Cyber Security and Resilience (Network and Information Systems) Bill: impact assessment - RPC opinion (green-rated)
The RPC's opinion of the Department for Science, Innovation and Technology's impact assessment for the Cyber Security and Resilience (Network and Information Systems) Bill, introduced in the House of Commons on 12 November 2025.
Details
The Bill makes provision about the security and resilience of network and information systems, to enable the Government to respond to new and emerging cyber threats, and to update the UK’s only cross-sector cyber regulations - The Network and Information Systems Regulations 2018 - by bringing more entities into their scope and equipping regulators with proportionate powers to fulfil their duties better.
The reforms are intended to protect the services and other activities that are essential to the day-to-day functioning of society in the UK, and the economy, through safeguarding the systems that allow computers and other devices to communicate with each other.
The impact assessment (IA) outlines the problem under consideration, explaining how cyber attacks are becoming more frequent and sophisticated, while the current legislation (NIS Regulations 2018) is considered to be outdated. The IA includes evidence of the problem, referencing the number (and case studies) of significant cyber incidents, and the associated losses faced by businesses, and critical suppliers to essential services, like the NHS.
The IA presents an equivalent annual net direct cost to business (EANDCB) figure of £137.7 million. This consists of the costs for businesses to comply with the measures, including one-off familiarisation costs, additional physical security costs, contract change costs and cyber security costs. These costs will be incurred by newly-regulated entities, including managed service providers, data centres, and large loads controllers. All businesses in scope of the legislation (including those that are currently regulated under the NIS Regulations 2018) will also incur incident reporting costs. The IA states that, despite the negative EANDCB figure, the preferred option (primary legislation) is expected to have a positive impact on business due to the significant non-monetised benefit from the prevention of cyber attacks. The IA explains that the improvement in security would benefit the UK’s economic prosperity and output.
The Regulatory Policy Committee has rated the IA as fit for purpose; green-rated.