Information Commissioner publishes response to Cyber Security and Resilience (Network and Information Systems) Bill
The Information Commissioner’s Office (ICO) has published a formal response to the Cyber Security and Resilience (Network and Information Systems) Bill, which was introduced to Parliament on 12 November 2025, signalling broad support for the proposed reforms while highlighting areas that will require further clarity.
Key Takeaways
Strengthening the UK’s cyber defences
The Information Commissioner views the Bill as an important step in strengthening the UK’s cyber security framework. It reflects the growing complexity of digital ecosystems and the increasing reliance on interconnected service providers. In particular, the Bill is seen as modernising the regulatory approach to better address contemporary cyber risks.
Expansion of the ICO’s regulatory role
A key feature of the Bill is the expansion of the Information Commissioner’s Office (ICO) remit. If enacted, the ICO would regulate not only digital service providers currently caught by the Network and Information Systems Regulations 2018, but also managed service providers, and critical suppliers within digital supply chains.
This change recognises the role these entities play in maintaining cyber resilience and the potential systemic impact of failures within supply chains.
Shift to a proactive, risk‑based approach
The Bill would mark a shift away from the ICO’s traditionally reactive role towards a more proactive, risk‑based oversight approach. This would be supported by enhanced regulatory powers, including:
- Broader information‑gathering powers, allowing the ICO to require data from regulated entities and third parties
- Improved information‑sharing mechanisms with other regulators and public authorities, subject to appropriate safeguards
- New enforcement tools, including penalties for registration failures and expanded cost‑recovery powers
Together, these measures are intended to allow earlier intervention and more effective supervision of cyber risks.
Need for Secondary Legislation and Guidance
While supportive of the Bill’s objectives, the ICO notes that many critical details remain to be set out in secondary legislation. This includes:
- Thresholds for what constitutes a “significant impact” in incident reporting
- Specific cyber security requirements
- Criteria for identifying critical suppliers
The ICO emphasises that clear and timely guidance will be essential to help organisations understand and comply with the new regime.
Get in touch
Final thoughts
The ICO’s response highlights the importance of adequate funding and resourcing for the ICO. Regulating complex, interdependent digital supply chains will require sufficient expertise and capacity to ensure the new framework operates effectively.
Overall, the ICO’s response frames the Bill as a positive and necessary development, but one that will depend heavily on careful implementation. Businesses potentially within scope should monitor developments closely, particularly the forthcoming secondary legislation and guidance, as these will determine the practical impact of the new cyber security regime.
If you have any queries regarding the contents of this legal article, please get in touch with Molly McCormick.
The content of this page is a summary of the law in force at the date of publication and is not exhaustive, nor does it contain definitive advice. Specialist legal advice should be sought in relation to any queries that may arise.
Law Firm of the Year
We are proud to have been named Law Firm of the Year at the prestigious Legal Business Awards 2024!
Legal Business is the market-leading monthly magazine for the UK and global legal market. Its readership spans the UK, Europe, Asia and the US, and the awards celebrate the very best in the legal profession.
This win is absolute recognition for all the hard work across the firm over the past year.
Contact us today
Whatever your legal needs, our wide ranging expertise is here to support you and your business, so let’s start your legal journey today and get you in touch with the right lawyer to get you started.
Get in touch
For general enquiries, please complete this form and we will direct your message to the most appropriate person.