| Link(s): | Cyber Security and Resilience Bill – GOV.UK; New cyber obligations for tech suppliers and data centres as UK ramps up cyber security scrutiny |
Context
The Cyber Security and Resilience (Network and Information Systems) Bill proposes new laws to improve UK cyber defences and protect essential public services. On 12 November, the Bill was introduced to Parliament, with links added to the Parliament website confirming details of the Bill, as well as links to the Bill impact assessment, factsheets explaining the measures in the Bill, and supporting research.
On 18 November 2025, a link was added to the Regulatory Policy Committee’s publication, which rates the impact assessment on the Cyber Security and Resilience Bill as fit for purpose (green-rated).
Key points to note and next actions
The Cyber Security and Resilience Bill will reform and add to the existing Network and Information Systems (NIS) Regulations 2018, to increase UK defences against cyber-attacks. The Bill will deliver a change in the UK’s national security, making essential and digital services more secure in the face of cyber criminals and states that want to disrupt our way of life. The reforms are intended to underpin greater economic stability, helping grow the economy for working people by reducing business costs and disruption and by supporting investment.
Companies that fail to provide adequate cyber security for key UK infrastructure may face large fines under the new powers announced, as regulators will be given the power to hit companies with stronger, turnover-based penalties for serious cyber security breaches. Harmful incidents will now be required to be reported within 24 hours.
The new rules mean companies providing IT and cybersecurity services to private and public sector bodies, the NHS being one example, will now face additional cyber regulation as the UK looks to step up protection against the increasing threat of cyber-attacks. They will be regulated by the Information Commissioner’s Office (ICO) as ‘registered managed service providers’ (RMSPs).
