Preparing for the UK’s New Cyber Security and Resilience Bill


The UK government introduced the Cyber Security and Resilience (Network and Information Systems) Bill on 12th November 2025. The Bill updates the UK’s NIS Regulations 2018 to broaden scope, strengthen reporting duties, and increase regulators’ enforcement powers.

If you work in healthcare, energy, water, transport, or supply IT services to these sectors, this legislation will directly affect how you manage cybersecurity. Based on typical parliamentary timelines, we should expect implementation by 2026 with potential phased requirements – so it makes sense to be prepared.

Some details remain to be finalized through secondary legislation. So we’ll run through what we do know, where there’s still ambiguity, and where we can draw sensible parallels with the EU NIS2 Directive to suggest likely expectations.

Why is this new bill important?

Specops Senior Product Manager, Darren James, said: “This is great news! For too long, critical infrastructure has been an easy target for cyber-attacks, whether it be a criminal gang looking to extort money or a nation-state hoping to undermine the trust in the government’s ability to protect these vital assets. Ensuring that both the organizations providing these services and also the supply chains around them are secure is a fundamental step in the right direction.

“Specops has been helping the NHS, Central and Local Government, Energy suppliers and other critical infrastructure organizations from all over the world resolve these vulnerabilities for many years. We’ll continue to do so as the threats that challenge them continue to evolve.”

Who will the new bill apply to?

According to the government press release, the bill will seek to boost protection for:

  • Essential services (healthcare, energy, transport, water, etc.).
  • Key digital infrastructure (medium- and large-sized IT and security service providers, e.g. MSPs and help desks).
  • Critical suppliers: the bill also grants regulators new powers to designate “critical suppliers” (e.g. key data centre or medical diagnostic providers) as subject to minimum security requirements.

What has been confirmed in the Cyber Security and Resilience Bill

The bill builds on the old NIS regime, which imposed risk-management and incident-reporting duties on “operators of essential services” (OES) and “relevant digital service providers” (RDSP). In practice, all entities covered under the new bill will need formal cybersecurity risk-management programs. This means documenting how they handle threats, patch systems, secure access controls, train staff, and so on (the bill does not list technical solutions by name).

One practical, confirmed duty in the draft is accelerated incident notification: organizations will need to give an initial notification promptly (the Bill indicates a 24-hour window in line with reported summaries) followed by a fuller report within a short period. Exact reporting formats and timelines will be finalized in regulations and guidance.

Other provisions include:

  • Regulators can issue codes of practice and audit organizations for compliance.
  • Business managers could be compelled to take specific security steps if the Secretary of State deems it necessary, and failing to fulfil duties (or hiding incidents) can trigger hefty penalties.
  • Turnover-based fines: draft provisions set the maximum fine at the greater of £17 million or 10% of worldwide turnover – much higher than under the 2018 NIS rules.

What is still unclear or ambiguous?

It’s worth stressing what is not yet clear. The bill does not (so far) spell out exact technical standards. For example, it does not itself dictate password rules or MFA. Instead, it focuses on outcomes (manage risk, be resilient, report breaches). This means companies must look to established best practice to decide what “appropriate” means for them. Drawing on NIS2 guidance, we know regulators expect strong access controls – including robust password policies and multi-factor authentication – as part of meeting “appropriate and proportionate” measures.

Where NIS2 & CAF give useful guidance

Because the UK is not bound by EU law, the Cyber Security and Resilience Bill does not automatically mirror NIS2. However, NIS2 is a mature, public standard and provides a reasonable baseline for what UK regulators may expect in practice. For a practical UK benchmark on maturity and outcomes to aim for, organizations can also follow official guidance on the NCSC’s Cyber Assessment Framework (CAF).

What organizations can do now

1. Map scope and supply chain. Identify whether you are an Operator of Essential Services, a digital service provider, an MSP, a data centre, or a supplier likely to be designated critical.

2. Baseline AD and password hygiene. Credential compromise remains a top initial vector. Start with an Active Directory password audit and block known breached passwords. (This recommendation is consistent with NIS2 expectations).


3. Add MFA where risk is highest. Protect Windows logon, RDP and VPN access as priority controls. This is an easy-to-evidence and high-impact step.

4. Harden service-desk processes. Enforce verification for password resets and high-risk requests and log verification events for audits.

5. Assemble evidence packs. Export reports, logs, policies and ownership records mapped to CAF outcomes to accelerate regulatory assessments.

How Specops supports compliance with AD-focused controls

The table below maps key compliance needs to Specops solutions that can help meet them. Since the bill’s final scope is still being refined, we focus on general security practices implied by the law (and by analogous NIS2 and CAF requirements). Organizations should combine them with patching, monitoring, incident response, and supplier governance to form a complete compliance program.

| Likely regulatory need | Specops product | How Specops supports compliance |
| --- | --- | --- |
| Strong password policies and prevention of breached-password use | Specops Password Policy | Enforces granular AD password rules and blocks use of known breached passwords. This addresses the “strong password hygiene” outcome regulators expect. |
| Multi-factor authentication for logon and remote access | Specops Secure Access | Adds MFA to Windows logon, RDP and VPN sessions, and reduces risk from credential compromise — a control emphasized by both CAF and NIS2. |
| Secure self-service password reset (MFA-protected) | Specops uReset | Provides MFA-enabled self-service resets with phishing-resistant factors (CAF explicitly pushes organizations toward phishing-resistant factors). |
| Service-desk verification workflows | Specops Secure Service Desk | Enforces agent-side verification steps to reduce help-desk exposure to social engineering. |
| AD password posture visibility | Specops Password Auditor | Conducts a read-only audit of AD passwords (blank, reused, compromised) to provide an evidence baseline for risk assessments. Free tool! |

Final note on compliance strategy

Because the bill is not yet law, some details remain to be determined. However, the direction is clear: UK policy is moving towards enforcing best practices as seen in laws like NIS2 and frameworks like CAF. Skipping basics like MFA or breached-password blocking is no longer an option. By taking stock now – assessing risks, tightening access controls, and preparing processes – organizations can get ahead of the curve.

Need support in getting prepared for the new UK bill? Or meeting existing regulations around NIS2 and CAF? Book a one-on-one chat with a Specops expert.

Last updated on November 17, 2025


Written by

Marcus White

Marcus is a cybersecurity product specialist based in the UK, with 8+ years’ experience in the tech and cyber sectors. He writes about authentication, identity and access management, and compliance.
