regulators, law enforcement, intelligence agencies, and foreign authorities.

Looking ahead, the Bill positions the UK Government to play a far more active strategic and operational role in cybersecurity regulation. It creates a framework for setting national priorities, issuing binding secondary legislation, mandating specific cybersecurity measures, and developing codes of practice to guide compliance. These expanded powers indicate a shift toward a more centralized and adaptive regulatory model designed to respond quickly to evolving threats and ensure stronger national cyber resilience…
