The Information Commissioner has welcomed the Government’s Cyber Security and Resilience (Network and Information Systems) Bill, describing it as a “meaningful and necessary update” to the UK’s cyber regulatory framework, but warned that significant detail would still be required before organisations could comply with confidence.
In a statement published on 23 December, Information Commissioner John Edwards said the Bill - introduced to Parliament on 12 November - marked “an important milestone” in strengthening the UK’s cyber defences and improving the resilience of essential services, infrastructure and digital platforms.
The Information Commissioner’s Office (ICO) is the designated competent authority for relevant digital service providers (RDSPs) under the existing Network and Information Systems (NIS) Regulations 2018, covering cloud computing services, online marketplaces and search engines. Under the new Bill, its remit would expand to include relevant managed service providers (RMSPs) and designated critical suppliers, reflecting the growing reliance of public and private organisations on outsourced digital infrastructure.
The Commissioner said the reforms would support a shift from the ICO’s reactive approach to a proactive, risk-based model, enabling regulators to assess high-risk providers more systematically.
He highlighted several provisions in the Bill that would underpin this shift, including:
• Expanded information-gathering powers, allowing the ICO to serve information notices on regulated entities and others likely to hold relevant information.
• New information-sharing gateways between NIS regulators and public authorities.
• Powers to enforce registration requirements for in-scope organisations.
• A strengthened cost-recovery framework, enabling regulators to recover both operational and enforcement-related costs.
Edwards said the new funding model would be “critical” to delivering the ambitions of the legislation, noting that the ICO would need to build new systems, infrastructure and regulatory capacity to oversee RMSPs and critical suppliers.
Complex supply chains pose ongoing regulatory challenges
While supportive of the Bill’s direction, the ICO warned that regulating increasingly interdependent digital supply chains would remain challenging even with enhanced powers.
The Commissioner pointed to the rise in significant cyber incidents caused by supply chain vulnerabilities, noting that “an attack on one supply chain can cause widespread disruption” to essential services.
He stressed that no single regulator could address these systemic risks alone, calling for continued collaboration between government and competent authorities, and urging ministers to support improved information-sharing mechanisms across the regulatory landscape.
The ICO said several key elements of the new framework remained unclear and would depend heavily on forthcoming secondary legislation. Areas requiring further detail included:
• Thresholds for determining “significant impact” in incident reporting.
• Security and resilience requirements for regulated entities.
• Criteria for identifying “critical suppliers” and their duties.
• Application of new enforcement and penalty measures, including turnover calculations.
• Further enhancements to information-gathering powers to support proactive oversight.
Edwards emphasised that industry would need to “clearly and easily understand” any changes to scope and definitions under the revised NIS regime, particularly given the Bill’s requirement for organisations to notify incidents likely to have significant UK impact within 24 hours.
He also warned that until secondary legislation was finalised, the ICO would have “a limited ability to provide clear guidance” to help organisations prepare.
Significant implementation work lies ahead
The ICO said it would need sufficient time to validate the size and risk profiles of both existing RDSPs and newly in-scope RMSPs, and to establish the infrastructure required for proactive regulation.
The Commissioner also emphasised the need for strong coordination between NIS regulators, particularly in identifying and overseeing designated critical suppliers. He encouraged government to take an active role in risk identification.
Overall, the ICO described the Bill as a “positive and balanced package of reforms” that should help regulated entities meet appropriate levels of cyber security and resilience. However, Edwards reiterated that the effectiveness of the new regime would depend on clear, practical secondary legislation and ongoing engagement with regulators.
The ICO said it awaited further detail on commencement dates and implementation timelines, and would continue to work with government and other competent authorities to shape the new framework.