NIS2 in the United Kingdom

United Kingdom

The UK is no longer required to transpose EU Directives into national law, as it left the European Union in 2020. However, the 2016 EU Network and Information Security Directive (NIS1) was transposed into UK law prior to Brexit and remains in effect, while there are NIS2 harmonizations planned with the UK’s Cyber Security and Resilience Bill (CS&R) in 2026.

  1. EU NIS in UK
  2. CS&R (NIS2)
  3. Scope in UK
  4. Further Information

The UK government announced plans in 2024 to introduce the Cyber Security and Resilience Bill, which aims to improve the UK’s cross-sector NIS1 cybersecurity framework in line with EU NIS2. In November 2025, the UK government introduced the CS&R Bill in the House of Commons. The Bill will expand the UK NIS Regulations to bring additional services and supply-chain entities into scope, add incident reporting obligations and regulatory powers, and align the framework with many of the principles of the EU NIS2 Directive.

Adjustments introduced by the 2026 CS&R Bill are annotated with the prefix "CS&R".

EU NIS in the United Kingdom

Current legislation

The UK implemented the NIS Directive (2016/1148) through the NIS Regulations 2018, which came into force on May 10, 2018 as part of the UK’s £2.8b National Cyber Strategy.

An EU NIS2 follow-on for the UK is being taken forward through the CS&R (NIS2) Bill, introduced in the House of Commons on 12 November 2025. The UK government is keen to maintain alignment with developments in EU legislation, in particular EU NIS2, noting that previous EU regulations have been superseded (...) and require urgent updating in the UK to ensure that our infrastructure and economy are not comparably more vulnerable.

The Information Commissioner's Office (ICO) is the UK regulator (competent authority) for data protection and oversees relevant digital service providers (RDSPs) under NIS1. For Operators of Essential Services (OES), the UK assigned sector-specific competent authorities.

Relevant digital service providers are regulated under the NIS Regulations’ RDSP framework, overseen by the Information Commission, with incident reporting updated by the CS&R Bill (including 24-hour initial and 72-hour full notifications, a CSIRT copy, and subsequent customer notifications where affected).

Forthcoming adjustments under CS&R (2026)

  • Expand the scope of the NIS Regulations to additional categories of entities and designated critical suppliers.
  • Introduce a new designation regime for critical suppliers so that important suppliers to essential and digital services can be directly regulated.
  • Update incident reporting obligations, including a two-stage reporting structure (initial notification and full report) and expanded criteria that capture serious cyber incidents even before they cause service disruption.
  • Strengthen regulator powers and tools (e.g. clearer information-sharing, cost recovery, enforcement tools and a Statement of Strategic Priorities issued by the Secretary of State).
  • Improve supply chain security by setting stronger duties on OESs and RDSPs.
  • Allow sectors, thresholds and security requirements to be updated via secondary legislation, subject to consultation.


Authorities

The UK has defined the competent authorities and Computer Security Incident Response Teams (CSIRTs) under EU NIS1 as follows:

  • Government Communications Headquarters (GCHQ) serves as the Single Point of Contact (SPOC) for cybersecurity issues in the UK.
  • National Cyber Security Centre (NCSC), which is part of GCHQ, acts as the UK’s primary Computer Security Incident Response Team (CSIRT), responsible for coordinating and responding to significant cybersecurity incidents.
  • NCSC is the UK’s technical authority on cyber threats, providing a unified national response to cybersecurity challenges and supporting public and private sector organizations.
  • While GCHQ (via NCSC) is the SPOC and plays a central role, regulatory oversight is not centralized in the UK. In some cases, additional regulators have been given oversight responsibilities.

Detailed competent authorities are listed in the Annex (Authorities).


Scope of UK NIS

Entities

NIS Regulations apply to Operators of Essential Services (OES) and Relevant Digital Service Providers (RDSPs), as defined under Part 3 (Art. 8-11) and Part 4 (Art. 12-14) of the NIS Regulations. OES are organizations that provide services critical to the economy and society, while RDSPs offer specific digital services.

  • Operators of Essential Services (OES): Providers in specific sectors.
  • Relevant Digital Service Providers (RDSP): Several online providers.
  • CS&R Relevant Managed Service Providers (RMSPs): Managed IT service providers become regulated.
  • CS&R Designated Critical suppliers: The UK regulators will likely gain a mechanism to designate a small number of suppliers as critical in cases where disruption could significantly impact essential, digital or managed services (designation can apply even where the supplier is not UK-established, and can cover cross-border supply chains).
  • CS&R SMEs: The micro/small enterprise exclusion remains for RDSP/RMSP status, but size does not prevent designation as a critical supplier where the criteria are met.

Operators of Essential Services (OES)

An OES provides an essential service where:

  • The service depends on network and information systems.
  • An incident would have significant disruptive effects on that service.
  • Head office located in the United Kingdom.
  • A nominated representative based in the UK.
  • Employs ≥ 50 FTE staff or has an annual turnover/balance sheet total >€10m.
  • CS&R OES identification may apply whether or not a person is established in the UK (with a carve-out for public electronic communications networks/services).
  • CS&R Head office is replaced with principal office.
  • CS&R Changes to the nominated representative (name, address or contact details) must be notified within 7 days.
  • CS&R No new general OES size threshold; coverage continues to hinge on sector/subsector thresholds in Schedule 2 (with updates/additions for certain services, incl. data centres).

Relevant Digital Service Providers (RDSP)

An RDSP provides one or more of the following services:

  • Online marketplace.
  • Online search engine.
  • Cloud computing service.

An RDSP falls within scope where:

  • Head office is outside the UK but offers relevant digital services within the UK.
  • It is not a micro or small enterprise:
    <50 FTE staff and annual turnover/balance sheet total < EUR 10m.
  • CS&R The definition of cloud computing services is updated and excludes in-house-only services as well as managed services.
  • CS&R RDSP status will apply to providers offering relevant digital services in the UK whether or not they are established in the UK; separate UK-representative rules apply.
  • CS&R Micro/small enterprise exclusion is retained and additional RDSP conditions added: public-authority oversight and an income test, and the provider must not be designated as a DCS in relation to that service.


Sectors in UK NIS

NIS Regulations in the UK define sectors and essential services in Schedule 2, with sector-specific threshold requirements that differentiate between Great Britain and Northern Ireland. The thresholds for operators of essential services (OES) by sector and subsector under NIS are:

Energy (sector)

  • Electricity supply
    Great Britain: Electricity undertakings that carry out the function of supply to >250,000 final customers; or electricity undertakings that carry out the function of supply, or the functions of supply and generation, via generators that, when cumulated with the generators operated by affiliated undertakings, would have a total capacity, in terms of input to a transmission system, ≥2 gigawatts.
    Northern Ireland: The holder of a supply licence under Art. 10(1)(c) of the Electricity (Northern Ireland, hereafter 'NI') Order 1992 who supplies electricity to >8,000 consumers, and the holder of a generation licence under Art. 10(1)(a) of the same legislation with a generating capacity ≥350 megawatts. Nuclear electricity generators and generators that are not connected to a transmission system are excluded.
  • Electricity transmission
    Great Britain: Transmission system operators with a potential to disrupt delivery of electricity to >250,000 final customers; holders of offshore transmission licences where the offshore transmission systems of that licence holder and its affiliated undertakings are directly connected to generators that have a total cumulative capacity, in terms of input to a transmission system, ≥2 gigawatts; or holders of interconnector licences where the electricity interconnector to which the licence relates has a capacity, in terms of input to a transmission system, ≥1 gigawatt.
    Northern Ireland: The holder of a transmission licence under Art. 10(1)(b) of the Electricity (NI) Order 1992.
  • Electricity distribution
    Great Britain: Distribution system operators with the potential to disrupt delivery of electricity to >250,000 final customers. This does not include transmission systems for which an offshore transmission licence or interconnector licence applies.
    Northern Ireland: The holder of a distribution licence under Art. 10(1)(bb) of the Electricity (NI) Order 1992.
  • Oil upstream
    United Kingdom: For the essential service of the conveyance of oil through relevant upstream petroleum pipelines, the operator of a relevant upstream petroleum pipeline which has a throughput of >3,000,000 tonnes of oil equivalent per year excluding natural gas, if that operator does not fall within another threshold requirement in relation to this pipeline under this schedule.
  • Oil pipeline
    Great Britain: Operators of any pipeline with throughput of >500,000 tonnes of crude oil based fuel per year (not including transmission of crude oil).
    Northern Ireland: Operators of any pipeline with throughput of >50,000 tonnes of crude oil based fuel per year.
  • Oil processing
    Threshold: A relevant oil processing facility (an operator of a facility with a throughput of >3,000,000 tonnes of oil equivalent per year), or a relevant upstream petroleum pipeline which is connected to and operated from a relevant oil processing facility (an operator of a pipeline with a throughput of >3,000,000 tonnes of oil equivalent per year).
  • Oil crude
    Great Britain: Storage of 500,000 tonnes of crude oil based fuel; or production of 500,000 tonnes of crude oil based fuel per year; or supply of 500,000 tonnes of crude oil based fuel per year.
    Northern Ireland: The operator of a facility which has a storage capacity >50,000 tonnes of crude oil based fuel.
  • Oil petroleum
    Threshold: A relevant offshore installation which is part of a petroleum production project (an operator of an installation with a throughput >3,000,000 tonnes of oil equivalent per year), or a relevant upstream petroleum pipeline which is connected to and operated from such an installation (an operator of a pipeline with a throughput of >3,000,000 tonnes of oil equivalent per year).
  • Gas supply
    Great Britain: Supply undertakings that supply gas to >250,000 final customers.
    Northern Ireland: The holder of a supply licence under Art. 8(1)(c) of the Gas (NI) Order 1996 who supplies gas to >2,000 customers.
  • Gas transmission
    Great Britain: Transmission system operators with a potential to disrupt delivery to >250,000 final customers (does not include transmission systems for which an interconnector licence applies); or holders of interconnector licences where the gas interconnector to which the licence relates has the technological capacity to input >20m cubic metres of gas per day to a transmission system.
    Northern Ireland: The holder of a gas conveyance licence under Art. 8(1)(a) of the Gas (NI) Order 1996.
  • Gas distribution
    Great Britain: Distribution system operators with a potential to disrupt delivery to >250,000 final customers.
    Northern Ireland: The holder of a licence under Art. 8(1)(a) of the Gas (NI) Order 1996.
  • Gas storage
    Great Britain: Storage system operators where the storage facility has the technological capacity to input >20m cubic metres of gas per day to a transmission system.
    Northern Ireland: The holder of a licence under Art. 8(1)(b) of the Gas (NI) Order 1996.
  • Gas LNG
    Great Britain: LNG system operators where the LNG facility has the technological capacity to input >20m cubic metres of gas per day to a transmission system.
    Northern Ireland: The holder of a licence under Art. 8(1)(d) of the Gas (NI) Order 1996.
  • Gas processing
    Threshold: An operator of a relevant gas processing facility (an operator of a facility with a throughput >3,000,000 tonnes of oil equivalent per year), or a relevant upstream pipeline and associated infrastructure that is connected to and operated from such a relevant gas processing facility and critical to the continued operation of that facility (an operator of a pipeline with a throughput of >3,000,000 tonnes of oil equivalent per year).
  • Gas petroleum
    Threshold: A relevant offshore installation which is part of a petroleum production project (other than a project which is primarily used for the storage of gas), or a relevant upstream petroleum pipeline which is connected to and operated from such an installation; in each case an operator of an installation or pipeline with a throughput of >3,000,000 tonnes of oil equivalent per year.

Transport (sector)

  • Air transport: aerodrome
    United Kingdom: For the essential service of the provision of services by the owner or manager of an aerodrome, an owner or manager of an aerodrome with annual terminal passenger numbers >10 million.
  • Air transport: air traffic
    United Kingdom: An entity which is granted a licence by the Secretary of State or the Civil Aviation Authority to provide en-route air traffic services in the UK, or an air-traffic service provider at any airport which has annual terminal passenger numbers >10 million.
  • Air transport: carrier
    United Kingdom: An air carrier which has >30% of the annual terminal passengers at any UK airport which has annual terminal passenger numbers >10 million, and >10 million total annual terminal passengers across all UK airports.
  • Rail transport: rail service
    Great Britain: Any operator of a mainline railway asset (excluding railway assets solely for the provision of international rail services; railway assets for metro, tram and other light rail, including underground, systems; heritage, museum or tourist railways, whether or not they are operating solely on their own network; and networks which are privately owned and exist solely for use by the infrastructure owner for its own freight operations or other passenger or freight services for third parties), and operators of passenger or freight services on those networks (including high speed rail services).
    Northern Ireland: Any railway undertaking in NI.
  • Rail transport: high-speed
    United Kingdom: For the essential service of high speed rail services, an operator of a railway asset for high speed rail services.
  • Rail transport: metro
    United Kingdom: For the essential service of metros, trams and other light rail services (including underground services), an operator with >50 million annual passenger journeys.
  • Rail transport: international
    United Kingdom: For the essential service of international rail services, an operator of a Channel Tunnel train or the infrastructure manager of the Channel Fixed Link.
  • Water transport: shipping
    United Kingdom: A shipping company which handles >5 million tonnes of total annual freight at UK ports and >30% of the freight at any individual UK port which fulfils at least one of the following criteria: it handles >15% of the total roll-on roll-off traffic in the UK; it handles >15% of the total lift-on lift-off traffic in the UK; it handles >10% of the total liquid bulk traffic in the UK; or it handles >20% of the total biomass fuel traffic in the UK. Or a shipping company with >30% of the annual passenger numbers at any individual UK port which has annual passenger numbers >10 million.
  • Water transport: harbour
    United Kingdom: A harbour authority for a port which has annual passenger numbers >10 million; or a harbour authority for a port which fulfils at least one of the following criteria: it handles >15% of the total roll-on roll-off traffic in the UK; it handles >15% of the total lift-on lift-off traffic in the UK; it handles >10% of the total liquid bulk traffic in the UK; or it handles >20% of the total biomass fuel traffic in the UK.
  • Water transport: port facility
    United Kingdom: An operator of a port facility which handles passengers at a port which has annual passenger numbers >10 million; or an operator of a port facility at a port which fulfils at least one of the following criteria (it handles >15% of the total roll-on roll-off traffic in the UK; it handles >15% of the total lift-on lift-off traffic in the UK; it handles >15% of the total liquid bulk traffic in the UK; or it handles >20% of the total biomass fuel traffic in the UK), where that port facility operator handles the same type of freight for which the port fulfils one of those criteria.
  • Water transport: vessels
    United Kingdom: An operator of vessel traffic services at a port which has annual passenger numbers >10 million; or an operator of vessel traffic services at a port which fulfils at least one of the following criteria: it handles >15% of the total roll-on roll-off traffic in the UK; it handles >15% of the total lift-on lift-off traffic in the UK; it handles >10% of the total liquid bulk traffic in the UK; or it handles >20% of the total biomass fuel traffic in the UK.
  • Road transport
    United Kingdom: For the essential service of road transport services, a road authority (EU definition: Delegated Regulation (EU) 2015/962) responsible for roads in the UK that have vehicles travelling >50 billion miles in total on them. For the essential service of road services provided by Intelligent Transport Systems (EU definition: Article 4(1) of Directive 2010/40/EU), a road authority that provides Intelligent Transport Systems services covering roads in the UK that have vehicles travelling >50 billion miles in total on them per year.

Health (sector)

  • Healthcare
    Great Britain: Regionally different thresholds for England, Wales and Scotland, generally defined under the National Health Service Act 2006 (England, Wales) and the National Health Service (Scotland) Act 1978.
    Northern Ireland: Health and Social Care Trusts within the meaning of HSC Trust in section 31 of the Health and Social Care (Reform) Act (Northern Ireland) 2009.

Water (sector)

  • Water
    United Kingdom: For the essential service of the supply of potable water, the supply of water to ≥200,000 people.

Digital Infrastructure (sector)

  • TLD
    For the essential service of a TLD Name Registry, irrespective of its place of establishment (whether within, or outside of, the UK): ≥14 billion queries from any devices located within the UK in any consecutive 168-hour period for domains registered within the Internet Corporation for Assigned Names and Numbers.
  • DNS
    For the essential service of a DNS resolver service provided by a DNS service provider, irrespective of its place of establishment (whether within, or outside of, the UK): ≥500,000 different IP addresses used by persons in the UK in any consecutive 168-hour period.
    For the essential service of a DNS authoritative hosting service provided by a DNS service provider, irrespective of its place of establishment (whether within, or outside of, the UK): 100,000 or more domains registered to persons with an address in the UK.
  • IXP
    For the essential service of an IXP provided by an IXP operator, irrespective of its place of establishment (whether within, or outside of, the United Kingdom): ≥30% market share amongst IXP operators in the UK, of interconnected autonomous systems.

CS&R Data Infrastructure (sector)

  • Data centre services/data infrastructure
    For the essential service of the provision of a data centre service in the United Kingdom: non-enterprise data centres with a rated IT load ≥1 MW; enterprise data centres (used solely for the operator’s own undertaking) with a rated IT load ≥10 MW.


Security and obligations

Cybersecurity measures as regulated by UK NIS are split into obligations for Operators of Essential Services (OES) and Relevant Digital Service Providers (RDSP).

Operators of Essential Services (OES)

  • Nominate a UK-based representative in writing with authority to act on their behalf.
  • Notify the designated competent authority of the required identification and contact information.
  • Follow the NCSC Cyber Assessment Framework (CAF) with 14 principles and 39 sector-specific outcomes.
  • CAF principles include governance, risk management, and recovery planning.
  • Proactively audited by sector-specific competent authorities (e.g., Ofgem, NHS Digital).
  • Report "significant impact" incidents (assessed by user numbers, duration, geographic spread) to sector-specific regulators within 72 hours.
  • CS&R The nomination duty is retained but extended to additional essential-service categories; changes to the nominated representative (name, address or contact details) must be notified within 7 days.
  • CS&R For OES providing data centre services, an additional information-provision requirement is introduced (incl. more detailed entity information and up-to-date contact details), alongside a 7-day deadline to notify relevant changes.
  • CS&R Incident reporting is adjusted: initial notification within 24 hours and full notification within 72 hours; a copy must be sent to the CSIRT at the same time.
  • CS&R The incident definition test is expanded to cover impacts on the operation or security of the relevant systems and whether the confidentiality, authenticity, integrity or availability of user data is compromised.
  • CS&R Separate incident-reporting rules are introduced for data centre services, including continuity impacts, with the same 24h/72h and CSIRT-copy structure.
  • CS&R Competent authorities/the CSIRT can (subject to conditions) provide incident information to the public or direct the regulated entity to do so where needed/public interest.

Relevant Digital Service Providers (RDSP)

  • Notify the designated competent authority with relevant information (name, address, contact).
  • Implement appropriate and proportionate technical and organizational measures to manage risks to the systems relied on for providing the relevant digital service.
  • Adopt ISO/IEC 27001 (information security) and ISO/IEC 22301 (business continuity).
  • Monitored by the Information Commission, with investigations typically triggered by incidents rather than routine audits.
  • Report substantial impact incidents (disruptions) to the Information Commission within 72 hours.
  • CS&R RDSPs register with (and notify changes to) the Information Commission; required information is expanded, with a 3-month registration window and a 7-day deadline for change notifications.
  • CS&R Risk-management duties are specified as having regard to relevant guidance.
  • CS&R Incident reporting is rewritten: initial notification within 24 hours and a full notification within 72 hours; a copy must be sent to the CSIRT at the same time.
  • CS&R RDSP security duty is refocused on managing risks to the security of the network and information systems relied on for providing the relevant digital service, and RDSPs must have regard to relevant Information Commission guidance.
  • CS&R The significant impact assessment is set out via an explicit list of factors (these include disruption extent, affected users, duration, geography, confidentiality, integrity and availability of user data, downstream impacts on users’ systems, and wider economic and societal impacts).
  • CS&R Managed service providers (RMSPs) are brought into the NIS framework with security risk-management duties and the same 24h/72h incident-reporting structure.
  • CS&R Competent authorities/the CSIRT can (subject to conditions) provide incident information to the public or direct the regulated entity to do so where needed/public interest.

Sanctions

UK NIS Regulations introduced a structured system of fines for non-compliance:

  • Up to £1m for any contravention that could not result in a NIS incident.
  • Up to £3.4m for a material contravention that has caused or could cause an incident leading to a significant reduction in service.
  • Up to £8.5m for a material contravention that has caused or could cause an incident resulting in a major disruption of service.
  • Up to £17m for a material contravention that has caused or could cause an immediate threat to life or a significant negative impact on the UK economy.
  • CS&R Turnover-linked maxima: the standard maximum amount becomes the greater of £10m and 2% of worldwide turnover (otherwise £10m); the higher maximum amount becomes the greater of £17m and 4% of worldwide turnover (otherwise £17m).
  • CS&R Wider reach: penalties can apply across the broadened NIS perimeter (incl. new in-scope categories such as RMSPs) and updated duties (incl. rewritten incident-reporting requirements).
  • CS&R Future requirements via secondary legislation: the Bill creates a separate framework for regulations on security/resilience requirements and backs those with sanctioning powers (including financial penalties capped, for undertakings, at up to the greater of £17m and 10% of worldwide turnover).
  • CS&R The Bill introduces a dedicated regime for directions issued on national-security grounds, with separate enforcement and financial-penalty provisions.

The UK competent authority determines the appropriate level of fines based on the severity of the incident and the level of compliance by the OES, with a maximum fine of £17m.


Cyber Security and Resilience (CS&R)

Overview CS&R

In January 2022, the UK government launched a public consultation on proposals for legislation to improve the UK's cyber resilience. When the consultation closed in November 2022, the responses informed the government's response and next steps for policy development. Within two weeks of the UK Labour Party's victory in the 2024 general election, the new government announced plans to update the NIS Regulations 2018 and improve cross-sector cybersecurity.

In 2024 the British Government announced that it intended to present the Cyber Security and Resilience Bill to Parliament in 2025. The Bill, which was officially proposed as part of the King’s Speech (at the State Opening of Parliament) in July 2024, aims to strengthen the UK’s cross-sector cybersecurity legislation to better protect the British economy and infrastructure.

The resulting Cyber Security and Resilience (Network and Information Systems) Bill ("CS&R Bill") was introduced in the House of Commons on 12 November 2025.

National differences (CS&R and NIS2)

The UK’s implementation of the Cyber Security and Resilience (CS&R) framework will likely feature the following national distinctions:

  • The UK government is considering including data centres within the scope by designating data infrastructure as a relevant sector and data as an essential service, subject to threshold criteria. This would apply to facilities with a capacity above 1 MW, except for enterprise data centres, where the threshold would be set at over 10 MW.
  • Introduction of new powers for the Secretary of State to issue a Statement of Strategic Priorities.
  • New executive powers enabling the government to direct an entity or authorise a regulator to take action in the interest of national security, subject to safeguards. This mirrors mechanisms in the Telecommunications (Security) Act 2021.


Scope

UK CS&R will additionally regulate Managed Service Providers (MSPs) and Designated Critical Suppliers under UK regulation for cybersecurity, analogous to EU NIS2.

CS&R aims to provide flexibility to refine the duties and threshold criteria through secondary legislation, subject to appropriate consultation, to ensure that the requirements can be updated in line with changes in technology, emerging threats and lessons learned from implementation.

Managed Service Providers (MSP)

As in EU NIS2, the CS&R Bill will bring Managed service providers (MSPs) into scope, defined in the policy statement from 1 April 2025 as:

  • Service provided to another organisation (i.e., not in-house)
  • Relies on the use of network and information systems (NIS) to deliver the service
  • Relates to ongoing management support, active administration and/or monitoring of IT systems, IT infrastructure, applications, and/or IT networks, including for the purpose of activities relating to cyber security
  • Involves a network connection and/or access to the customer’s network and information systems.

Designated Critical Suppliers (DCS)

Under the CS&R Bill, regulators will be able to individually designate a supplier as a Designated Critical Supplier (DCS) if the supplier's goods or services are so critical that disruption could have a significant impact on the essential or digital service it supports. DCSs are therefore expected to represent a very small number and percentage of the suppliers providing goods or services to OES and RDSPs.

The DCS framework will give UK regulators a direct lever over a limited number of suppliers whose disruption could materially affect essential or digital services, bringing them into scope through designation with due-process safeguards and the possibility of revocation. Other European countries, like Germany, are pursuing a similar objective by layering additional national-security scrutiny onto NIS2 implementation. In Germany’s case, however, the mechanism is component- rather than entity-led, relying on ordinance-based designation of critical components and enabling authorities to restrict or prohibit their deployment where public-order or security concerns arise.

Through designation, DCSs are directly brought within the scope of core security requirements and incident reporting obligations, ensuring consistent standards across the supply chain. The Bill defines a critical supplier as a person designated under new regulation 14H. A designated competent authority may designate a person (P) if:

  • P supplies goods or services directly to an OES for which the authority is the designated competent authority,
  • P relies on network and information systems (NIS) for the purposes of that supply,
  • the authority considers that an incident affecting the operation or security of any NIS relied on by P has the potential to cause disruption to (i) the provision of the relevant essential service by the person to which the supply is made, or (ii) the provision of essential services, relevant digital services or managed services by persons to which P supplies goods or services, and that any such disruption is likely to have a significant impact on the economy or the day-to-day functioning of society in the whole or any part of the United Kingdom,
  • the designation is not prevented by the restrictions on designation.

The relevant provisions of the CS&R Bill (new regulations 14H to 14L) and a summary of each:

Factors for DCS designation
  • Alternative sourcing, §14H(3) CS&R: Regulators consider whether the customer could realistically switch provider if the supplier’s NIS were impacted.
  • Significant impact assessment, §14H(4) CS&R: Regulators consider the likely nature, scale and duration of disruption when assessing whether impacts would be significant.
  • Need for direct designation, §14H(6) CS&R: Regulators consider whether duties on the OES/RDSP/RMSP, or other oversight, would be sufficient without designating the supplier.

Designation scope
  • Multiple designations, §14H(5) CS&R: The same supplier can be designated by multiple competent authorities and/or the Information Commission.
  • Non-UK establishment, §14H(7) CS&R: Designation is possible even where the supplier is not established in the United Kingdom.
  • Cross-border supply covered, §14H(8) CS&R: Supply relationships are in scope whether the goods or services are supplied within the UK or from/to outside the UK.

Designation procedure
  • Consultation and representations, §14J(1) CS&R: Consult relevant parties, notify the supplier with reasons and time for written representations, and take representations into account.
  • Who must be consulted, §14J(2)–(3) CS&R: Consult regulators with a relevant connection and any other persons the regulator considers appropriate.
  • Confirmation notice, §14J(5) CS&R: Issue a confirmation notice stating reasons and the effective date, and share it with consultees.
  • Deferral of effective date, §14J(6) CS&R: The effective date can be moved to a later date via further notice to the same recipients.

Restrictions on designation
  • No double-scoping, §14I(a)–(c) CS&R: Designation is not available where the person is already in scope as an OES (for that subsector) or as an RDSP/RMSP by virtue of providing those services.

Revocation of DCS designation
  • Revocation power, §14K(1)–(2) CS&R: The designating regulator may revoke where it considers the designation conditions are not met.
  • Supplier notification duty, §14K(3)–(6) CS&R: A DCS must notify the relevant regulator (and, in certain cases, the Information Commission) with evidence if it believes the designation conditions would not be met absent the existing designation.
  • Revocation procedure, §14K(7) CS&R: The same consultation and notification safeguards apply to revocation as to designation.

Coordination between regulators
  • Coordination duty, §14L(1)–(3) CS&R: Regulators coordinate on whether criteria are met and which regulator(s) should designate.
  • Relevant regulators definition, §14L(4) CS&R: Sets out when a regulator is relevant for coordination purposes, including where designation is current or reasonably anticipated.
  • Information requests, §14L(5) CS&R: Regulators may request information needed for coordination.
  • Proportionality, §14L(6) CS&R: Coordination duties do not apply where compliance would be disproportionate to the benefits.

Small and medium enterprises (SME)

Additionally, the CS&R Bill is expected to extend regulation to certain SME RDSPs. Under the NIS Regulations 2018, small and micro RDSPs are exempt, as described above; the forthcoming Bill may change this. UK regulators might designate smaller RDSPs as critical suppliers if they meet the DCS designation criteria, so that high-risk providers are regulated regardless of size.

Reporting

According to the UK government, significant cyber and network disruptions go unreported under the NIS Regulations. This limitation hinders the ability to identify and assess vulnerabilities in critical systems. The government views adjustments to the reporting of significant cyber incidents as an essential tool for regulators and the NCSC to better understand the evolving threat landscape.

The Cyber Incident Reporting Bill seeks to update and enhance the current incident reporting requirements for regulated entities by introducing the following key changes:

  • Expanding the incident reporting criteria.
  • Updating the timeframes for incident reporting.
  • Streamlining the reporting process.
  • Enhancing transparency requirements for digital services and data centres.

The Bill will be complemented by ongoing work on ransomware, which is under consultation. Both the Department for Digital, Culture, Media and Sport (DSIT) and the Home Office (British Department of the Interior) will continue to collaborate to ensure alignment with future frameworks, avoiding unnecessary duplication. These measures are intended to strengthen the position of regulators in addressing emerging risks, ultimately contributing to improved cyber resilience.

Major changes

Under current NIS regulations, an incident is reportable only if it disrupts the continuity of an essential or digital service. However, the UK government believes this scope is too narrow and excludes many important incidents. The Bill aims to expand the criteria to include incidents that may significantly impact the provision of essential or digital services, such as:

  • Compromising the confidentiality, availability, or integrity of a system.
  • Spyware attacks targeting Managed Service Providers (MSPs) that act as vectors to compromise other organizations.
  • Other incidents severely affecting the integrity of critical systems.

The Bill will introduce a two-stage reporting structure that requires regulated entities to:

  • Notify their regulator and inform the NCSC of a significant incident no later than 24 hours after becoming aware of it.
  • Submit a full incident report within 72 hours.

This initial notification will serve as an early warning, ensuring that the regulator is informed sooner than under current practices. This mirrors the requirements outlined in EU NIS2, ensuring consistency across jurisdictions.

To simplify the reporting process, regulated entities will be required to notify both their regulator and the NCSC at the same time. This will ensure that both parties receive the same information concurrently, fostering a more cohesive understanding of the threat landscape.

Entities providing digital services and data centres will be required to alert affected customers when a significant incident occurs. This requirement aims to promote greater transparency, openness, and accountability among service providers within the scope of the Bill.

Further Information

Sources

  1. Cyber Security and Resilience (Network and Information Systems) Bill, House of Commons, 12th November 2025, Bill 329
  2. The Guide to NIS, Information Commissioner's Office, February 2025
  3. NIS Regulations. How does it differ from the EU version? Arcanum Cyber Security, March 2025
  4. The Network and Information Systems Regulations 2018, Website of the UK government, March 2025
  5. Policy paper. Cyber security and resilience policy statement, Website of the UK government's Department for Science, Innovation & Technology, April 2025

Competent authorities

Sector-specific competent authorities under NIS1 in the UK (2018) and adjustments made under CS&R (2026), by NIS sector and subsector:

Energy
  • Electricity: Secretary of State for Energy Security and Net Zero (England, Wales and Scotland) and the Gas and Electricity Markets Authority (Ofgem), acting jointly; Department of Finance (Northern Ireland)
  • Oil: Secretary of State for Energy Security and Net Zero (England, Wales and Scotland); Department of Finance (Northern Ireland)
  • Gas: Secretary of State for Energy Security and Net Zero for the essential services (England, Wales and Scotland); otherwise, the Secretary of State for Energy Security and Net Zero and the Gas and Electricity Markets Authority, acting jointly; Department of Finance (Northern Ireland)

Transport
  • Air transport: Secretary of State for Transport and the Civil Aviation Authority, acting jointly (United Kingdom)
  • Rail transport: Secretary of State for Transport (England, Wales and Scotland); Department of Finance (Northern Ireland)
  • Water transport: Secretary of State for Transport (United Kingdom)
  • Road transport: Secretary of State for Transport (England and Wales); Scottish Ministers (Scotland); Department of Finance (Northern Ireland)

Health
  • Health care: Secretary of State for Health (England); Welsh Ministers (Wales); Scottish Ministers (Scotland); Department of Finance (Northern Ireland)

Drinking water
  • Supply and distribution: Secretary of State for Environment, Food and Rural Affairs (England); Welsh Ministers (Wales); Drinking Water Quality Regulator for Scotland (Scotland); Department of Finance (Northern Ireland)

Digital infrastructure
  • Digital infrastructure: Office of Communications (Ofcom) (United Kingdom)
  • Data infrastructure: Secretary of State for Science, Innovation and Technology and the Office of Communications (Ofcom), acting jointly (United Kingdom)