
The bill, expected to receive Royal Assent in 2026, updates the UK’s Network and Information Systems Regulations (NIS) 2018, expanding coverage to include managed service providers (MSPs), data centers, and key suppliers for the first time. It supports the government’s Plan for Change strategy aimed at strengthening national resilience while driving economic growth, the statement added.
Turnover-linked penalties and a behavioural shift
The bill marks a turning point in how the UK enforces cybersecurity compliance. “The penalties change behaviour in a way flat fines never could,” said Sanchit Vir Gogia, chief analyst and CEO at Greyhound Research. “For large operators, every breach now carries a cost proportionate to their market reach. That link between impact and liability forces investment before the incident, not after it.”
The legislation introduces significantly tougher enforcement powers than those found in the EU’s NIS2 Directive or GDPR, said Madelein van der Hout, senior analyst at Forrester. “The bill sets a precedent for stricter cybersecurity enforcement by combining turnover-based penalties with emergency government powers.”
