Particle.news

UK Introduces Cyber Security and Resilience Bill Bringing MSPs and Data Centres Into Scope

The move starts parliamentary scrutiny of sweeping duties meant to harden essential services against costly cyber attacks.

Overview

  • In a major update to the NIS regime, the bill introduced on 12 November expands regulation to managed service providers, data centres and elements of smart energy infrastructure such as EV charging networks.
  • Organisations in scope must report significant incidents to their regulator and the NCSC within 24 hours, file a full report within 72 hours, and notify affected customers.
  • Regulators will be able to designate critical suppliers that must meet minimum security standards, and the technology secretary will have powers to issue emergency instructions such as enhanced monitoring or system isolation during national security risks.
  • Enforcement will include tougher turnover-based penalties, with potential daily fines of up to £100,000 or 10% of daily turnover for serious violations.
  • Public-sector ransomware payment prohibitions are expected to feature in the framework. Industry voices welcomed the direction but called for clear guidance and timelines. The government cites annual cyber losses of roughly £14.7–15bn, and the OBR warns a major CNI attack could add over £30bn to borrowing.