The UK government has set out the scope of its upcoming Cyber Security and Resilience Bill, a major piece of legislation aimed at strengthening the country’s digital defences and safeguarding critical national infrastructure against growing cyber threats.
Due to be introduced later in 2025, the Bill will impose mandatory cyber security requirements on around 1,000 service providers and extend new protections to over 200 data centres, recognising their importance to the UK’s innovation ecosystem, particularly in artificial intelligence.
Under the proposed measures, more organisations and their suppliers will be required to implement robust cyber security practices, including improved risk assessments, stronger data protection, and enhanced network defences. Regulators will also be granted expanded powers to enforce compliance and demand greater incident reporting, enabling the government to build a clearer picture of emerging cyber risks.
The move comes as cyber threats continue to intensify. The National Cyber Security Centre (NCSC) managed 430 cyber incidents in the 12 months to September 2024, 89 of which were classed as nationally significant. Government research also found that half of UK businesses experienced a cyber breach in the past year.
Technology Secretary Peter Kyle said the Bill forms a core part of the government’s Plan for Change, designed to drive economic growth through greater digital resilience.
“Economic growth is the cornerstone of our Plan for Change, and ensuring the security of the vital services which will deliver that growth is non-negotiable,” Kyle said.
“This legislation will help make the UK’s digital economy one of the most secure in the world — giving us the power to protect our services, our supply chains, and our citizens.”
Andy Ward, SVP International at Absolute Security, welcomed the government’s focus on the supply chain, saying: “Supply chains are only as strong as their weakest link. Malicious actors only need one entry point — an unpatched endpoint, for example — to breach a network. A comprehensive cyber resilience strategy, not just technology tools, is key.”
Ward emphasised the importance of centralised visibility across networks and endpoints to detect threats early and act decisively before data is compromised.
Mike Hellers, Product Development Manager at the London Internet Exchange (LINX), called for the Bill to support redundancy strategies that help maintain uptime and operational resilience.
“Building a redundant network encourages uptime and security. At LINX, we offer two independent fabrics in the London Metro area to maximise availability and protect against disruption.”
The Bill will also play a vital role in reinforcing public trust in essential services such as hospitals, utilities, and emergency services, which are increasingly reliant on digital systems and interconnected supply chains.
Once implemented, the Cyber Security and Resilience Bill is expected to establish the UK as a global leader in digital security, protecting both the infrastructure that underpins the economy and the data privacy of millions of citizens.