Cybersecurity · United Kingdom

Sectoral rules

Network and Information Systems (NIS) Regulations 2018 (SI 2018/506), enforced by the ICO (for digital service providers) and sector competent authorities; supplemented by the Telecommunications Security Act 2021 and sector-specific FCA/PRA operational resilience rules. The Cyber Security and Resilience (Network and Information Systems) Bill, introduced 12 November 2025, is progressing through Parliament and would deliver the most significant overhaul since 2018.

The UK's primary cross-sector cybersecurity obligation rests on the NIS Regulations 2018, which require operators of essential services (energy, transport, health, water, digital infrastructure) and relevant digital service providers (cloud, online marketplaces, search engines) to implement proportionate security measures and report significant incidents to competent authorities within 72 hours. Layered on top are sector-specific duties: the Telecommunications Security Act 2021 for public telecoms networks, and FCA/PRA operational resilience rules for financial services. The Cyber Security and Resilience Bill — introduced to Parliament in November 2025 and advancing through the Lords as of mid-2026 — will expand scope to managed service providers and data centres, impose a tighter two-stage incident reporting regime (24 h initial + 72 h full report), and align broadly with the EU NIS2 Directive, with Royal Assent expected in 2026 but phased implementation likely extending to 2028.

NIS Regulations 2018 (in force)

SI 2018/506, which transposed the EU NIS Directive, requires operators of essential services and relevant digital service providers to take appropriate and proportionate technical/organisational security measures and notify their competent authority without undue delay and no later than 72 hours of becoming aware of a significant incident. The ICO is the competent authority for digital service providers; sector regulators (Ofgem, DHSC, CAA, etc.) cover essential services.

Cyber Security and Resilience Bill (proposed)

Introduced to the House of Commons on 12 November 2025 and having passed Committee and Report stages by mid-2026, the Bill expands NIS scope to managed service providers, data centres, and critical suppliers; introduces mandatory two-stage incident reporting (24 h initial notification to regulator and NCSC; 72 h comprehensive report); and grants ministers a power to designate additional sectors by secondary legislation. Royal Assent is anticipated in 2026.

Telecommunications Security Act 2021

Imposes specific security duties on public electronic communications network and service providers, requiring them to take measures to identify and reduce the risk of security compromises. Ofcom is the enforcement authority; associated Regulations and a Code of Practice (developed with NCSC) specify technical security measures and mandatory reporting of security compromises.

Financial sector operational resilience rules

The FCA and PRA require in-scope financial firms to identify important business services, set impact tolerances, and test operational resilience including cyber scenarios; firms must be able to remain within tolerances by 31 March 2025. In 2026 the FCA finalised Policy Statement PS26/2, making incident and third-party reporting requirements clearer and more consistent across regulated firms.

NCSC Cyber Assessment Framework

The CAF, published by the National Cyber Security Centre, provides the technical assessment tool used by competent authorities to evaluate compliance with NIS security duties for operators of essential services. It sets out 14 principles across four objectives (managing security risk, protecting against cyber attack, detecting cyber security events, minimising impact).

Breach / incident notification (current vs. proposed)

Under current NIS Regulations, operators of essential services notify the relevant sector competent authority; digital service providers notify the ICO — both without undue delay and within 72 hours where feasible. The Cyber Security and Resilience Bill proposes a stricter two-stage duty: 24-hour initial notification to regulator and NCSC, followed by a full incident report within 72 hours, explicitly modelled to be no more onerous than EU NIS2.

Machine-assisted translation · verified 5/24/2026 · orientation, not legal advice.