Policy paper

Enforcement

Published 12 November 2025

What are we going to do?

The Cyber Security and Resilience (Network and Information Systems) Bill will reform the enforcement mechanisms in the Network and Information Systems (NIS) Regulations 2018, with the aim of ensuring a more effective and proportionate regime, and better compliance. This will mean:

  • simplifying the penalty band structure, so the penalties for non-compliance can be more easily targeted at the appropriate level and with increased transparency;
  • expanding the factors that can be considered when determining what constitutes a proportionate penalty, to ensure that relevant considerations – such as mitigating actions or patterns of non-compliance – are taken into account; and
  • introducing new maximum penalties that better reflect the costs of non-compliance and the turnover of regulated entities.

Why are we going to do it?

The success of the Cyber Security and Resilience Bill will depend upon the steps that regulated entities take to meet their regulatory responsibilities, invest in their cyber security and protect their services. Support from regulators and government will be critical in helping organisations to achieve the necessary levels of protection and resilience, but effective enforcement also has a key role to play in ensuring a culture of compliance. Where organisations understand there are meaningful and predictable consequences for non-compliance, there will be less incentive to cut corners; and where organisations are confident that the relevant circumstances will be considered fairly and fully when non-compliance has taken place, they will be more inclined to engage with their regulators to resolve the situation.

However, the enforcement regime under the NIS Regulations is currently not as effective as it could be. Enforcement is constrained by unclear band structures which do not reflect the relative significance of non-compliance and are not sufficiently transparent; this can lead to unnecessary legal challenges and difficulties in using enforcement action. Similarly, regulators are constrained in terms of the factors they can consider when assessing an appropriate level of penalty, meaning that other relevant circumstances – whether mitigating or aggravating – cannot be taken into account. Finally, the maximum penalty of £17 million is also not proportionate to the emerging risk landscape, as it represents a small proportion of turnover for larger regulated entities. For many of them, the maximum fine can therefore be less than the cost of complying with these cyber security laws. In some instances, fines are significantly lower than fines that can be levied by the same regulators in other regulatory regimes. Regulators have indicated that it is insufficient to deter non-compliance across certain NIS sectors.

In light of the considerable risks arising from non-compliance with the NIS Regulations – including disruption to essential services relied on by the public and businesses across the economy every day – it is vital that the enforcement regime is reformed to ensure the success of the regime and the resilience of our critical national infrastructure. The goal of these reforms is not the widespread use of fines, but rather a culture of compliance that renders the ongoing use of fines unnecessary.

How are we going to do it?

Banding structure

There is currently a three-band penalty structure under the NIS Regulations:

  • Non-material contraventions – with a maximum fine of £1 million,
  • Material contraventions – with a maximum fine of £8.5 million, and
  • Material contraventions which have or could have created a significant risk to, or significant impact on, or in relation to, the service provision by the regulated entity – maximum fine of £17 million.

Within this banding structure, the distinction between the two types of “material contravention” is problematic for regulators and for regulated entities who need certainty about how penalties are calculated. The challenging way in which the test for using the highest penalty band is constructed means that regulators take an inconsistent approach to its application, while the test’s focus on ‘impact’ overlooks the fact that other forms of non-compliance – such as failure to respond to information notices – can be extremely significant in terms of their ability to frustrate the regulatory process.

The Cyber Security and Resilience Bill will modify this into a simplified two-band penalty structure, with the band level proportionate to the severity of the contravention – and it will clearly set out in law which breaches of duty correspond to which bands. The band into which a contravention falls will depend on its severity. For example, contraventions relating to notification of incidents and the fulfilment of security duties will fall under the higher band, whereas a failure to notify registration as a relevant digital service provider or relevant managed service provider will fall under the standard band.

This approach will create a more consistent and transparent enforcement regime for both regulators and regulated entities. It will ensure regulated entities have increased predictability and make the regime more streamlined and easier to enforce, leading to an overall improvement of the security of vital UK services.

Proportionality 

Regulators must take a proportionate approach when determining a penalty amount to impose. As a result of the new reforms, they will now be able to take into consideration a much wider range of circumstances when determining what constitutes a proportionate penalty. To ensure consistency, regulators will also need to consider a minimum number of factors, such as attempts by the regulated entity to mitigate the impacts of the breach and the regulated entity’s history of non-compliance. They could also, for example, consider matters like the sector, impact on service users, and impacts on investment or growth.

Maximum fines 

Under the current NIS Regulations, regulators are able to issue a financial penalty only up to £17 million for “material contraventions which have or could have created a significant risk to, or significant impact on, or in relation to, the service provision by the regulated entity”. This falls behind many other comparable regimes, and does not adequately reflect the vital importance of protecting the infrastructure upon which the UK economy and society rely.

The new regime will introduce new maximum penalties corresponding to the two new bands: 

  • Up to £17 million, or 4% of a regulated entity’s worldwide turnover, whichever is higher, for more serious breaches, and
  • Up to £10 million, or 2% of a regulated entity’s worldwide turnover, whichever is higher, for less serious breaches.

While the precise definition of ‘turnover’ will be set out in secondary legislation, the intention is that it would be limited to a level that is proportionate to the regulated services provided to the UK economy and society. There may be circumstances in which the turnover of other members of a group may need to be considered (e.g. where a parent company has influenced decision making relevant to the breach). Further details will be set out in due course, with the proposed secondary legislation being subject to public consultation and appropriate parliamentary scrutiny.  

These changes will ensure that the enforcement regime is strong, proportionate and effective – taking into account both the relative significance of non-compliance, as well as the turnover of the regulated entity. Together with the wider changes outlined above, they will provide regulators with the essential enforcement mechanisms they need to ensure compliance with the regime, ensuring that penalties are applied in a predictable and consistent manner, which is proportionate to the cyber risk landscape.

An example of how this will work

1. If a regulator has reasonable grounds to believe that a regulated entity has not complied with its obligations under the NIS Regulations, they can issue a regulated entity with a notice of intention to impose a penalty.

2. Regulators may also serve an enforcement notice in relation to the same breach, requiring corrective action. A penalty notice is not reliant on an enforcement notice, and both could be issued at the same time, if necessary.

3. Regulated entities may then provide representations, which the regulator would take into account. If regulators are still minded to impose a financial penalty, they may issue a final decision to impose a penalty (an administrative fine).

4. Not every breach will result in a financial penalty, and steps taken by the regulated entity to remedy non-compliance will be factored into the decision-making of the regulator.

5. The penalty amount will be dependent on the severity of the breach, alongside other circumstances relevant to the case. Regulators are required to act appropriately and proportionately, and will consider both mitigating and aggravating factors, in line with their penalty and enforcement policies. For example, the penalty amount may be greater if the organisation has a pattern of non-compliance, or smaller if it is clear they have tried to remedy the contravention. It will be up to the regulator to consider these factors, and others relevant to the case, when determining what a proportionate penalty to impose is. If the regulated entity is part of a group, the regulator will consider whether it is appropriate for the turnover of any other members of the group to be included when determining the penalty. The extent to which this will be a key factor will be determined following public consultations and subsequent secondary legislation.

6. Regulated entities will also have the opportunity to appeal the penalty through the First-tier Tribunal. 

Implementation

The enforcement measures will be brought into force through secondary legislation following Royal Assent. This will give regulators time to prepare for the new regime and allow for the coordinated introduction of further detail, such as the determination of turnover.