The Information Commissioner’s Office has welcomed the introduction of the Cyber Security and Resilience (Network and Information Systems) Bill in the House of Commons. It has also published its response to the Bill.
The ICO is the designated competent authority with responsibility for regulating relevant digital service providers (RDSPs), defined as cloud computing services, online marketplaces and search engines, under the Network and Information Systems Regulations 2018 (NIS).
On 12th November 2025, the Secretary of State for the Department for Science, Innovation and Technology introduced the Cyber Security and Resilience (Network and Information Systems) Bill to Parliament. It is an important milestone in the evolution of the UK’s cyber security regulation. The Bill is the result of public consultation and a call for views.
The changes in the Bill and the updates to the NIS regulations reflect the fact that the cyber threat landscape is constantly evolving. The following provisions are included in the Bill to support the change in approach:
- Expanded information gateways to ensure NIS regulators can share and receive information with and from UK public authorities and government departments to facilitate the exercise of NIS functions, subject to safeguards.
- The introduction of powers to enforce a failure to register and keep registration details up to date.
The ICO encourages the government to further increase the value of the proposed legislation by proactively supporting information sharing between relevant UK regulators and assisting in building robust coordination mechanisms between regulators to facilitate the effective identification of risk. This could include:
- government taking an active role in risk identification;
- mechanisms to support the exchange of relevant information with government departments not part of the NIS regulations; and
- technology to support the management and sharing of information between NIS regulators.
Overall, the Bill represents a positive and balanced package of reforms, but the ICO believes that there are some points that would benefit from additional clarity, in particular:
- The factors and thresholds for determining what a “significant impact” is for incident reporting.
- Security and resilience requirements.
- Clarification of the criteria for assessing “critical suppliers” and further detail on their duties.
- The application of the new enforcement and penalty measures and determination of turnover.
- Further enhancement of the ICO’s information gathering powers, including the collection of information that will support risk assessment and prioritisation activities for proactive regulatory oversight.