The UK government has unveiled sweeping new cyber security laws aimed at protecting hospitals, energy grids, water supplies and transport networks from an escalating wave of digital attacks.
The Cyber Security and Resilience Bill, introduced to Parliament today, is part of the government’s Plan for Change and seeks to bolster national security while safeguarding the economy from cyber criminals and hostile state actors.
According to new research, cyber attacks now cost the UK almost £15 billion a year, with the average incident exceeding £190,000 in damages. Officials warn that an attack on critical national infrastructure could temporarily increase government borrowing by more than £30 billion — around 1.1% of GDP.
New powers for regulators and government
Under the proposed legislation, digital and essential service providers — including those in healthcare, transport, energy, and water — will face tougher cyber protection standards. For the first time, IT service providers that manage networks for public bodies such as the NHS will also come under regulation.
Companies in scope will be required to:
- Report significant cyber incidents within 24 hours, and provide full details within 72 hours;
- Maintain robust response plans to manage the fallout from breaches;
- Notify affected customers promptly if their systems are compromised.
Regulators will gain new powers to designate critical suppliers, such as firms providing medical diagnostics to the NHS or chemicals to water utilities, and ensure they meet minimum security requirements.
Enforcement measures will also be strengthened, with turnover-based fines for serious violations — a move aimed at ensuring that “cutting corners is no longer cheaper than doing the right thing.”
The Technology Secretary will have authority to order regulators and public bodies, such as NHS trusts or water firms, to take direct steps to prevent attacks that pose a national security threat.
“Cyber security is national security”
Science, Innovation, and Technology Secretary Liz Kendall said:
“Cyber security is national security. This legislation will enable us to confront those who would disrupt our way of life. I’m sending them a clear message: the UK is no easy target.
We all know the disruption daily cyber-attacks cause. Our new laws will make the UK more secure against those threats. It will mean fewer cancelled NHS appointments, less disruption to local services and businesses, and a faster national response when threats emerge”.
Protecting vital infrastructure
The National Cyber Security Centre (NCSC) welcomed the legislation, calling it “a crucial step” in defending the UK’s most vital systems.
National Cyber Security Centre CEO Dr Richard Horne said:
“The real-world impacts of cyber attacks have never been more evident than in recent months, and at the NCSC we continue to work round the clock to empower organisations in the face of rising threats.
As a nation, we must act at pace to improve our digital defences and resilience, and the Cyber Security and Resilience Bill represents a crucial step in better protecting our most critical services.
Cyber security is a shared responsibility and a foundation for prosperity, and so we urge all organisations – no matter how big or small – to follow the advice and guidance available at ncsc.gov.uk and act with the urgency that the risk requires”.
National Chief Information Security Officer for Health and Care at Department of Health & Social Care, Phil Huggins said:
“The Bill represents a huge opportunity to strengthen cyber security and resilience to protect the safety of the people we care for.
The reforms will make fundamental updates to our approach to addressing the greatest risks and harms, such as new powers to designate critical suppliers.
Working with the healthcare sector, we can drive a step change in cyber maturity and help keep services available, protect data, and maintain trust in our systems in the face of an evolving threat landscape”.
Lessons from recent attacks
The government pointed to recent incidents, including the 2024 Ministry of Defence payroll breach and the Synnovis cyber attack on NHS pathology services, which disrupted over 11,000 medical appointments and cost an estimated £32.7 million.
Under the new rules, data centres and organisations managing smart energy systems — such as electric vehicle charge points — will also face stricter regulations to prevent disruption to consumers and the national grid.
A foundation for growth and security
Officials say the Bill will underpin the UK’s National Security Strategy, drive resilience across supply chains, and strengthen investor confidence in Britain’s growing cyber sector, which contributed £13.2 billion to the economy last year.
The legislation follows a joint letter from senior ministers urging FTSE 350 firms to step up cyber defences amid mounting global threats.
Businesses and public bodies are being encouraged to use free guidance from the NCSC, including Cyber Essentials, Active Cyber Defence services, and the Cyber Assessment Framework, to bolster their resilience.
Simon Sheeran, Head of Cyber Security Oversight at the UK Civil Aviation Authority said:
“The aviation sector contributes billions of pounds to the UK economy and provides critical national infrastructure.
This Bill will help improve cyber defences essential for maintaining the already very high safety standards in aviation.
The Civil Aviation Authority protect people and enable aerospace within a global eco-system, and the need for aviation to defend as one is a national imperative”.
Jill Popelka, CEO of Darktrace, said:
“In an era where cybercriminals move faster, experiment freely, and increasingly leverage AI to their advantage, the Cyber Security and Resilience Bill is an essential piece of legislation. It will improve the UK’s defences, enabling businesses and public services to securely harness the opportunities provided by technology and innovation.
We’ve seen cyber attackers increasingly target supply chains and managed service providers in recent years, including vital institutions like the NHS and the Ministry of Defence. It’s promising to see the Bill recognise the risk across the digital ecosystem. It’s also good to see the government’s focus on future-proofing the regulatory environment for cyber security and creating a stronger role for NCSC’s Cyber Assessment Framework. These changes will help give organisations more confidence to adopt new technologies while staying prepared for the next evolution in threats”.
Julian David OBE, CEO of techUK, said:
“techUK welcomes today’s introduction of the Cyber Security and Resilience Bill to Parliament which signals the government’s ambition to modernise and future-proof the UK’s cyber laws while fostering the resilience that will underpin our economic growth. It marks a significant step forward in prioritising the security of our nation’s essential services.
techUK looks forward to continuing to engage with the government as the Bill makes its way through Parliament, to help ensure that the measures are fit for purpose, practically implementable and can deliver their intended outcomes, protecting the UK from a diverse range of threats and enabling organisations to harness the benefits that technology can offer”.
Sarah Walker, Chief Executive, Cisco UK and Ireland, said:
“We welcome the government taking action to overhaul the UK’s cyber framework with the Cyber Security and Resilience Bill. This is a significant step in securing the UK against ever-increasing cyber threats. Our latest research shows the scale of the challenge ahead; only 8% of UK organisations are classed as ‘Mature’ in their cybersecurity readiness. As AI reshapes both attack and defence, we need regulation that keeps pace with this changing threat landscape. We are looking forward to collaborating with the UK government and working with our international partners to continue securing the UK’s digital economy”.