Westminster Policy News & Legislative Analysis

Jarvis outlines Cyber Security and Resilience Bill and NCSC tools

Security Minister Dan Jarvis used a House of Commons address on 24 November to set out the government’s current cyber agenda: the Cyber Security and Resilience (Network and Information Systems) Bill now before Parliament, a Counter Political Interference and Espionage Action Plan, and a set of National Cyber Security Centre tools for organisations. The speech was delivered at the Cybersecurity Business Network’s inaugural Parliament and Cyber conference.

Jarvis situated the update against a marked rise in serious incidents. The NCSC’s 2025 Annual Review period recorded 429 incidents, including 204 classed as nationally significant and 18 as highly significant; ministers have also written to FTSE 350 chief executives urging board‑level oversight of cyber risk.

Legislation is the centrepiece. The Cyber Security and Resilience (Network and Information Systems) Bill was introduced in the Commons on 12 November 2025 and is awaiting a date for second reading. DSIT’s policy statement, laid on 1 April 2025, explains the objective: update and expand the NIS 2018 framework so regulators can require higher standards and government gains earlier visibility of serious incidents.

Scope will widen materially. Operators of data centre services provided on an enterprise basis at or above a rated IT load of 10 megawatts will be regulated as operators of essential services. Managed service providers will acquire explicit duties to manage risks to the systems they rely on, and relevant digital service providers remain in scope. Regulators will also gain a mechanism to designate “critical suppliers” where disruption could significantly affect essential or digital services.

Reporting obligations are tightened. The Bill establishes a two‑stage model requiring an initial notification within 24 hours of awareness and a full report within 72 hours, with copies sent to the NCSC in its CSIRT role. In addition, regulated entities must notify customers they consider likely to have been affected by a reportable incident. Formats and further detail will be set out in regulations and regulator guidance.

Enforcement and oversight are strengthened. Regulations made under the Bill may set maximum penalties up to the greater of £17 million or 10% of worldwide turnover for undertakings in specified cases, alongside broader information‑gathering and cost‑recovery powers for regulators. A new Statement of Strategic Priorities will guide regulatory activity; regulators must have regard to it and the Secretary of State must report to Parliament on delivery.

The Home Office will run a parallel programme to deter state interference. Jarvis confirmed a Counter Political Interference and Espionage Action Plan including security briefings for parties, guidance for candidates, cooperation with professional networking platforms and tighter political donation rules via a forthcoming Elections Bill. MI5 and the National Protective Security Authority have also issued guidance for those in political roles.

Operational support accompanies the legislative track. The NCSC’s Cyber Action Toolkit, launched on 14 October, offers step‑by‑step advice for sole traders and small organisations and sits alongside existing services such as the “Check Your Cyber Security” tests. Jarvis also pointed to the public‑sector Takedown Service and the Early Warning alerting service, which he said now serves more than 13,000 organisations.

Baselines and certification remain central. Cyber Essentials shifted to the “Willow” question set on 28 April 2025 with updates covering authentication, remote working terminology and verification of network subsets; DSIT reports record quarterly uptake and notes strong links between baseline controls and lower insurance claim rates. Organisations not in regulated sectors are still encouraged to certify.

For boards and operators, the practical takeaway is clear. Entities likely to fall in scope (data centre operators, relevant digital service providers and managed service providers) should test their ability to meet the 24‑hour/72‑hour reporting timetable, build customer‑notification playbooks and review contracts and controls where they could be designated as critical suppliers. All boards should adopt the Cyber Governance Code of Practice, validate incident response plans against NCSC guidance, consider Cyber Essentials, and enrol in Early Warning.

Next steps are procedural but important. The Bill has completed first reading in the Commons and is awaiting scheduling for second reading. DSIT intends to commence key provisions via secondary legislation once Parliament has agreed the framework, and ministers say a National Cyber Action Plan will follow in 2026 to align operational support with the new duties.