Policy paper

Power to direct regulated entities

Published 12 November 2025

What are we going to do?

The Cyber Security and Resilience (Network and Information Systems) Bill will give the Secretary of State the power to direct entities regulated under the Network and Information Systems (NIS) regime to take necessary and proportionate action in response to imminent or live threats which put UK national security at risk.

Why are we going to do it?

Cyber attacks targeting NIS sectors (drinking water, transport, energy, health, digital infrastructure, some digital services, and, in line with other measures in the bill, also medium and large managed service providers and data centres) have the potential to seriously threaten the UK’s national security.

For example, in February 2024, the United States stated that China state-sponsored cyber actors had compromised US critical infrastructure by pre-positioning themselves within IT networks for water, energy and transport infrastructure, potentially laying the groundwork for future disruptive cyber attacks. Currently, if a similar incident happened in the UK, the government would not have legal powers to issue directions to affected entities requiring them to take necessary action to mitigate the threat.

The growing threat posed by high-capability actors and hostile states – who may mount targeted, highly sophisticated attacks or high-volume, less sophisticated attacks – means that this is a gap that could be exploited with increasing regularity and impact. The bill will give the government new powers to direct a regulated entity to take specific and proportionate action in response to a threat that presents a risk to national security.

How are we going to do it?

Issuing a direction

The Secretary of State will be granted a power to issue directions to regulated entities within this regulatory regime – which could include operators of essential services (OES), relevant managed service providers, relevant digital service providers and designated critical suppliers. A direction could only be issued if the Secretary of State considers that:

a. A security or operational compromise in relation to a relevant network and information system, or the threat of such a compromise, gives rise to a risk to national security, and
b. The direction is necessary and proportionate in the interests of national security.

When coming to a judgement about proportionality and necessity, the Secretary of State would typically be expected to consider if there are alternative ways of achieving the same outcome, and the potential impacts of a direction, such as economic impacts.

A direction would include specified actions for the regulated entity to take or refrain from taking, and a time period within which they must comply. For example, a direction might require a regulated entity to perform a technical investigation for activity that would indicate the presence of a hostile actor.

Before giving a direction, the Secretary of State must consult the regulated entity to which the direction applies, as well as any other relevant parties, unless the Secretary of State considers that doing so would be contrary to the interests of national security. This could involve engaging the relevant sector regulator. Once the Secretary of State has given a direction, a copy must be laid in Parliament, unless the Secretary of State considers that doing so would, or would be likely to, prejudice to an unreasonable degree the commercial interests of any person, or would be contrary to the interests of national security.

Monitoring compliance

Where a direction has been made to a regulated entity, the Secretary of State will be responsible for assessing and enforcing compliance with the requirements specified in the direction. To aid this process, the bill gives the Secretary of State the power to issue a ‘monitoring direction’ or a ‘monitoring request’ to a NIS regulator, which can require or request the NIS regulator to gather and provide information relevant to the Secretary of State’s assessment of a regulated entity’s compliance with a direction. The information provided can also be in relation to a regulated entity’s plan of how they intend to comply with requirements specified in a direction. A NIS regulator may be directed or requested to monitor all, or only some, of the requirements set in a direction. For the purposes of gathering such information, the bill enables NIS regulators to require information from regulated entities and, in some circumstances, to carry out inspections of regulated entities’ premises, relevant documents or other relevant information.

The bill also gives the Secretary of State a power to require information from regulated entities.

Enforcement

The bill gives the Secretary of State powers to enforce compliance with directions. The Secretary of State may issue a notification of contravention to a regulated entity if the Secretary of State determines there are reasonable grounds for believing that the provider is contravening, or has contravened, a requirement imposed by a direction.

Following a notification of contravention, and after considering any representations from the regulated entity, the Secretary of State may issue a confirmation decision to a provider. The confirmation decision may: a) require the provider to take immediate steps to comply with the requirements specified in the contravention notification and remedy the consequences of the contravention; and b) require the provider to pay a penalty. Contraventions could relate to, among other things, a direction, a non-disclosure requirement, an information requirement or an inspection notice requirement.

If an undertaking has been found to be non-compliant with a direction, the Secretary of State may impose a penalty up to a maximum of 10% of its turnover or £17 million, whichever is higher. The bill requires the Secretary of State to make regulations to define “undertaking” and to establish how an undertaking’s turnover is to be determined. The government intends for the regulations to set a presumption that penalties should take into account only the turnover of the regulated entity that received the direction and to set out clear factors that would lead to also considering the turnover of other entities in the group.

If a direction has been issued to a regulated entity that is not an undertaking, the maximum penalty for non-compliance would be £17 million. In the case of a continuing contravention, the maximum penalty would be up to £100,000 per day for both undertakings and regulated entities that are not undertakings.

In respect of the powers to require information and impose non-disclosure conditions, the maximum penalty is £10 million or, in the case of a continuing contravention, £50,000 per day. The actual penalty amount must be appropriate and proportionate to the contravention to which it relates.

The Secretary of State will introduce secondary legislation to determine how turnover is to be calculated for the purpose of determining penalties for non-compliance with requirements imposed under this power. A provider may seek judicial review of decisions made by the Secretary of State when exercising functions in relation to directions, including in relation to any enforcement decisions.

Hypothetical example

A hostile actor is assessed to be present on the networks of an OES. The actor is using ‘living off the land’ techniques to evade detection – i.e., techniques that allow attackers to operate discreetly, with malicious activity blending in with legitimate system and network behaviour, making it difficult to differentiate even for organisations with more mature security postures. The identity of the state actor, and the nature of their compromise of, and presence on, the OES’s networks, create an ongoing national security risk, because this access might provide the means for the state actor to disrupt the operation of the essential service at a future date.

In such a situation, the Secretary of State might consider using the power of direction to mandate that the OES takes specified action to confirm the presence of the state actor on the network, and if necessary, remediate. This direction would be subject to an assessment of whether the proposed directed action is necessary and proportionate.

Implementation

This measure will be brought into force through secondary legislation following Royal Assent.

Further detail on the calculation of turnover will be introduced through secondary legislation, before this measure is brought into force.