The UK government has introduced new legislation to harden national cyber defenses across critical infrastructure, imposing turnover-based penalties and granting ministers emergency powers to intervene during major cyber incidents.
The Cyber Security and Resilience Bill, unveiled Tuesday, would require organizations in healthcare, energy, water, transport, and digital services to meet mandatory security standards and report significant cyber incidents within 24 hours.
Companies that fail to comply could face daily fines of up to $132,000 (£100,000) or penalties tied to annual turnover, the Department for Science, Innovation and Technology (DSIT) said in a statement.
The bill, expected to receive Royal Assent in 2026, updates the UK’s Network and Information Systems Regulations (NIS) 2018, expanding coverage to include managed service providers (MSPs), data centers, and key suppliers for the first time. It supports the government’s Plan for Change strategy aimed at strengthening national resilience while driving economic growth, the statement added.
Turnover-linked penalties and a behavioural shift
The bill marks a turning point in how the UK enforces cybersecurity compliance. “The penalties change behaviour in a way flat fines never could,” said Sanchit Vir Gogia, chief analyst and CEO at Greyhound Research. “For large operators, every breach now carries a cost proportionate to their market reach. That link between impact and liability forces investment before the incident, not after it.”
The legislation introduces significantly tougher enforcement powers than those found in the EU’s NIS2 Directive or GDPR, said Madelein van der Hout, senior analyst at Forrester. “The bill sets a precedent for stricter cybersecurity enforcement by combining turnover-based penalties with emergency government powers.”
The proposal followed a series of damaging cyber incidents that exposed vulnerabilities in UK infrastructure. In 2024, hackers compromised a Ministry of Defence payroll system via a contractor, exposing data of 270,000 armed services members. The Synnovis ransomware attack on an NHS pathology provider disrupted more than 11,000 medical appointments, costing roughly $43 million (£32.7 million). The British Library breach in late 2023 caused losses of up to $9 million (£7 million), and recent attacks on Marks & Spencer and Jaguar Land Rover have renewed pressure on policymakers to act.
An independent study cited by DSIT estimated that cyberattacks cost the UK economy about $19.4 billion (£14.7 billion) each year, or about 0.5% of GDP.
MSPs and data centers under scrutiny
For the first time, medium and large managed service providers (MSPs) would fall within the scope of cybersecurity regulation. They must report significant incidents promptly to both government and customers, maintain detailed response plans, and demonstrate readiness to handle cascading impacts, the statement added.
Hout said the new framework will “reshape the MSP sector,” creating stronger detection and faster response cycles. “For enterprise clients, it promises earlier alerts and greater assurance that their providers adhere to minimum security standards.”
The bill’s 24-hour reporting mandate will pressure MSPs and digital service providers to upgrade operations. “Many organisations will find their processes too slow and fragmented to meet that clock,” Gogia warned. Shivraj Borade, senior analyst at Everest Group, added that the rule will prompt MSPs to “invest in SOC maturity, rapid triage, and legal alignment,” which will fundamentally alter pricing and client relationships.
The legislation also shifts accountability between enterprises and their service partners. “For the first time, we place more responsibility with the MSSP where it normally lies with the enterprise,” said Hout. “It raises expectations for both parties: MSSPs will carry greater legal accountability, and enterprises must perform tighter due diligence.”
According to the bill, data centers will also come under direct regulatory oversight for the first time, joining a broader group of operators responsible for managing power flow to smart devices and electric vehicle chargers. Organizations in scope must notify regulators and the National Cyber Security Centre (NCSC) within 24 hours of a significant cyber incident and submit a full report within 72 hours.
Emergency powers and expanded oversight
Under the bill, the technology secretary would gain authority to direct regulators and organizations, including NHS trusts and utilities, to take “specific, proportionate steps” to prevent or mitigate cyberattacks where national security is threatened. These interventions could include enhanced monitoring or temporary network isolation.
“The emergency powers recognize that cyber incidents evolve faster than committees can respond,” Gogia said. “Allowing the government to instruct critical sectors during live threats makes the system capable of acting in minutes, not weeks.”
Regulators would also be empowered to designate critical suppliers, such as diagnostics providers or chemical manufacturers, to ensure they meet baseline cybersecurity standards.