Overview
- The bill enters Parliament with plans to update the UK’s NIS regime, bringing an estimated 900–1,100 managed service providers and data centre firms into scope.
- Medium and large IT service suppliers to essential sectors must report significant incidents to regulators and the NCSC within 24 hours, file a full report within 72 hours, and notify customers.
- Sector regulators gain powers to designate critical suppliers that must meet minimum security standards, while the technology secretary can instruct risk‑reduction steps where national security is at stake.
- The government signals a ban on public‑sector ransomware payments, alongside tougher turnover‑based penalties, enhanced ICO powers, and new cost‑recovery fees for regulators.
- NCSC chief Richard Horne and NHS security lead Phil Huggins publicly back the reforms as ministers cite 2024 MSP‑linked breaches and OBR modeling of a £30bn borrowing shock and roughly £15bn in annual cyber costs.