Policy paper

Information sharing

Published 12 November 2025

What are we going to do?

The Cyber Security and Resilience (Network and Information Systems) Bill includes strengthened information sharing provisions. The intention is to improve the flow of information related to the Network and Information Systems (NIS) regime, create new information sharing gateways and provide greater clarity on what information regulators can share or receive, and with or from whom, to support delivery of NIS functions while minimising burdens on businesses.

Why are we going to do it?

Information sharing is fundamental to the successful functioning of the NIS Regulations. However, current provisions are limiting effective information exchange due to ambiguities regarding current information sharing gateways. For example, the absence of an explicit gateway for NIS regulators to share information with the Department for Science, Innovation and Technology (DSIT) limits the information we can receive for the purposes of fully monitoring and evaluating the NIS Regulations. Ambiguities are also creating uncertainty for regulated entities and adding administrative burdens and costs for regulators. Changes are required to ensure information can be shared and exchanged where appropriate, for certain purposes and subject to safeguards. This will support the delivery of regulatory functions, monitoring and evaluation of the regulatory framework, and inform government policy development where appropriate.

How are we going to do it?

The Bill includes four targeted changes to current information sharing provisions in the NIS Regulations.

Firstly, the Bill creates a new gateway to ensure NIS regulators can share information with UK public authorities, and vice versa. This means NIS regulators will be able to share information with, and receive information from, organisations outside of the NIS framework, such as other regulators and bodies such as Companies House. The reasons the NIS regulators can share and receive information are set out in the provisions, with the aim that this will support alignment across different regulatory regimes and allow NIS regulators to gain further information on entities that fall under the NIS regime. Sharing information between these organisations will only be permitted for purposes prescribed by the NIS Regulations and subject to certain safeguards, such as the information having to be relevant and proportionate to the purpose of the disclosure.

Secondly, the Bill enables information sharing between NIS regulators and UK government departments. There is currently no explicit gateway for this. The new gateway enables information exchange to support evaluation of the NIS regime and the security and resilience of essential and digital services, and for the purposes of assessing and developing policy relating to cyber security and resilience, national security and data centre services in the UK.

Thirdly, the Bill strengthens safeguards on how information can be used once it has been shared under the NIS Regulations by restricting onward disclosure. As an additional safeguard for industry, the onward disclosure of information other than for purposes set out in the NIS Regulations requires the consent of any identifiable business to which the information relates.

Lastly, the Bill enables the sharing of lists of registered relevant digital service providers (RDSPs) and relevant managed service providers (RMSPs) with the Government Communications Headquarters (GCHQ) to support the delivery of GCHQ functions. This may include, for example, allowing GCHQ to prioritise and support RDSPs and RMSPs during an incident.

Hypothetical case study

The Information Commission is adopting a risk-based approach to its regulatory oversight of RDSPs and RMSPs. Under the new information sharing provisions, the Information Commission will be able to exchange information with UK public authorities, such as HM Revenue and Customs, Companies House and the Office of National Statistics (ONS), who may have information needed to support the Information Commission’s risk assessment of RDSPs and RMSPs, subject to certain safeguards.

Implementation

These information sharing measures will come into force two months after the Bill receives Royal Assent.