
The Cyber Security and Resilience (NNIS) Bill – What it means for you

24th February, 2026 by James Taylor

Cyber threats facing UK organisations are increasing in both scale and severity, with the National Cyber Security Centre reporting a record number of nationally significant incidents in the past year. In response, the government has introduced the Cyber Security and Resilience (NNIS) Bill to strengthen the UK’s defences. In this article, we look at what the proposed changes may mean in practice for businesses, including new obligations and potential consequences for non-compliance.

1. Why was the Cyber Security and Resilience (NNIS) Bill introduced?

The National Cyber Security Centre (“NCSC”) published a report in October 2025 stating that it handled 429 cyber security incidents between September 2024 and September 2025. Of those 429 incidents, 204 were classed as “nationally significant”, which is a record high. This number was up from 89 in the same period the previous year.

Dr Richard Horne, Chief Executive of the NCSC, has stated that:

“Our collective exposure to serious impacts is growing at an alarming pace. That demands urgency from every business leader: hesitation is a vulnerability, and the future of their business depends on the action they take today. The time to act is now.”

In light of this risk, the government stepped in and proposed the Cyber Security and Resilience (NNIS) Bill, which adds to and works in conjunction with the existing Network and Information Systems (NIS) Regulations 2018 in an effort to bolster UK businesses’ defences against cyber-attacks by making essential services more secure.

2. What stage is the Cyber Security and Resilience Bill at?

The Bill was first introduced to Parliament for its First Reading on 12th November 2025, with its Second Reading taking place on 6th January 2026. Currently, the Bill is at the Committee Stage, in which MPs in the House of Commons undertake a detailed examination, scrutiny and debate of the contents of the Bill, which will take place over a number of weeks.

3. What does the Cyber Security and Resilience Bill change?  

The existing Network and Information Systems (NIS) Regulations 2018 focused on addressing the vulnerabilities in the UK’s essential services which the public rely upon daily, such as the NHS, utility providers, the transport sector and digital infrastructure.

The Cyber Security and Resilience Bill will extend this to include other UK businesses. By extending the scope, the affected UK businesses will be classed as “critical suppliers”, and therefore fall under the definition of “Operators of Essential Services” under the existing NIS regulations.  

This means that those businesses shall be subject to extra obligations imposed on them by their relevant sector-specific regulators. For example, certain NHS suppliers shall now be subject to oversight from the Department of Health and Social Care.

The Bill also provides the Secretary of State and regulators with the power to direct regulated businesses to take defined actions such as the sharing of information, and the powers to impose higher fines for any failures to meet such requirements.

4. Which UK businesses are affected by the Cyber Security and Resilience Bill?

The businesses affected are:

  • Managed service providers, such as IT and cybersecurity service firms (potential exemptions for SMEs);
  • Data centres;
  • “Large load controllers” (organisations which control energy use in smart appliances such as batteries or electric vehicles);
  • Certain NHS suppliers; and
  • Any supplier in the supply chain that is deemed critical to any regulated organisation’s ability to provide its services.

If you are a business that may be classed as “regulated” once the Cyber Security and Resilience Bill receives Royal Assent, you need to be prepared to adhere to its requirements, or face sanctions imposed by your sector’s regulator.

This includes increased incident reporting obligations, such as a requirement to notify the regulator within 24 hours of you becoming aware that your business or your customers have been subject to a reportable incident, followed by providing the regulator with a full report within 72 hours.

There will also be a duty to notify your customers of any potential or actual security incident affecting your business which is likely to have an impact on them.  

At Howes Percival, we can carry out an assessment on your business, and advise you on whether your business will be caught by the Cyber Security and Resilience Bill. Our Commercial Advisory Services team has solicitors in Leicester, Milton Keynes, Northampton and Oxford who are on hand to answer any questions you may have. For further information or to discuss how we can assist you, please contact Hannah Steggles.

 

 

The information on this site about legal matters is provided as a general guide only. Although we try to ensure that all of the information on this site is accurate and up to date, this cannot be guaranteed. The information on this site should not be relied upon or construed as constituting legal advice and Howes Percival LLP disclaims liability in relation to its use. You should seek appropriate legal advice before taking or refraining from taking any action.
