Futureproofing
Published 12 November 2025
What are we going to do?
The government will be more agile and responsive to evolving cyber threats with powers to make changes to the regime in secondary legislation, such as bringing more sectors into scope, or updating security requirements.
Why are we going to do it?
The Strategic Defence Review stated that “The world has changed. The threats we now face are more serious and less predictable than at any time since the Cold War, including war in Europe, growing Russian aggression, new nuclear risks, and daily cyber-attacks at home.” The cyber threat is constantly evolving, and the government must ensure the rules and regulations governing the security and prosperity of the UK keep pace, remain relevant, and are effective.
However, following the UK’s departure from the EU, the government no longer has appropriate powers to amend the Network and Information Systems (NIS) Regulations 2018 to address these threats without requiring primary legislation. This has allowed our cyber security legislative framework to fall behind, unable to respond to new threats or changes in technology or the increasing reliance on essential services. This risks the cyber resilience of the services that UK business and the public rely on.
Case studies
The government’s two post-implementation reviews of the NIS Regulations showed that, while the NIS Regulations were having a positive impact, further improvements were needed. In the first instance, the reviews illustrated the need for additional services and activities to be brought into scope of the NIS Regulations, noting the increasing reliance on certain services, and the risks to supply chains and the wider economy and society.
Case study 1: The need for new services in scope of the NIS regulations
The Cyber Security and Resilience (Network and Information Systems) Bill will bring data centres, large load controllers, and large and medium managed service providers – that meet the criteria and thresholds set out in the legislation – into scope of the NIS Regulations. This requires primary legislation. Proposed new laws would enable other entities essential to the day-to-day functioning of UK society or the economy to be added through secondary legislation. This supports faster improvements to cyber security and resilience, for example, if sectors need to be brought into scope due to their importance, changes in the threat landscape, or even technical changes in the sectors they operate in.
Such examples are indicative of how the scope of the NIS Regulations could be expanded in future. However, the reviews also suggested that the NIS Regulations, and the functions of the regulators themselves, could be strengthened to increase the effectiveness of the regime in the face of new and developing cyber threats.
Case study 2: Addressing supply chain vulnerabilities
Based on input from both regulatory reviews and threat intelligence, the government recognised the need to introduce additional tools for regulators to tackle supply chain security, as one of the most prominent security threats to critical national infrastructure.
As a result, the Cyber Security and Resilience Bill will enable NIS regulators to designate ‘critical suppliers’, to ensure the most important suppliers to essential and digital services are subject to mandatory cyber requirements. Please see our factsheet on ‘designated critical suppliers’ for more information.
The government has also committed to clarify, in secondary legislation, duties on regulated entities to manage supply chain cyber risks. These duties will be designed to ensure appropriate and proportionate measures are taken – such as contractual requirements, security checks, or continuity plans – to prevent vulnerabilities in suppliers from undermining essential or digital services. These duties will be introduced under the futureproofing powers, which also enable them to be updated so that they remain current as the threat landscape changes, with initial introduction and any changes subject to consultation.
Due to other factors, such as the increasing dependency of the economy on certain services, the developing threat landscape, and the emergence of new technologies, the UK’s cyber legislation must be adaptable and swift to respond to new challenges.
The National Cyber Security Centre (NCSC) reports that there is a widening gap between the increasingly complex threats and collective defensive capabilities in the UK. It is highly likely that future cyber legislation reviews will showcase additional areas for improvement. For these reasons, the government must be able to quickly and effectively respond through necessary reforms in the future.
How are we going to do it?
Scope of the power
The bill will introduce 11 delegated powers, with clear safeguards and limitations, to enable the Secretary of State to make regulations that could make changes to the NIS regime.
Including new services and activities in scope
To balance the need to adapt the regulations with proportionality and reasonableness, the Secretary of State could only designate new services if they fulfil a high bar for inclusion: that they are (or have become) essential to the economy, or the day-to-day functioning of society in the UK, or any part of the UK.
The legislation is not prescriptive in how this assessment is met, but it is expected that any such determination would be based on evidence, such as threat intelligence, impact assessments, and substantial policy development.
The power also requires that the Secretary of State consult with relevant persons before any statutory instrument is laid. Any proposal to introduce new services or activities to the scope of the NIS Regulations will be subject to the affirmative procedure, ensuring that parliamentary approval will be required before such changes are made.
Ensuring vital services’ security and resilience
Changes could be made in relation to the:
1. Identification, management and reduction of risks of security or operational compromises in relation to the most important network and information systems, which are connected to the provision of the UK’s most vital services and activities that contribute to the UK economy (such as manufacturing);
2. Mitigation of adverse impacts and consequences of those compromises; and
3. Such regulations enacted under these futureproofing powers could include:
- Establishing particular duties and requirements on designated critical suppliers, to ensure that such organisations are clear on their duties and expectations, and to allow them to prepare and be confident in their compliance;
- Updating and/or introducing the security and resilience requirements for regulated entities; to bring obligations up to date in the face of an evolving technological and threat landscape, and drive consistency in security and resilience risk mitigation of vital UK services and activities;
- Introducing the incident reporting thresholds used to determine whether a relevant incident is significant, defining a ‘significant incident’, and providing clarity for regulated entities as to which specific incidents must be reported under the regulations; and
- Expanding the requirements as to the information that data centre, relevant digital, and relevant managed service providers must provide to their regulator upon designation or registration.
As with introducing new services and activities into the scope of the NIS Regulations, this power requires that the Secretary of State consults with relevant persons before any statutory instrument is laid. All proposals listed above would be subject to the affirmative procedure, ensuring that parliamentary scrutiny and approval would be required before such changes were made.
However, this power could not, for example:
- allow for the introduction of criminal offences as part of the sanctions regime; or
- extend the regulations to aspects that do not concern networks and information systems.
Implementation
Futureproofing powers will be critical to enabling the implementation of the bill so this measure will be in force on Day 1 following Royal Assent.
The government intends to consult on the initial use of these powers to introduce technical detail and measures to implement these reforms. Any additional measures will be laid before Parliament, and relevant stakeholders will be given an appropriate period to adjust their practices.
To keep pace with the advent of emerging technologies and an evolving threat landscape, and therefore ensure the regulatory framework remains effective, the government is currently considering other prospective uses of these futureproofing powers.
Future post-implementation reviews and regular engagement with regulators, regulated entities and technical authorities will help inform areas for improvement, and ensure any changes are proportionate and appropriate. This includes, for example, informing whether the scope or content of security and resilience requirements require updating.
There may be other triggers to review the services designated under the NIS Regulations, such as from wider cyber security and resilience reports, national security assessments, and threat intelligence, to name a few. These will form the evidence base for future use of the powers.