The Government is bringing in tough new laws to strengthen the UK's defences against cyber attacks on essential public services and critical infrastructure.
The new laws being introduced in Parliament today are aimed at ensuring that hospitals, energy and water supplies and transport networks, together with other critical infrastructure providers, are better protected from the threat of cyber-attacks.
In the face of increasing cyber threats, the measures in the Cyber Security and Resilience Bill are intended to strengthen national security and protect growth by boosting cyber protections for the services that people and businesses rely on every day.
The proposed laws would cover certain digital and essential services including healthcare, transport, energy and water. Under the proposals:
Medium and large companies providing services like IT management, IT help desk support and cyber security to private and public sector organisations like the NHS, will also be regulated for the first time. Because they hold trusted access across government, critical national infrastructure and business networks, they will need to meet clear security duties. This includes reporting significant or potentially significant cyber incidents promptly to government and their customers as well as having robust plans in place to deal with the consequences
Regulators will be given new powers to designate critical suppliers to the UK’s essential services such as those providing healthcare diagnostics to the NHS or chemicals to a water firm, where they meet the criteria. This would mean they would have to meet minimum security requirements – shutting down gaps in supply chains which criminals could exploit, thereby causing wider disruption
Enforcement will be modernised, including tougher turnover-based penalties for serious breaches so cutting corners is no longer cheaper than doing the right thing.
The Technology Secretary will get new powers to instruct regulators and the organisations they oversee, like NHS trusts and Thames Water, to take specific, proportionate steps to prevent cyber attacks where there is a threat to UK national security. This includes requiring that they strengthen their monitoring or isolate high-risk systems to protect and secure essential services
OBR estimates cyber-attack on critical national infrastructure could temporarily increase borrowing by over £30 billion
According to the Department for Science, Innovation and Technology, these are areas which could pose huge negative implications for the British economy and public services if targeted. The Office for Budget Responsibility (OBR) estimates that a cyber-attack on critical national infrastructure could temporarily increase borrowing by over £30 billion – equivalent to 1.1% of GDP.
New independent research published today shows the average cost of a significant cyber-attack in the UK is now over £190,000. This amounts to around £14.7 billion a year across the economy - equivalent to 0.5% of the UK’s GDP.
National Cyber Security Centre CEO Dr Richard Horne said:
“The real-world impacts of cyber attacks have never been more evident than in recent months, and at the NCSC we continue to work round the clock to empower organisations in the face of rising threats.
“As a nation, we must act at pace to improve our digital defences and resilience, and the Cyber Security and Resilience Bill represents a crucial step in better protecting our most critical services.
“Cyber security is a shared responsibility and a foundation for prosperity, and so we urge all organisations – no matter how big or small – to follow the advice and guidance available at ncsc.gov.uk and act with the urgency that the risk requires.”
National Chief Information Security Officer for Health and Care at Department of Health & Social Care, Phil Huggins commented:
“The Bill represents a huge opportunity to strengthen cyber security and resilience to protect the safety of the people we care for.
“The reforms will make fundamental updates to our approach to addressing the greatest risks and harms, such as new powers to designate critical suppliers.”
Earlier this year, the government published the Cyber Governance Code of Practice setting out clear steps organisations should take to manage digital risks and safeguard their day-to-day operations.
The Bill targets those that will have the maximum impact on improving cyber resilience, bringing the services that retailers, hospitals, councils and others depend on into scope.
Organisations in scope will need to report more harmful cyber incidents to their regulator and the National Cyber Security Centre (NCSC) within 24 hours, with a full report within 72 hours, to ensure support can be on hand more quickly to help build a stronger national picture of cyber threats.
Bill will also bring data centres into scope of the regulations
The Bill will also bring data centres, which keep the UK running, into scope of the regulations, ensuring they meet robust cyber security standards.
If a data centre, or digital and managed service providers face a significant or potentially significant attack, they will have to notify customers which are likely to be impacted promptly so organisations can act fast to protect their business, people and services.
The Bill will help to deliver greater economic stability, protect businesses and working people from the impact of cyber attacks, and support further investment into the UK’s cyber security sector, which contributed £13.2 billion to the economy in the latest financial year.
It follows a recent letter from government ministers including the Technology Secretary, Chancellor and Business Secretary to business leaders and FTSE 350 firms, urging them to strengthen their cyber defences to face down the growing range of threats targeting the UK’s leading organisations.
Simon Sheeran, Head of Cyber Security Oversight at the UK Civil Aviation Authority said:
“The aviation sector contributes billions of pounds to the UK economy and provides critical national infrastructure.
“This Bill will help improve cyber defences essential for maintaining the already very high safety standards in aviation.
“The Civil Aviation Authority protect people and enable aerospace within a global eco-system, and the need for aviation to defend as one is a national imperative.”
Darktrace CEO: "Cyber Security and Resilience Bill is an essential piece of legislation"
Image: Darktrace CEO Jill Popelka
Jill Popelka, CEO of Darktrace, commented:
“In an era where cybercriminals move faster, experiment freely, and increasingly leverage AI to their advantage, the Cyber Security and Resilience Bill is an essential piece of legislation. It will improve the UK’s defences, enabling businesses and public services to securely harness the opportunities provided by technology and innovation.
“We’ve seen cyber attackers increasingly target supply chains and managed service providers in recent years, including vital institutions like the NHS and the Ministry of Defence. It’s promising to see the Bill recognise the risk across the digital ecosystem. It’s also good to see the government’s focus on future-proofing the regulatory environment for cyber security and creating a stronger role for NCSC’s Cyber Assessment Framework. These changes will help give organisations more confidence to adopt new technologies while staying prepared for the next evolution in threats.”
According to Sarah Walker, Chief Executive, Cisco UK and Ireland, Cisco’s latest research shows the scale of the challenge ahead, with only 8% of UK organisations are classed as ‘Mature’ in their cybersecurity readiness.
Events of 2025 prove "beyond doubt" improving national cyber security and resilience is essential for UK’s economic security
Jamie MacColl, Senior Research Fellow, Cyber and Tech, Royal United Services Institute added:
“The events of 2025 have proven beyond doubt that improving national cyber security and resilience is essential for the UK’s economic security. The arrival of new legislation to better protect our most critical national infrastructure is an important step in improving cyber resilience in the UK. However, it is also important that organisations outside of the scope of the Bill up their game on cyber security and resilience. We urgently need to build collective resilience to inspire confidence in the face of threats from hostile states and criminals.”
PureTec Separations, the Ledbury-based water treatment engineering firm, has appointed Dan Norman as its new Sales Manager – Water Process Systems, supporting the company’s continued growth in the UK and international markets.
bNovate has launched BactoCloud, a secure cloud-based platform that connects and manages its BactoSense instruments, enabling real-time monitoring and optimization of microbial water quality.
Amiblu, a global leader in Glass Reinforced Plastic (GRP) pipe systems for wastewater, stormwater, drinking water, irrigation, hydropower, and industrial applications, has announced the appointment of Martyn Turton as its Sales Director for the UK & Ireland, driving strategic market development in the infrastructure and water sectors, effective immediately.
As a project manager at Metasphere, a Grundfos-owned remote telemetry company at the cutting edge of innovation, Fey McHarg, has witnessed firsthand how the intelligent harnessing of data, specifically through the data-as-a-service model, is fundamentally reshaping and revolutionising the water sector.
Hear how Scottish Water has completed its £235 million Ayrshire Glasgow Resilience Project - customers across Greater Glasgow, Ayrshire and East Renfrewshire will now benefit from a more secure and resilient water supply.
Hear how United Utilities is accelerating its investment to reduce spills from storm overflows across the Northwest.
Find out more about the remarkable career opportunities on offer at WSP - scroll down to watch the inspirational video.