The government has asked organisations across the economy to sign up to a new Cyber Resilience Pledge, as part of a raft of new cyber security measures.
The pledge asks organisations to commit to three steps: making cyber security a board-level responsibility; registering with the National Cyber Security Centre's free Early Warning Service; and requiring Cyber Essentials certification across their supply chains. The pledge is due to launch later in the year and can be read here: www.gov.uk/government/publications/cyber-resilience-pledge
The pledge forms part of a package of measures to strengthen the UK's cyber defences, including a new voluntary pledge for organisations, £90 million in cyber resilience investment, and confirmation that the Cyber Security and Resilience Bill will continue through Parliament following the King's Speech.
Ministers warned that, according to research by the AI Security Institute into frontier models, a new generation of AI models is lowering the barrier for cyber criminals, enabling them to identify vulnerabilities and launch attacks at a speed and scale previously impossible.
Recent data cited by the government shows 43% of UK businesses experienced a cyber breach or attack in the past year. The National Cyber Security Centre reported 204 nationally significant incidents in the twelve months to early 2026, more than double the 89 incidents recorded the previous year.
The Cyber Security and Resilience (Network and Information Systems) Bill, introduced to the House of Commons in November 2025, was confirmed in today's King's Speech as a continuing legislative priority. The Bill represents the most significant update to UK cyber law in years and builds on the Network and Information Systems (NIS) Regulations 2018.
The key provisions of the bill include:
Expanded scope: The Bill brings medium and large managed service providers (MSPs), data centres above certain size thresholds, large-scale electricity load controllers, and "critical suppliers" into the NIS regulatory regime for the first time. This matters for public bodies because many councils and NHS organisations rely on third-party IT outsourcing, cloud hosting and managed security providers that will fall within the new scope.
Tighter incident reporting requirements: Organisations within scope will be required to notify regulators and the NCSC within 24 hours of becoming aware of a significant cyber incident, with a full report due within 72 hours. This goes further than the current NIS Regulations, which only require notification of incidents that have already had an adverse effect. The new duty also extends to incidents originating within the supply chain.
Supply chain obligations: The government intends to use powers in the Bill to enact secondary legislation requiring regulated entities to implement contractual requirements, security checks or continuity plans to address risks from their supply chains. Public bodies procuring IT services will need to ensure contracts with MSPs and hosting providers reflect these upcoming expectations.
Governance accountability: Mirroring the approach of the EU's NIS2 Directive, the Bill places cyber resilience squarely as a leadership responsibility, not merely an IT function. Senior leaders will be expected to demonstrate ongoing accountability for risk oversight and resource allocation.
Regulatory enforcement: Regulators will gain enhanced powers, including the ability to issue compliance notices, conduct audits and impose proportionate financial penalties.
The Local Government Association's policy briefing on the Bill noted that while councils are largely excluded from the legislation as direct subjects, the practical effects will ripple through supplier relationships. Councils and other public bodies using third-party data centres for hosting or storage should ensure those providers can demonstrate compliance with the incoming obligations. Procurement and contract management processes should be updated to incorporate compliance checks.
The Bill also proposes a new statutory information-sharing gateway, which would explicitly allow NIS regulators to exchange data with UK public authorities. The Cyber Assessment Framework (CAF) - already used by many central government departments under the GovAssure programme - is expected to become a legal requirement rather than a recommended standard.
One area of uncertainty remains the treatment of public sector shared services and local authority bodies that provide IT services commercially. The government has indicated it intends to consult on whether to exclude public bodies under direct public authority oversight from MSP-related provisions.
The Bill passed its Public Bill Committee stage in early 2026 and is anticipated to progress through its remaining parliamentary stages during this session, with enactment expected in 2026. The government intends to consult on secondary legislation implementation proposals during the year, with an appropriate adjustment period for those brought into scope.