Hunton Andrews Kurth writes:
On November 12, 2025, the UK government introduced the draft Cyber Security and Resilience (Network and Information Systems) Bill (the “Bill”) to the UK Parliament. The Bill, which was originally announced in July 2024, proposes amendments to the Network and Information Systems (NIS) Regulations 2018 (the “NIS Regulations”), taking into consideration the European Union (“EU”) Directive on measures for a high common level of cybersecurity across the EU (the “NIS2 Directive”).
According to the UK government, the Bill is designed to mitigate the ever-increasing risk of cyber attacks targeting the UK’s essential services. Key provisions of the Bill include:
- Broader Applicability: The Bill proposes to extend the reach of the NIS Regulations to encompass more entities, including (i) medium and large data centers; (ii) managed service providers, including medium and large companies providing IT management; (iii) large load controllers managing electrical loads for smart appliances; and (iv) designated critical suppliers which supply goods or services to operators of essential services. Organizations within the scope of the Bill would be required to, amongst other things, adhere to clear security standards, promptly report significant cyber incidents, and maintain robust contingency plans.
Read more at Privacy & Information Security Law Blog.