Question to the Department for Science, Innovation & Technology:
To ask the Secretary of State for Science, Innovation and Technology, what consideration she has given to the potential merits of introducing mandatory minimum cyber resilience standards for strategically important firms and supply chains.
The Network and Information Systems Regulations 2018 provide the UK’s only cross-sector cyber legislation, focused on protecting the security and resilience of essential services. The regulations impose security duties on Operators of Essential Services (OES) and relevant digital service providers (RDSPs) to take "appropriate and proportionate technical and organisational measures" to manage risk and prevent and minimise the impact of cyber incidents.
The Cyber Security and Resilience (Network and Information Systems) Bill, introduced in November 2025, updates these regulations to ensure they are fit for today and the future. It will cover a wider range of critically important entities, including data centres, large load controllers and relevant managed service providers (RMSPs). The Bill will also allow, through secondary legislation, for security and resilience requirements to be set for regulated entities. Our proposals for this legislation will be linked to existing, high-level security duties and be consistent with the NCSC’s Cyber Assessment Framework.
Regulators will also have the power under the Bill to designate certain suppliers as “critical” if a compromise or outage in their systems could cause a disruption to their services that would have serious, cascading impacts for our society and economy. Proportionate cyber security and resilience duties and requirements applying to those designated suppliers, with associated requirements, will be developed through secondary legislation and guidance. This will ensure that these critical suppliers have the appropriate cyber security and resilience measures in place, helping to protect the UK’s critical infrastructure from disruption.
The Bill sits alongside other regulatory regimes, such as for public telecoms providers and financial services, and a range of other tools to help organisations actively improve their cyber resilience. For example, the government offers the Cyber Essentials certification scheme to prevent the most common cyber attacks. Organisations with Cyber Essentials are 92% less likely to make a claim on their cyber insurance than those without it.