Statement of strategic priorities
Published 12 November 2025
© Crown copyright 2025
This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.
Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.
This publication is available at https://www.gov.uk/government/publications/cyber-security-and-resilience-network-and-information-systems-bill-factsheets/statement-of-strategic-priorities
What are we going to do?
The Secretary of State will be given powers to drive better consistency in how regulators implement the Network and Information Systems (NIS) Regulations through setting the priority outcomes regulators will have a duty to seek to achieve. These outcomes will be set out in a designated public statement of strategic priorities.
Why are we going to do it?
The NIS Regulations apply across multiple sectors and are enforced by 12 regulators. This system helps ensure regulators can apply their expertise in a given area – for example the technology used – when helping organisations manage cyber risks. However, we recognise the implementation and success of the NIS Regulations have been inconsistent. This has led to some NIS sectors being relatively more vulnerable to hostile activity and disruption.
How are we going to do it?
To ensure the NIS Regulations work consistently and successfully, the Cyber Security and Resilience (Network and Information Systems) Bill will allow the Secretary of State to designate a ‘statement of strategic priorities’. Statements of strategic priorities are common across different regulatory areas, including telecoms and online safety.
The statement will include the government’s strategic priorities for the security and resilience of network and information systems related to the provision of specified services in the UK. It will also set out the roles and responsibilities of different actors involved in working towards those priorities, and objectives specifically for regulators in relation to the priorities. Regulators will have duties to have regard to the statement, as well as to seek to achieve those objectives when exercising their NIS functions.
Any draft statement will be subject to robust consultation with regulators. The objectives within a statement could relate to the way in which regulators’ guidance reflects National Cyber Security Centre (NCSC) advice, or could seek to ensure that different sectors have contingency plans in place to increase security at times of heightened threat. Overall, the objectives and priorities set are expected to support delivery of the UK’s national cyber strategy.
Before designating a statement of strategic priorities, the Secretary of State will be required to consult with all the NIS regulators on a draft version. Once the Secretary of State has considered any responses and made any appropriate changes to the draft, they will then lay a copy of the statement in Parliament, where it will be subject to the negative procedure.
Once the statement is in effect, the Secretary of State will be required to publish an annual report on the actions that regulators have taken in the previous 12 months with regard to the content of the statement, and the actions that they intend to take in the following 12 months.
Implementation
The government will work with the NCSC, regulators and other interested parties in the development of a draft statement of strategic priorities. Once a draft has been developed, regulators will all be given the opportunity to share their views on it through a formal consultation period.
The final draft statement will be laid in Parliament for approval under the negative procedure.