
The UK is being attacked almost daily – now the government is stepping in

Ryan Brothwell

Hospitals, energy and water supplies, and transport networks will be better protected from the threat of cyber-attacks under new laws being introduced in Parliament on Wednesday (12 November).

The Cyber Security and Resilience Bill strengthens national security and protects growth by boosting cyber protections for the services that people and businesses rely on every day.

In the face of increasing cyber threats, it will prevent disruption – keeping the taps running, the lights on and the UK’s transport services moving – while making sure those who supply our vital services have tougher cyber protections.

These proposed laws would cover certain digital and essential services, including healthcare, transport, energy, and water.

New independent research published today shows the average cost of a significant cyber-attack in the UK is now over £190,000. This amounts to around £14.7 billion a year across the economy – equivalent to 0.5% of the UK’s GDP.

The National Cyber Security Centre (NCSC) managed 204 significant or highly significant cyber incidents in the year leading up to September 2025. These are the incidents defined as having a serious impact on essential services, public safety, or economic stability. The NCSC managed, on average, one of these significant incidents every two days, it said.

Under the proposals:

  • Medium and large companies providing services like IT management, IT help desk support and cyber security to private and public sector organisations like the NHS will also be regulated for the first time. Because they hold trusted access across government, critical national infrastructure and business networks, they will need to meet clear security duties. This includes reporting significant or potentially significant cyber incidents promptly to government and their customers, as well as having robust plans in place to deal with the consequences.
  • Regulators will be given new powers to designate critical suppliers to the UK’s essential services, such as those providing healthcare diagnostics to the NHS or chemicals to a water firm, where they meet the criteria. This would mean they’d have to meet minimum security requirements – shutting down supply-chain gaps that criminals could exploit, which could cause wider disruption.
  • Enforcement will be modernised, including tougher turnover-based penalties for serious breaches, so cutting corners is no longer cheaper than doing the right thing. That’s because companies providing taxpayer services should make sure they have tough protections in place to keep their systems up and running.
  • The Technology Secretary gets new powers to instruct regulators and the organisations they oversee, like NHS trusts and Thames Water, to take specific, proportionate steps to prevent cyber attacks where there is a threat to UK national security. This includes requiring that they beef up their monitoring or isolate high-risk systems to protect and secure essential services.

These are areas where an attack could have huge negative implications for the British economy and public services. The Office for Budget Responsibility (OBR) estimates that a cyber-attack on critical national infrastructure could temporarily increase borrowing by over £30 billion – equivalent to 1.1% of GDP.
