NIS Regulations Keeling Schedule for the Cyber Security and Resilience Bill – how is the UK’s cyber security law changing

December 03, 2025

The UK’s Cyber Security and Resilience Bill (the Bill) has started making its way through Parliament. The Bill proposes amendments to the UK’s Network and Information Systems Regulations 2018 (NIS Regulations). The NIS Regulations implemented Directive (EU) 2016/1148, the EU’s first NIS Directive, and already impose cybersecurity obligations on some sectors.

Part 2 of the Bill amends the NIS Regulations, but without a ‘Keeling Schedule’ marking up the amendments, these can be difficult to track. We have prepared a mark-up reflecting the proposed changes. Please note that this is a working document prepared for reference while the Bill makes its way through Parliament.

The Bill must now make its way through both Houses of Parliament before it becomes law, and is likely to be subject to change during the Parliamentary process. Our mark-up reflects the Bill as laid before Parliament on 12 November 2025.

The government has not announced a target date for the Bill becoming law, but the expectation is that it could receive Royal Assent by next spring.

Download the mark-up

We include an overview below of the Bill’s changes:

Extended scope

Operators of essential services: the Bill adds two additional essential services:

  • provision of a data centre service - provision of a physical structure which contains an area for the housing, connection, and operation of relevant IT equipment and provides supporting infrastructure for or in connection with the operation of relevant IT equipment (subject to threshold requirements of 10 megawatts for provision on an enterprise basis and 1 megawatt for provision otherwise); and
  • large load control - control of electrical load to and from energy smart appliances, such as battery energy storage systems, with the potential to control 300MW or more of electrical load to and from relevant electrical smart appliances.

Operators of data centre services and large load controllers will be in-scope as operators of essential services. 

See our additional post for an overview of obligations falling on the data centre sector.

Managed service providers: the Bill adds a new category of Relevant Managed Service Providers (RMSP), covering the “provision of ongoing management of information technology systems” where the supplier connects to, or obtains access to, network and information systems relied on by the customer. The government’s April 2025 policy paper had suggested we would see an exclusion for intra-group service provision, but the Bill does not appear to include this exclusion.

Critical suppliers: alternatively, organisations can be brought into scope via designation by a competent authority as a critical supplier to an operator of essential services (OES), a relevant digital service provider (RDSP), or an RMSP.

Penalties

The Bill introduces the possibility of penalties of up to 4% of worldwide turnover (or the existing maximum of £17m, where that is higher).

Incident notification

The threshold for notification of an incident has been lowered: organisations must now report incidents that have the potential to cause significant impacts, not only those that have actually caused them. An initial notification within 24 hours has been introduced, to be followed by a fuller report within 72 hours.

A new customer notification requirement has also been introduced for data centres and RMSPs.

Cost recovery

A cost recovery mechanism is introduced to allow competent authorities to recover costs from the organisations they regulate.

Statement of strategic priorities and secondary legislation

In addition to the changes to the NIS Regulations, the Bill also allows the Secretary of State to set strategic priorities, to drive consistency between regulators. The Secretary of State may also make additional regulations relating to the security of network and information systems.

The EU position under Directive (EU) 2022/2555 (NIS2)

Many of the changes proposed by the Cyber Security and Resilience Bill were inspired by NIS2, such as lowering the incident notification threshold and introducing a 24-hour notification requirement.

However, there are various differences on scope and application. There is no critical supplier equivalent under NIS2, but NIS2 covers a much broader range of sectors. NIS2 introduces personal liability for senior management, unlike the Cyber Security and Resilience Bill. Maximum penalties under NIS2 are a little lower, at 2% of worldwide turnover in the previous financial year or EUR 10 million (exact penalties will be set at member state level).

Our take

Organisations not previously in scope – like providers of data centre services, as well as managed service providers – will need to familiarise themselves with the new obligations and prepare to comply.

Organisations already in scope should also ensure they are ready to comply with the new obligations and, in the meantime, ensure they are complying with existing obligations. The NIS Regulations came into force in 2018 and were somewhat overshadowed by the GDPR. As a result, it is not unheard of for organisations to be unaware that they already have obligations under UK cyber security legislation.

Alongside UK obligations, organisations may also have obligations under NIS2 in the EU. If they serve the financial services sector, Regulation (EU) 2022/2554 (DORA) may also mean that they have contractual obligations as ICT service providers, or may be brought under direct supervision as critical suppliers. Organisations in the aviation sector may also have obligations under Regulations (EU) 2023/203 and 2022/1645 (Part-IS).

With turnover-based penalties proposed under the Bill, and obligations to navigate under NIS2 (and potentially regimes like DORA and Part-IS), it will be crucial for organisations to ensure they comply with obligations across the EU and UK and get ready to comply with new obligations in the UK.

With thanks to Riya Patel for preparing the mark-up.