From compliance to collaboration, the new Cyber Security and Resilience (Network and Information Systems) Bill could elevate cybersecurity to a board-level priority and set the stage for a more resilient digital economy.
In November 2025, ISC2 hosted a timely roundtable in the UK Parliament, sponsored by David Reed MP, on the Cyber Security and Resilience (Network and Information Systems) Bill. This Bill provides a long-awaited update to UK cybersecurity legislation introduced in 2018. Following ISC2’s roundtable discussion, the Bill was introduced in Parliament later that day, marking an important step in extending the scope and powers of the UK cybersecurity legislation.
The ISC2 roundtable centered on the Bill’s key implications. Attendees included Members of Parliament David Reed MP, Dame Chi Onwurah MP, Dr. Ben Spencer MP and Alison Griffiths MP, as well as leaders from across the cybersecurity sector. The participants explored how the Bill can strengthen the UK’s cybersecurity resilience and how to better equip organizations to meet evolving cyber threats, focusing on the crucial role of a skilled cybersecurity workforce in ensuring the legislation’s success.
What Does the Cyber Security and Resilience Bill Propose?
The Cyber Security and Resilience Bill introduces several important measures designed to strengthen the UK’s cyber defenses and ensure mission-critical services are better protected. Here is what it aims to achieve:
1. Expanding Cybersecurity Regulations
One of the most significant changes to the 2018 legislation is expanding the existing regulations to bring more entities into scope, including digital services, managed service providers, data centers and critical suppliers. This part of the legislation means more organizations, especially those delivering essential services, will be legally required to implement robust security measures to safeguard their systems.
2. Strengthening Regulatory Oversight
The Bill also seeks to empower regulators with greater authority and resources to enforce compliance. This item includes new powers to proactively investigate vulnerabilities in systems and supply chains, as well as cost-recovery mechanisms to fund enforcement activities.
3. Enhancing Cyber Incident Reporting
Another key provision is stricter reporting requirements for cyber incidents. Organizations will need to report incidents more promptly and in greater detail. This proposal would give the government and regulators better data on the frequency, scale and impact of cyber threats to enable faster and more informed responses.
4. Closing Gaps in the Current Framework
While the UK’s existing cybersecurity regulations, introduced in 2018, have delivered progress, post-implementation reviews in 2020 and 2022 revealed that updates are overdue. The new Bill addresses shortcomings by modernizing and expanding the framework to keep pace with evolving threats and ensure essential services remain resilient.
Key Themes of ISC2’s Roundtable on the Cyber Security and Resilience (Network and Information Systems) Bill
ISC2’s roundtable brought together elected officials, policymakers and industry leaders to unpack the Bill’s implications for organizations across the public and private sectors, focusing on the following topics:
Risk-Based Approach
One of the main clarifications discussed was the scope of the Bill. Public sector bodies such as the National Health Service (NHS), as well as critical infrastructure in rail and aviation, will fall under its remit. The regulation adopts a risk-based framework, meaning that organizations that pose higher or the most severe risks (whether to human life or economic stability) will face stricter compliance requirements. This approach ensures proportionality while prioritizing sectors where a breach could have catastrophic consequences.
A Catalyst for Ecosystem Collaboration
More than a compliance mandate, the Bill is a catalyst for collaboration across the UK’s cybersecurity ecosystem. Participants noted that this legislation aligns with broader policy initiatives and creates opportunities for organizations such as Skills England to address pressures on the cybersecurity workforce and skills needs. As demand for cybersecurity expertise grows, coordinated efforts will be essential to build a talent pipeline capable of supporting these new requirements.
Cybersecurity at the Board Level
The discussion also touched on governance, exploring whether the Bill necessitates tech specialists on corporate boards. The consensus was clear: rather than appointing niche experts, boards need a foundational understanding of cybersecurity risk. Embedding cybersecurity into boardroom language ensures informed decision-making and reinforces its status as a strategic risk, not just an IT issue.
Harmonization Across Cybersecurity Legislation
Participants emphasized the need for alignment or harmonization between the UK Bill and the EU’s NIS2. A fragmented global regulatory environment creates confusion and risk for the cybersecurity profession, workforce and organizations. Regulatory harmonization would streamline compliance, enhance interoperability and strengthen global cyber resilience.
Supply Chain Resilience
Supply chain resilience emerged as another critical theme. Recent ISC2 research validates this need for heightened legislative attention to supply chain risk. The 2025 ISC2 Supply Chain Risk Survey found that 70% of cybersecurity professionals said their organizations are highly (i.e., very or extremely) concerned about cybersecurity risks in their supply chains.
The Human Factor and Continuous Education
The discussion emphasized the role of humans as the strongest defense — not the weakest link — provided they receive proper training. Continuing education across all levels, including awareness, foundational and specialist, will be vital to building a culture and practice of cybersecurity resilience at both public and private organizations.
Challenges for Small and Medium-sized Enterprises
Participants also discussed the implications of the Bill for small- and medium-sized enterprises (SMEs). Many SMEs already struggle with being short-staffed and managing limited resources, particularly in cybersecurity.
From Operational to Strategic Risk
Perhaps the most significant shift that will be driven by the Bill is the elevation of cybersecurity to a strategic risk category. This change will influence organizational priorities, budget allocations and governance structures. By embedding resilience into core business strategy, the UK aims to create a more secure and competitive digital economy.
The Beginning of a Broader Conversation about the UK’s Cybersecurity Posture
Participants agreed that the timing of the roundtable was fortuitous, with the Bill being introduced later the same day, and saw the roundtable as the beginning of ongoing discussions. The Bill will now progress through both Houses of Parliament, a process that will take several months as parliamentarians scrutinize, amend and ultimately approve it. Progression through Parliament is intended to fine-tune the Bill to ensure it does what it is intended to do: protect critical national infrastructure.
This legislation is an important Bill for ISC2 members, and ISC2 will advocate for them every step of the way, including engaging with MPs and communicating with our members. To learn more about ISC2 Advocacy, visit https://www.isc2.org/about/advocacy.