The Cyber Security and Resilience Bill is proposed legislation that represents the most significant update to UK cyber law in years. If enacted, it will strengthen national resilience, expand the scope of the Network and Information Systems (NIS) Regulations, and introduce new duties for councils and their suppliers. This briefing explains what the proposals mean for local government and the actions councils should start considering now.
Key messages
- The Bill is primarily directed at enhancing national supply chain resilience and applies mainly to essential service operators, digital providers, data centres, managed service providers (MSPs), and critical suppliers. The direct effects on councils are limited, as they are largely excluded from the legislation, though the proposed measures may introduce new supplier-related risks and requirements.
- The Bill emphasises that cyber security is an organisation wide responsibility, not just a matter for IT teams.
- Councils may benefit from strengthened supply chain resilience measures and more stringent incident reporting requirements. The proposals signal new expectations around cyber assurance in procurement and commissioning.
- The Bill expands what counts as a reportable incident, meaning organisations, including council suppliers, may face stronger assurance expectations and potentially a higher volume of required reporting.
- The Bill includes future-proofing powers that allow the scope to be widened over time, which could bring local councils and council-relevant suppliers into scope in future phases of implementation.
Background
Cyber security under the new Bill is positioned as an organisation-wide responsibility, not just an IT issue. It places strong emphasis on supply chain resilience, recognising that many risks stem from third-party providers. The existing Network and Information Systems (NIS) Regulations 2018 established security and incident reporting duties for essential service operators and digital service providers. This Bill builds on that foundation by widening the scope to include more sectors and suppliers, tightening reporting requirements, and granting regulators greater enforcement powers.
Summary of legislative proposals
Incident reporting
The Bill proposes a new two-stage incident reporting structure to strengthen national response planning. If enacted, operators of essential services and relevant managed and digital service providers would be required to:
- notify their regulator and the National Cyber Security Centre (NCSC) within 24 hours of becoming aware of a significant cyber incident
- submit a comprehensive report within 72 hours, detailing the nature of the incident, its impact, and the mitigation steps taken
- inform affected customers promptly, enabling councils to take appropriate protective measures.
A “significant incident” will be defined by factors such as:
- the scale and duration of disruption
- the number of users affected
- the impact on the confidentiality, integrity, or availability of data.
The Bill also introduces new duties requiring data centres, and digital and managed service providers, to notify customers of any cyber breaches that are likely to have affected them. Strengthening these notification requirements is intended to improve transparency across the supply chain and will support councils in taking timely, proportionate action to mitigate potential harm when supplier systems are compromised.
Councils should be aware that they may need to review their incident response plans and will likely benefit from more stringent reporting standards being placed on suppliers.
Beyond the 24/72-hour structure, the Bill also widens what counts as a reportable incident, including:
- incidents affecting confidentiality, integrity, availability or authenticity (CIAA)
- incidents “capable of having a significant impact,” even if the impact does not ultimately materialise.
Critical suppliers
Under the proposals, regulators would gain new powers to designate critical suppliers: those whose disruption could significantly impact essential or digital services. Designated suppliers would be subject to mandatory cyber security requirements, addressing a current gap where no statutory duties apply to suppliers whose failure could undermine continuity of public service delivery, including local government.
The government intends to consult on whether to exclude public sector organisations under direct public authority oversight from these provisions. For suppliers brought into scope, compliance would mean meeting statutory security standards and taking proactive steps to manage and mitigate cyber risks. Regulators would also gain enhanced enforcement powers, including the ability to issue compliance notices and impose proportionate penalties, ensuring accountability across the supply chain.
Managed service providers
The Bill proposes bringing certain managed service providers (MSPs) into scope under the NIS Regulations. MSPs include providers delivering IT outsourcing, managed security, or cloud hosting services in the UK. Small and micro businesses are excluded. In-scope MSPs must implement proportionate cyber risk measures and report significant incidents to regulators. Public sector entities such as local authority shared services, and organisations where less than half of their income comes from commercial activities, are exempt.
Digital service providers
The Bill strengthens requirements for digital service providers (DSPs), including online marketplaces, search engines, and cloud computing services. It clarifies what qualifies as a cloud service and imposes stricter duties to prevent and minimise the impact of incidents. DSPs will also be required to notify affected customers promptly following a significant incident.
Setting strategic priorities
The Bill proposes giving the Secretary of State powers to set national cyber security priorities through formal Statements of Strategic Priorities. Regulators will be required to report annually on how they are delivering against these priorities. The Secretary of State can also classify certain activities as “essential”, ensuring the regulatory framework adapts quickly to emerging threats and technologies. This means compliance expectations from regulators may shift annually based on national threat assessments. Councils should prepare for evolving regulatory focus areas, which could affect procurement and risk management priorities.
Future-proofing powers
Proposed powers will allow the Secretary of State to change the regulatory framework, including:
- adding new sectors, services, or supplier types into scope
- adjusting duties or thresholds
- updating definitions or requirements as technology and threats evolve.
These will be legal powers to amend the framework via secondary legislation.
For local government, this could mean that although councils are largely out of scope today, future changes to the regulations could alter the expectations placed on suppliers and potentially introduce new duties for councils themselves. Ongoing monitoring and engagement will be important to ensure councils can anticipate and prepare for any shifts in scope.
Data centres
The proposed Bill would amend NIS Regulations to classify data infrastructure as a regulated sector and designate data centres as essential services. UK operators of data centres with a Rated IT Load above 1 MW (including enterprise centres exceeding 10 MW) would face new regulatory duties.
Operators would be required to:
- implement mandatory cyber security measures
- report significant incidents within strict timelines
- notify affected customers promptly.
Councils that use third-party data centres for hosting or storage should ensure those providers can comply with the proposed obligations if the Bill becomes law. Procurement and contract management processes should incorporate compliance checks for data centre operators to confirm adherence to statutory security requirements.
Information sharing
The Bill proposes a new statutory gateway to clarify what information regulators can share and with whom. This gateway would explicitly allow NIS regulators to exchange information with UK public authorities, including local government.
This could mean councils will benefit from more formal and reliable flows of cyber intelligence from regulators and the NCSC, improving early warning and response. This may remove some of the current legal uncertainty around sharing sensitive information, enabling faster collaboration during incidents.
Strengthened enforcement powers
The Bill introduces strengthened enforcement powers for regulators across all in-scope organisations. Regulators would gain enhanced inspection and oversight capabilities, enabling more proactive audits, detailed assessments of security measures, and stronger requirements for organisations to demonstrate compliance. The Bill also proposes expanded enforcement and penalty powers, allowing regulators to issue compliance notices and impose penalties on organisations that fail to meet statutory requirements. In addition, the introduction of cost recovery mechanisms would allow regulators to recover the costs of supervision and enforcement activities directly from regulated organisations. This may include costs associated with inspections, monitoring, and incident response oversight.
Although councils remain largely out of scope, the strengthened enforcement regime will have supply chain impacts, with suppliers facing tighter audits, potential penalties, contract changes, cost pass-through, and faster reporting requirements that raise expectations on councils’ own incident response coordination.
Large load controllers
The proposed Bill introduces new provisions for large load controllers, recognising their critical role in managing electrical demand and supply through energy-smart technologies such as battery storage. It amends the NIS framework to classify load control as an essential service, strengthening oversight and resilience in this area.
Under the proposals, any organisation controlling an electrical load of 300 MW or more will fall within scope, ensuring these high-impact operators are subject to enhanced security and incident reporting requirements.
While this primarily affects energy operators, councils involved in smart energy projects, partnerships, or local energy schemes should review whether any arrangements could bring them into scope or require additional due diligence.
What does this mean for local government?
The Cyber Security and Resilience Bill is proposed legislation currently progressing through committee stage and not yet enacted, meaning further changes may still be adopted before it receives Royal Assent. If passed, the Bill may significantly reshape how council suppliers approach cyber risk. Councils may benefit from strengthened supply chain resilience measures and more stringent incident reporting requirements. Although the direct impact on councils is limited, the proposals signal new expectations around cyber assurance in procurement and commissioning.
LGA view and next steps
The LGA welcomes the government’s proposals to strengthen supply chain resilience, enhance incident reporting, and improve threat intelligence, as these measures address longstanding vulnerabilities in local government cyber security. It is also positive to see local authorities explicitly included in the Bill’s ambitions around improved information sharing, which could support more consistent intelligence flows and faster incident response across the sector.
However, the LGA believes that clarity and support will be essential to ensure these measures are practical, proportionate, and deliver the intended benefits for councils. Many authorities operate legacy systems and have limited specialist cyber expertise, which may affect their ability to provide the level of assurance expected of them. While councils are responsible for assuring that suppliers meet new requirements, this can be challenging in practice, as relationships with suppliers vary and obtaining detailed assurance is not always straightforward. Additional guidance and support will therefore be important to help councils manage these expectations effectively without adding disproportionate pressure on already stretched teams.
The LGA is already engaging with both the Ministry for Housing, Communities and Local Government and the Department for Science, Innovation and Technology, and will continue to do so in any forthcoming consultation process and introduction of secondary legislation. The LGA will continue to support clear compliance expectations, realistic implementation timelines, and appropriate exemptions for public sector organisations. The LGA will also advocate for a unified approach to supplier assurance and improvements to the cyber insurance market, which remains challenging for councils. Sustained collaboration between councils, regulators and central government will be essential to support effective intelligence sharing and coordinated incident response.
Next steps include gathering feedback from councils on the proposals and providing updates as the Bill progresses through Parliament. The LGA will continue to work closely with members to ensure local government voices are heard and that any new duties are supported by practical guidance and resources.