Cost recovery
Published 12 November 2025
What are we going to do?
Regulators will now be empowered to recover the full costs associated with their Network and Information Systems (NIS) Regulations 2018 functions, so they are better resourced to carry out their responsibilities. This power will be underpinned by safeguards, including transparency and consultation requirements, and regulators will not be able to make a profit.
Why are we going to do it?
It is vital for our public services, national security and economic stability that UK regulators are sufficiently resourced to support organisations to enhance and maintain their cyber security and resilience. Currently, regulators are constrained in their ability to recover the full costs associated with overseeing and enforcing the NIS Regulations.
For example, they cannot recover costs related to most enforcement activities, and where they can recover costs, they can only do so after they have been incurred. This undermines the regulators’ effectiveness in carrying out their functions under the NIS Regulations.
The current regime also does not provide sufficient transparency and predictability for regulated entities. Cost recovery currently only includes retrospective costs, which does not provide clarity on expected costs for regulated entities, and there are no formal consultation and reporting requirements. Regulated entities also do not have sufficient visibility over how these funds are being used, and for what functions and purposes.
The new powers will allow regulators to recover full costs, either before or after they have been incurred, alongside new requirements to support greater transparency and predictability for regulated entities.
How are we going to do it?
The Cyber Security and Resilience (Networks and Information Systems) Bill amends the NIS Regulations to allow regulators to impose a new funding regime, through a combination of charges and fees. This will contain necessary safeguards to ensure that regulators are not double charging for the same duty, and that costs are limited only to enable regulators to discharge their duties under the law.
Exercise of this power – to recover costs through a fee regime and/or direct cost recovery – will be optional. It is a power, not a duty. This is in order to retain flexibility for regulators to put in place the most appropriate regime for their circumstances and for their sector.
The fee regime will allow regulators to choose to recover costs in different ways for different functions. This means that they can levy prospective charges for some functions while invoicing for fees incurred in relation to others. To create greater predictability and transparency for regulated entities, regulators recovering costs through the new charging model will be required to:
1. Publish a ‘charging scheme’, which would set out the factors used in determining the fees or charges. This ensures charges are transparent and predictable, so organisations can plan accordingly;
2. Consult their regulated entities ahead of the creation of the charging scheme. This serves to ensure that the charging scheme is appropriate for the sector and that there is transparency between regulators and regulated entities, leading to a more cooperative regulatory environment in the long term;
3. Only issue charges in accordance with their charging scheme, so that regulated entities have confidence in a stable and predictable regime; and
4. Issue an end-of-cycle statement, which sets out the costs of exercising their functions and whether they have an underspend or overspend (which would be considered for the new charging period). This ensures that the sector is fully aware of how their funds were used, what costs regulators incurred, and what is left outstanding. It will mean increased accountability for regulators and provide confidence in the regime.
Regulators will also have the power to exclude regulated entities from their charging scheme, where it is not appropriate to charge them.
This approach is based on precedent cost recovery regimes found in the Online Safety Act 2023, the Telecommunications (Security) Act 2021 and the Data Protection Act 2018.
Implementation
The cost recovery measures will be brought into force through secondary legislation following Royal Assent. This will ensure that regulators have time to prepare and conduct consultations on fee regimes.
Further detail in relation to transitional provisions will be introduced through secondary legislation, before this measure is brought into force.