UK Introduces Sweeping Cybersecurity Bill to Counter Rising Digital Threats

Officials say the measure has been more than a year in the making and represents a core priority for the Labour government. Tech Secretary Liz Kendall said the proposal is meant to signal that the UK is not an “easy target.” The legislation arrives after a series of cyber incidents that have rattled public institutions such as the National Health Service and affected several major British companies.

New government research published Wednesday estimated that significant cyberattacks inflict about £14.7 billion in economic damage each year, roughly 0.5% of the UK’s GDP. Under the proposed framework, as many as 1,000 companies could fall under the law’s scope, and for the first time, vendors providing services to organizations like the NHS would face direct cybersecurity regulations. Penalties are planned for entities that fail to comply.

Related: Senate Bill to End Shutdown Includes Extension to Cyber-Information Sharing Protections

The National Cyber Security Centre recorded 204 “nationally significant” attacks in the 12 months leading up to August 2025, a sharp rise from the previous year. In an October assessment, the agency warned that “our collective exposure to serious impacts is growing at an alarming pace.”

Richard Horne, the NCSC’s chief executive officer, welcomed the bill as a crucial step. “The real-world impacts of cyberattacks have never been more evident than in recent months,” he said.

Recent incidents have underscored the urgency. A wave of hacks this summer struck major retailers such as Marks & Spencer Group Plc. In August, Jaguar Land Rover suffered a crippling attack that shut down vehicle production for more than a month, with an estimated economic cost of £1.9 billion. The health sector has also been hit hard: a breach of an NHS contractor in 2024 forced the cancellation of thousands of appointments and has been linked to at least one death.