A long-running policy thread covering the UK's twin-track approach to cyber resilience: mandatory regulation of operators of essential services and digital service providers under the NIS Regulations 2018 (as amended by SI 2020/1245 and to be replaced/expanded by the Cyber Security and Resilience Bill), plus voluntary incentives (Cyber Essentials, codes of practice for software vendors / AI / app stores, Cyber Local, LORCA, skills funding) and consumer-product regulation via Part 1 of the Product Security and Telecommunications Infrastructure Act 2022.
Cyber resilience of critical national infrastructure and the wider digital economy is a Tier 1 national-security risk, and the regime sets enforceable security duties, incident-reporting thresholds, penalties up to £17m, and the supply-chain levers (Cyber Essentials, software vendor code) on which procurement and insurance increasingly depend.
The Cyber Security and Resilience Bill was introduced to Parliament in November 2025 with a DSIT impact assessment and Keeling schedules of NIS 2018, and is the principal live legislative vehicle; in parallel DSIT is rolling out the modular Codes of Practice (software vendors, AI, app stores) and the new Software Security Ambassadors Scheme launched in January–February 2026.
Shows the consolidated text of NIS 2018 as it would read if the Bill were enacted; central vehicle for broadening NIS scope to data centres, managed service providers and designated critical suppliers.
Sets the policy frame for the current thread: where regulation should bite, where market incentives should be used, and the case for legislative reform of NIS.
Original strategic framework setting out the £1.9bn programme that produced NCSC, Cyber Essentials and the NIS implementation.
Substantial amendment of NIS 2018: introduces nominated UK representatives for non-UK OES (reg. 8A), broadens information-sharing and inspection powers, replaces independent review with First-tier Tribunal appeals (regs 19A–19B), restructures the penalty regime, and recalibrates oil, gas and digital infrastructure thresholds.
Policy basis for what became Part 1 of the PSTI Act 2022 on connected consumer products.
Government response confirming the voluntary code and signalling supply-chain assurance direction.
Earlier government response on amending NIS, leading into the 2022 consultation on broader cyber resilience legislation.
Voluntary code on app-ecosystem security and privacy.
Implementation scheme to socialise the software vendors code and build a community of practice.
Private-sector lever using Cyber Essentials certification to drive supply-chain cyber hygiene.
Independent parliamentary briefing on cyber security of critical national infrastructure; baseline scrutiny document.
Departmental impact assessment accompanying introduction of the Bill.
Underlying analytical publication for the 2022 review.
Original impact assessment for NIS 2018.
Independent review (Stephen McPartland MP) commissioned by the Deputy PM and SoS DSIT to examine cyber security as a growth enabler; ran a call for views Feb–Mar 2024.
Statutory PIR concluding the NIS Regulations were broadly effective but recommending scope expansion — directly informs the current Bill.
First-generation review that scoped whether additional regulation/incentives were needed beyond NIS; sets the long-run policy lineage of this thread.
Direct legislative precursor to the current Bill.
Closes the consultation loop that the Bill now operationalises.
Evidence base for the incentives side of the thread.
Operationalises a strand of the codes-of-practice framework.
Direct predecessor to the consumer connectable products regime.
Drove the non-UK DSP / nominated representative architecture later embedded in SI 2020/1245.
This government has ambitious plans to ensure that the increasingly diverse range of consumer products that can connect to the internet are more secure by having cyber security designed into them by default.
Why linked: Drove the legislation that became Part 1 of the PSTI Act 2022.
This strategy builds on the significant progress made through the National Cyber Security Strategy 2016-2021.
Why linked: Sets the overarching strategic frame within which the incentives-and-regulation thread sits.
Why linked: Bill introduced November 2025 with Keeling schedules and DSIT impact assessment.
Statement of intent between the Government of the United Kingdom of Great Britain and Northern Ireland and the Government of the Federal Republic of Nigeria.
The March 2026 edition of the DSIT cyber security newsletter.
A scheme to champion secure software development and support a resilient cyber ecosystem.
The December 2025 edition of the DSIT cyber security newsletter.
Why linked: DSIT Impact Assessment accompanying the Cyber Security and Resilience Bill.
The June 2025 edition of the DSIT cyber security newsletter.
The April 2025 edition of the DSIT cyber security newsletter.
Cyber Local is the government's programme to deliver tailored support for the cyber security sector across the regions.
This diagram shows how the five cyber security codes of practice apply to different organisations and technologies.
The March 2025 edition of the DSIT cyber security newsletter.
The February 2025 edition of the DSIT cyber security newsletter.
Feedback from a call for views on the code of practice for software vendors, and the government's response.
The International Coalition on Cyber Security Workforces is working to develop and maintain skilled cyber security workforces.
A list of Cyber Local projects which received funding in 2025.
The November 2024 edition of the DSIT cyber security newsletter.
The December 2024 edition of the DSIT cyber security newsletter.
A joint statement on how the UK's leading banks are working with the government to expand the role of Cyber Essentials and improve supply chain cyber security.
The October 2024 edition of the DSIT cyber security newsletter.
The September 2024 edition of the DSIT cyber security newsletter.
The August 2024 edition of the DSIT cyber security newsletter.
The April 2024 edition of the monthly DSIT cyber security newsletter.
Why linked: Enforcement management model: transport sector — direct guidance on NIS enforcement options.
Helps operators of essential services understand the enforcement options under the Network and Information Systems Regulations (2018) and how DfT will apply these within the transport sector.
Why linked: Filled the "McPartland Review on cyber security and economic growth" gap via web research
The McPartland Review of Cyber Security and Economic Growth was seeking views and evidence to inform its work.
The February 2024 edition of the monthly DSIT cyber security newsletter.
The government has asked the Rt Hon Stephen McPartland MP to conduct an independent review into cyber security as an enabler of economic growth.
The December 2023 edition of the monthly DSIT cyber security newsletter.
Call for Information on the uses and security of Private Telecommunications Networks within the UK.
We’re seeking views on the opportunities for connected digital twins and other advanced cyber-physical systems to enable a national capability in CPI.
The November 2023 edition of the monthly DSIT cyber security newsletter.
This code of practice sets out minimum security and privacy requirements for app store operators and app developers.
Why linked: Implementation of NIS Regulations 2018 for the energy sector in Great Britain — sector implementation guidance.
High level policy principles for compliance with the Network and Information Systems (NIS) Regulations 2018, for operators in energy sector.
Why linked: NIS Regulations 2018: health sector guide — direct operational guidance for an OES sector.
A guide for designated operators of essential services for healthcare in England explaining the practical impact of the NIS Regulations.
Call for Information on the uses and security of Private Telecommunications Networks within the UK.
The September 2023 edition of the monthly DSIT cyber security newsletter.
An evaluation of the government's LORCA programme to help cyber security businesses innovate, develop and grow.
The August 2023 edition of the monthly DSIT cyber security newsletter.
The July 2023 edition of the monthly DSIT cyber security newsletter.
Call for Information on the uses and security of Private Telecommunications Networks within the UK.
The June 2023 edition of the monthly DSIT cyber security newsletter.
The February 2023 edition of the monthly DSIT cyber security newsletter.
The government is holding a call for views on plans to improve the security and privacy of apps and app stores.
In response to: Proposal for legislation to improve the UK’s cyber resilience
The government is consulting on proposals for new laws to improve the cyber resilience of organisations which are important to the UK economy. We received a number of positive responses which are being considered. The government hopes to respond to …
Why linked: Telecoms security regulations consultation outcome — defines the parallel telecoms regime carve-out.
The government is consulting on proposals for new regulations and a code of practice to improve the security and resilience of public telecoms networks and services.
Why linked: Consultation on NIS Regulations guidance for the energy sector — sector-specific implementation.
We're seeking views on proposed updates to guidance for operators in the energy sector on compliance with the Network and Information Systems Regulations 2018.
Why linked: Second Post-Implementation Review of NIS Regulations 2018 — the statutory review that drove the current Bill.
This review assesses the effectiveness of the NIS Regulations, which were introduced in 2018 to improve the security & resilience of essential & digital services.
The government is holding a call for views on plans to improve the security and privacy of apps and app stores.
We’re seeking views on the opportunities for connected digital twins and other advanced cyber-physical systems to enable a national capability in CPI.
The government is holding a call for views on plans to improve the security and privacy of apps and app stores.
The government is conducting research to evaluate the effectiveness of its cyber security growth and innovation programmes.
The government is consulting on proposals for new laws to improve the cyber resilience of organisations which are important to the UK economy. We received a number of positive responses which are being considered. The government hopes to respond to …
The April 2022 edition of the monthly DCMS cyber security newsletter.
We’re seeking views on the opportunities for connected digital twins and other advanced cyber-physical systems to enable a national capability in CPI.
The government is consulting on proposals for new laws to improve the cyber resilience of organisations which are important to the UK economy. We received a number of positive responses which are being considered. The government hopes to respond to …
This review details the progress made in improving cyber resilience in recent years and sets out further government intervention to protect organisations online
Why linked: Government response on amending the NIS regulations (2021) — direct precursor to the Bill.
The government's response to a call for views on amending the Security of Network and Information Systems (NIS) Regulations
In response to: Call for views on supply chain cyber security
Why linked: Call for views on security of network and information systems — companion document.
Call for views on security of network and information systems — companion document.
In response to: Call for views on amending the NIS regulations
Why linked: Call for views on amending the NIS regulations — direct evidence base for the Bill.
A call for views on amending the incident reporting framework for digital service providers within the Network & Information Systems (NIS) regulations.
The government's response to a call for views on proposals for regulating consumer smart product cyber security.
Why linked: NIS Regulations guidance for UK DSPs operating in the EU — companion cross-border guidance.
What UK digital services providers must do to comply with the regulations covering the security of network and information systems.
Why linked: NIS Regulations guidance for non-UK digital service providers — implements reg. 8A nominated representative regime.
What organisations based outside the UK offering services in the UK must do to comply with the regulations covering the security of network and information systems.
Why linked: Matched expansion phrase: National Cyber Security Strategy
The National Cyber Security Strategy 2016 to 2021 and progress so far against its strategic outcomes.
Why linked: SI 2020/1245 is a foundational statutory instrument for the regime; the attached document is the operationalising amendment of NIS 2018.
The Network and Information Systems Regulations 2018 (S.I. 2018/506) (“the 2018 Regulations”), as amended by the Network and Information Systems (Amendment) Regulations 2018 (S.I. 2018/629), implement Directive (EU) 2016/1148 of the European Parliament and of the Council concerning measures for …
Why linked: Call for views on amending the NIS regulations 2018.
Call for views on amending the NIS regulations 2018.
In response to: Call for views on proposed amendments to the Network and Information Systems Regulations
In response to: Proposals for regulating consumer smart product cyber security - call for views
A call for views on proposals for regulating the cyber security of consumer 'smart' products ran from 16 July to 6 September 2020.
In response to: Cyber security incentives & regulation review: government response to the call for eviden…
A summary of evidence received by the government as part of the Review of Cyber Security Incentives & Regulation, plus associated research publications.
In response to: Proposed changes to the Cyber Security Breaches Survey
In response to: Consultation on regulatory proposals on consumer IoT security
Consultation on the Government’s regulatory proposals regarding consumer Internet of Things (IoT) security
A call for evidence to help improve cyber security across the UK economy.
Government response to a call for views on the proposed approach to cyber security certification following the UK’s departure from the EU.
Following EU Exit, the UK proposes to introduce a requirement for non-UK based DSPs offering services in the UK to comply with the NIS Regulations.
Following EU Exit, the UK proposes to introduce a requirement for non-UK based DSPs offering services in the UK to comply with the NIS Regulations.
Consultation on the Government’s regulatory proposals regarding consumer Internet of Things (IoT) security
Why linked: Filled the "Cyber security skills and workforce development initiatives" gap via web research
In response to: Cyber Security Skills Strategy
Consultation on the Government’s regulatory proposals regarding consumer Internet of Things (IoT) security
Following EU Exit, the UK proposes to introduce a requirement for non-UK based DSPs offering services in the UK to comply with the NIS Regulations.
The Government held a targeted consultation on the implementation of the NIS Directive and its associated Implementing Act for digital service providers.
The Department for Digital, Culture, Media & Sport (DCMS) is running a survey to gather data on the UK's cyber security industry.
Government response to feedback onSecure by Design: Improving the cyber security of consumer internet of things report published on the 7 March 2018
The Government held a public consultation on its proposals to implement the Directive on the security of Network and Information Systems (NIS Directive).
The Government held a targeted consultation on the implementation of the NIS Directive and its associated Implementing Act for digital service providers.
Why linked: NIS Regulations: Impact Assessment (2018) — baseline evidence for the original regime.
This document sets out the expected impact of the Network & Information Systems Regulations 2018.
The Government held a targeted consultation on the implementation of the NIS Directive and its associated Implementing Act for digital service providers.
Call for views on the European Commission’s proposed Regulation on ENISA, the “EU Cybersecurity Agency”, and on Cyber Security Certification.
Call for views on the European Commission’s proposed Regulation on ENISA, the “EU Cybersecurity Agency”, and on Cyber Security Certification.
Call for views on the European Commission’s proposed Regulation on ENISA, the “EU Cybersecurity Agency”, and on Cyber Security Certification.
The Government held a public consultation on its proposals to implement the Directive on the security of Network and Information Systems (NIS Directive).
Why linked: National Cyber Security Strategy 2016–2021 — predecessor strategic framework.
The National Cyber Security Strategy 2016 to 2021 sets out the government's plan to make Britain secure and resilient in cyberspace.
The Department for Digital, Culture, Media & Sport (DCMS) is running a survey to gather data on the UK's cyber security industry.
The Department for Digital, Culture, Media & Sport (DCMS) is running a survey to gather data on the UK's cyber security industry.
The Government held a public consultation on its proposals to implement the Directive on the security of Network and Information Systems (NIS Directive).
This review considered whether there is a need for additional regulation or incentives to boost cyber risk management in the wider economy.
The Cyber Security Incentives and Regulation thread is the UK's twin-track approach to digital resilience: a hard regulatory backbone in the NIS Regulations 2018 (as substantially amended by SI 2020/1245) and the PSTI Act 2022, plus a softer incentives layer built around Cyber Essentials, the modular Codes of Practice and growth-oriented reviews. The thread is now in an active legislative phase: the Cyber Security and Resilience Bill was introduced to Parliament in November 2025, with Keeling schedules of NIS 2018 published in January 2026 showing how the amended regime will read 1. Voluntary levers are simultaneously scaling — the Code of Practice for Software Vendors got its government response in March 2025 2, followed by the Software Security Ambassadors Scheme launch in February 2026 3. The McPartland Review reframes cyber security as a growth enabler 4, but its recommendations on fiscal incentives remain unanswered.
The regulatory baseline is the Network and Information Systems Regulations 2018, as comprehensively amended by SI 2020/1245 on 31 December 2020. Those amendments are doctrinally important: they replaced the independent-reviewer model with a First-tier Tribunal appeal on judicial-review grounds (regs 19A–19B), recast the enforcement-notice and penalty regime into a two-stage process with mandatory pre-notice representations (regs 17–18), broadened the inspection power into a fully intrusive entry/examination/test regime (reg. 16), and required non-UK headquartered OES in energy and digital infrastructure to nominate a UK representative (reg. 8A). Thresholds for the oil, gas and digital infrastructure subsectors were rebased — including the 30% UK-market-share IXP test and the 14-billion-queries TLD registry threshold (reg. 20). On top of that statutory baseline sits the strategic frame: the National Cyber Security Strategy 2016–2021 and its 2022 successor, the 2022 Cyber Security Incentives and Regulation Review 1, and the McPartland Review of Cyber Security and Economic Growth 2. Operationalising these are the five Cyber Security Codes of Practice (Cyber Governance, Software Vendors, AI, App Store, Cyber Essentials) mapped in DSIT's modular approach diagram 3, the Cyber Essentials Supply Chain Commitment with leading banks 4, and place-based programmes like Cyber Local 5. Telecoms providers sit outside NIS under ss.105A–105C Communications Act 2003, and consumer connectable products are regulated under Part 1 PSTI Act 2022 — with s.70 of that Act still uncommenced.
The most material recent development is the introduction of the Cyber Security and Resilience (Network and Information Systems) Bill, with Keeling schedules and a DSIT impact assessment published in November 2025 and January 2026. Read against the 2022 consultation outcome 1 and the second Post-Implementation Review of NIS 2, the Bill is the legislative answer to longstanding scope concerns — bringing managed service providers, data centres and designated critical suppliers within NIS's reach. On the incentives side, the Code of Practice for Software Vendors government response (March 2025) 3 and the Software Security Ambassadors Scheme (February 2026) 4 mark a meaningful step in the supply-chain assurance agenda. The DSIT-Nigeria statement of intent on cyber-enabled fraud and scams (March 2026) 5 adds an international-cooperation dimension. By contrast, a March 2026 written question confirms that section 70 of the PSTI Act 2022 remains uncommenced and that DSIT is still 'considering options' — a sign the consumer-product regime is not yet complete.
Three calendar items dominate the next 12 months. First, the Cyber Security and Resilience Bill's passage: the live questions are scope (data centres, MSPs, designated critical suppliers) and regulator capacity — NCSC, the Information Commissioner and sector competent authorities will absorb the operational load, and Parliament will look closely at the delegated powers underpinning designation. Second, government movement on the McPartland Review 1: the review reframes cyber security as a growth enabler but its recommendations on fiscal levers (tax relief, insurance alignment, procurement) have not yet produced a published government response. The April 2026 written question on aligning Cyber Essentials with insurance underwriting standards signals where parliamentary pressure is building. Third, the long-running PSTI section 70 commencement decision: written questions repeatedly press for commencement, and a decision either way will signal how aggressively the consumer-product regime is treated as complete. Beyond those three, watch (i) the next statutory NIS review under reg. 25 (intervals not exceeding five years after the May 2022 second report) 2; (ii) the codes-of-practice ecosystem and whether the Software Security Ambassadors Scheme converts voluntary uptake into procurement leverage 34; and (iii) any Public Accounts Committee report following its 2025 evidence session on government cyber resilience.
Doctrinal risk: the regime is layered (NIS, telecoms security, PSTI), and the carve-out in reg. 8(1A) means that an entity moving between regimes (e.g. a digital infrastructure provider acquiring telecoms-network functions) could face uncertainty over which regulator and duty applies. Capacity risk: SI 2020/1245's expansion of the inspection power and the future Bill's expanded scope will test NCSC, ICO and sector-regulator resourcing. Inferred from corpus gap: no NAO value-for-money review of the NIS regime or the Cyber Local programme has been retrieved into this build — independent audit coverage is therefore thinner than for comparable regulatory regimes. Inferred from corpus gap: scope notes for the Cyber Security and Resilience Bill's commencement clauses are not in the retrieved corpus (the Keeling schedules show amended NIS text but commencement detail must be read from the Bill itself). Finally, the McPartland Review's incentives recommendations remain unanswered in the public record, leaving the 'incentives' half of this thread under-resolved 1.
The current regime sits on three statutory layers and one strategic layer. The first statutory layer is the NIS Regulations 2018, which translated EU Directive 2016/1148 into UK law and imposed security and incident-notification duties on operators of essential services (OES) in five regulated sectors plus relevant digital service providers (RDSPs). The second layer is SI 2020/1245, which extensively amended NIS 2018 on IP completion day. The most consequential changes are (i) a new reg. 8A requiring non-UK OES to nominate a UK representative — anchoring jurisdiction post-Brexit; (ii) a substantially broader inspection regime in reg. 16 that gives competent authorities and the Information Commissioner entry, production, removal, testing and 'any other action reasonably required' powers; (iii) a more procedural enforcement architecture (pre-notice representations, separate intention-to-penalise notice, payment of penalty independent of compliance with enforcement notice); and (iv) replacement of the independent reviewer with a First-tier Tribunal appeal on judicial-review grounds and a parallel civil-enforcement route.
The third statutory layer is sector-specific carve-out. Reg. 8(1A) (inserted by SI 2020/1245) disapplies NIS from telecoms network and service providers who are within scope of ss.105A–105C Communications Act 2003 — meaning the Telecommunications Security Regulations 2022 / Ofcom code of practice route, and not NIS, governs public networks. Consumer connectable products run on a separate track under Part 1 of the PSTI Act 2022, with s.70 of that Act still uncommenced. This layered carve-out matters because the Cyber Security and Resilience Bill (introduced November 2025) keeps the same architectural model — extending NIS rather than collapsing the regimes — and the Keeling schedules show the Bill amending NIS 2018, not replacing the telecoms or PSTI regimes.
The strategic layer is the National Cyber Strategy 2022 (and its 2016–21 predecessor), the 2022 Cyber Security Incentives and Regulation Review, and the modular Cyber Security Codes of Practice. These do not create duties of their own but they (a) provide the policy steer for which sectors should next be brought into scope under the Bill (data centres, managed service providers, designated critical suppliers); (b) furnish the voluntary stick-and-carrot — Cyber Essentials, the Software Vendors Code, the AI and App Store Codes, the Cyber Governance Code — which feeds into procurement and insurance leverage; and (c) underpin programmes like Cyber Local, the Software Security Ambassadors Scheme and LORCA.
What the regime cannot do is regulate state-actor cyber operations, criminal investigation responses, or consumer data protection beyond product-security — those sit under separate regimes (military, law enforcement, UK GDPR). It also cannot reach pure supply-chain risk except through (i) the Bill's proposed designated critical supplier route; (ii) procurement and insurance pressure flowing from Cyber Essentials; and (iii) the voluntary software vendors code. The accountability and remedies architecture is therefore mixed: hard regulatory enforcement on OES/RDSPs (penalties up to £17m, FtT appeals), softer code-of-practice expectations on the wider tech and software ecosystem, and product-level CE-style requirements on consumer IoT.
For analysts, the live points of doctrinal tension are: scope creep through the Bill versus regulator capacity at NCSC, the Information Commissioner and sector regulators; the boundary between the Cyber Security and Resilience Bill (NIS expansion) and the parallel telecoms / consumer-product regimes; and the absence of statutory incentives (tax, insurance) despite the McPartland Review's growth framing.
A person deemed or designated under reg. 8 NIS 2018 as providing an essential service in energy, transport, health, drinking water or digital infrastructure where the relevant threshold is met.
Online marketplace, search engine or cloud computing service provider above SME threshold offering services in the UK, regulated by the Information Commissioner.
A person in the UK with authority to act on behalf of a non-UK-headquartered OES, including service of documents under reg. 24.
Any activity for verifying compliance with NIS or assessing/gathering evidence of potential or alleged failures, including entry, document/equipment examination and removal, statement-taking and direction to conduct tests.
A NIS contravention that exceeds the lowest penalty band, with band-D reserved for contraventions creating significant risk to or impact on service provision by the OES or RDSP.
Second Reading and Committee stages of the Cyber Security and Resilience Bill in the Commons.
Government response/decision on commencement of section 70 PSTI Act 2022.
First published outputs of the Software Security Ambassadors Scheme and uptake metrics for the Software Vendors Code.
Next statutory NIS review (reg. 25 NIS 2018 as amended requires reports at intervals not exceeding five years after the second report due by 9 May 2022).
DSIT's position is to broaden mandatory regulation (Cyber Security and Resilience Bill) into data centres, managed service providers and designated critical suppliers while running a parallel voluntary codes-of-practice programme (software vendors, AI, app stores, governance), backed by Cyber Local and the Software Security Ambassadors Scheme.Feb 2026Mar 2025Mar 2025Apr 2025
Argues cyber security should be reframed as an enabler of economic growth, with implications for incentives, supply-chain assurance and the UK's industrial strategy — the review's framing has fed into the codes-of-practice programme but its full recommendations on incentives remain to be answered by government.Feb 2024Feb 2024
Have publicly committed to use Cyber Essentials as a baseline procurement requirement to lift supply-chain cyber hygiene, demonstrating that voluntary certification can act as a market-driven regulatory lever.Oct 2024