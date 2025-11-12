Large organisations that provide IT services, including datacentres, will face regulation to ensure they have adequate cyber security and resilience plans, under laws being introduced in Parliament today.

The Cyber Security and Resilience Bill (CSRB) aims to ensure critical services, including healthcare, water, transport and energy, are protected against cyber attacks, which cost the UK economy almost £15bn a year.

Under the proposals, medium and large IT services companies providing IT management, helpdesk support and cyber security to critical services face regulation for the first time.

They will be required to report potentially significant cyber security breaches to regulators and the National Cyber Security Centre within 24 hours, with a full report within 72 hours, and to notify businesses and individuals who use their services of the incident.

New government powers The government will have new powers to instruct regulators and the organisations they oversee to take “specific, proportionate steps” to prevent cyber attacks where there is a risk to national security. This could include requiring them to strengthen security monitoring of their systems or isolate high-risk systems to protect and secure essential services. The proposed laws cover private and public sector providers of critical services, which, if attacked, could have “huge negative implications” for the economy. Regulators will be given new powers under the bill to “designate” organisations that supply essential services, such as health diagnostics to the NHS or chemicals to a water firm, requiring them to meet minimum security requirements.