Consultation outcome

Proposal for legislation to improve the UK’s cyber resilience

This consultation has concluded

Download the full outcome

Detail of outcome

In January 2022, the government launched a public consultation on proposals for legislation to improve the UK’s cyber resilience. The proposals included seven policy measures to address the evolving cyber security threats the UK faces via amendments to the Network and Information Systems (NIS) Regulations 2018.

There were 304 survey responses received. The overall response to these proposals was positive, with six of the seven proposed measures receiving greater positive than negative support for their implementation. The one exception was the full cost-recovery for NIS functions, where there were more negative responses than positive towards the measure. Responses included a range of constructive and helpful feedback which the government has taken into account.

The attached document offers an overview of the responses and key findings, and provides the government response and next steps for policy development.

For more information, please see the press notice.

You can also read the written ministerial statement to Parliament.

The government will proceed with these proposals and amend the NIS Regulations accordingly. This will be subject to finding a suitable legislative vehicle.

Original consultation


The government is consulting on proposals for new laws to improve the cyber resilience of organisations which are important to the UK economy. We received a number of positive responses which are being considered. The government hopes to respond to this consultation as soon as it can in autumn 2022.

This consultation ran from

Consultation description

As part of the £2.6 billion National Cyber Strategy 2022 the government is working to improve the cyber resilience of businesses and organisations across the UK economy.

Recent high-profile cyber attacks, such as the December 2020 SolarWinds supply chain compromise, the May 2021 ransomware attack on the US Colonial Pipeline, and the July 2021 attack on the managed service provider Kaseya demonstrate how malicious actors are able to compromise a country’s national security and disrupt activities in the wider economy and society.

The government is therefore consulting on proposals for legislative changes which would drive up levels of cyber resilience, particularly in organisations which play an important role in the UK economy, like managed IT service providers.

A pre-consultation impact assessment has been provided to support the legislative proposals.

In addition, a separate consultation on Embedding standards and pathways across the cyber profession by 2025 is also being published. This details proposals for how a stronger cyber security profession can support better cyber resilience.

There is further analysis on the need to improve UK cyber resilience in the 2022 Review of Cyber Security Incentives and Regulation which is being published alongside this consultation.

Read more in the press notice.

Read the Written Ministerial Statement.


Published 19 January 2022
Last updated 30 November 2022 + show all updates
  1. Government response added.

  2. Made impact assessment PDF web accessible.

  3. First published.