Analysis of how UK Cyber Security and Resilience Bill compares to EU NIS2

23 January 26

Miljana Todorovic

The UK bill proposes amendments to the existing UK Network and Information Systems (NIS) Regulations that would bring the UK cybersecurity regime closer to the EU framework established under the NIS2 Directive. In particular, it would:

  • expand the scope of regulated entities to include data centres, relevant managed IT service providers, large electrical load controllers and critical suppliers, in order to secure the entire supply chain; and
  • introduce stricter incident reporting requirements by, for example, widening the reporting criteria to include attacks that have not yet had an impact but are likely to have a significant one.

However, the bill remains distinct from NIS2 in several respects, including by relying more on secondary legislation to set out detailed security requirements.

In addition, the bill would enable the UK government to update the cybersecurity framework, for example, by bringing more sectors into scope or introducing new security and resilience requirements.

The UK bill was introduced to parliament on 12 November 2025.
