Policy paper

Power to direct regulators

Published 12 November 2025

What are we going to do?

The Cyber Security and Resilience (Network and Information Systems) Bill will give the Secretary of State the power to direct Network and Information Systems (NIS) Regulations regulators to take action in response to threats which put UK national security at risk.

Why are we going to do it?

The current system requires regulated entities to undertake ‘appropriate and proportionate’ measures to secure themselves against cyber threats, and regulators issue guidance to their sectors to help them interpret this duty. Geopolitical or technological developments could lead to rapid, unexpected increases in the cyber threat – either for a specific organisation, across a sector, or economy-wide. The Bill will address the risk of sudden sectoral or economy-wide cyber developments by providing the power for the Secretary of State to direct regulators to advise their sectors to adopt more stringent cyber security measures, where this is necessary for national security.

How are we going to do it?

The Bill will allow the government to issue directions to NIS regulators to take action to address national security threats in their sectors. This could include requiring regulators to update the statutory guidance that they give to their sectors, to drive them to increase their resilience when faced with emerging threats.

A direction will only be issued if the Secretary of State judges that:

a) The direction is necessary for national security. The Secretary of State would need to consider whether there are alternative ways of achieving the same outcome.
b) The direction is proportionate to the national security risk. The Secretary of State would consider the potential impacts of a direction, such as economic impacts.

A direction would include specified actions for the regulator to take or refrain from taking, and a time period within which they must comply. For example, a direction might require a regulator to gather information from their sector on behalf of the Secretary of State, or to communicate an advisory to their regulated entities.

Before giving a direction, the Secretary of State would be expected to engage the regulator to which the direction applies, as well as any other relevant parties, including the Secretaries of State for the lead government departments. Directions could be issued to a regulator named as a designated competent authority in the NIS Regulations or to the Information Commission. However, directions could not be issued to regulators that sit within other government departments or within the devolved governments.

The following regulators could receive a direction under this power:

  • the Civil Aviation Authority (CAA)
  • Ofcom
  • Ofgem
  • the Drinking Water Quality Regulator for Scotland (DWQR)
  • the Information Commission (ICO)

Once the Secretary of State has given a direction, a copy must be laid in Parliament, unless the Secretary of State considers that doing so would be contrary to the interests of national security. The Secretary of State may also exclude from what is laid before Parliament any information (i) which might harm the commercial interests of any person to an unreasonable degree; and (ii) which would be contrary to the interests of national security.

Hypothetical example

In the event that one of the UK’s international partners was invaded by a hostile state, the National Cyber Security Centre (NCSC) could assess that there has been a heightened cyber threat for the UK. This could manifest through greater risks of espionage and disruption to the UK’s critical national infrastructure. Using this power, the Secretary of State could consider directing regulators to update their guidance to advise regulated entities to take the action needed to respond to the heightened threat environment.

Implementation

This measure will be brought into force through secondary legislation following Royal Assent.