Britain is preparing to regulate cyber risk far more aggressively. The harder task may be building regulators capable of enforcing it.
The Cyber Security and Resilience Bill, now completing its committee stage in Parliament, will bring managed service providers, data centres, and critical supply chains under statutory oversight for the first time.
It grants 12 regulators expanded enforcement powers, faster incident reporting timelines, and turnover-based penalties reaching the greater of £17 million or 10 per cent of worldwide revenue.
It is the most significant overhaul of UK cyber regulation since the Network and Information Systems Regulations in 2018.
The ambition is clear. The enforcement capacity behind it is not.
Expanding the cyber perimeter
The bill widens the regulatory perimeter. An estimated 900 to 1,100 managed service providers will fall within scope for the first time, regulated by the Information Commissioner’s Office (ICO).
Data centres and large load controllers – organisations that remotely control the electricity use of smart appliances – are added as operators of essential services, overseen by the Office of Communications (Ofcom) and the Office of Gas and Electricity Markets (Ofgem) respectively. The secretary of state gains power to designate “critical suppliers” whose compromise could cascade through digital supply chains, subjecting them to direct regulatory obligations.
Yet during committee hearings, Amazon Web Services told MPs it is regulated for cyber security purposes by four different UK regulators.
The remark exposes a structural problem the bill does not resolve. Twelve competent authorities – spanning energy, transport, health, water, digital infrastructure, and devolved administrations – share responsibility, divided by sector. For firms that span several of those sectors, such as managed service providers serving healthcare, energy, and transport at once, the compliance architecture is fragmented by design.
Regulators themselves acknowledged the problem.
During oral evidence on 3 February 2026, the ICO, Ofcom, and Ofgem all argued for a single, consolidated incident reporting portal to prevent firms from having to report the same event to multiple bodies under overlapping frameworks including GDPR, the Network and Information Systems (NIS) Regulations, and sector-specific rules.
NCC Group’s chief scientist, Chris Anley, told the committee that reporting obligations add “to an already complicated situation”, noting that Australia has already implemented a single reporting system and the EU is pursuing similar streamlining.
What regulators told Parliament
Committee hearings revealed how far institutional readiness lags behind legislative intent. Ian Hulme, the ICO’s interim executive director of regulatory supervision, appeared alongside Ofcom’s Natalie Black and Ofgem’s Stuart Okin on 3 February. The ICO stressed the need for precise secondary legislation and clear definitions before issuing generic compliance advice, and warned that validating the size and risk profiles of the managed service providers it will newly regulate requires time, systems, and data it does not yet fully possess.
The ICO’s formal response to the bill, published in December 2025, was candid about what implementation requires: “significant work … to accurately validate the size and risk profiles of the RDSPs we currently regulate and the RMSPs we will regulate”, alongside building “the core infrastructure, systems and resources to take forward those new duties.” The regulator welcomed the bill’s cost-recovery provisions but underlined that government support and guidance would be needed to “ensure that we have the appropriate levels of funding and guidance to make this transition.”
Ben Spencer MP, the Conservative health spokesman and a former regulator, warned that leaving too much detail to secondary legislation creates legal jeopardy and a disproportionate compliance burden on smaller firms, risking a “chilling effect” on the UK tech sector. Bradley Thomas MP pressed the minister on whether funds raised through cost recovery would be reinvested in cyber security improvement rather than covering administrative overheads, and asked directly: “Can the Minister elaborate on how he will ensure that regulators have the capacity to cope with large-scale data reports?”
The exchange revealed the bill’s central paradox. Cost recovery is supposed to fund the regulators. But regulators need infrastructure, data, and staff before they can identify who to charge – and the fees to build that capacity cannot flow until the regime is operational.
Why capacity is strained
The strain is already evident. The National Audit Office reported in January 2025 that the cyber threat to government is “severe and advancing quickly.” A 2024 assessment of 58 vital departmental IT systems found widespread low maturity in fundamental cyber controls, including asset management, protective monitoring, and incident response planning. One-third of central government cyber security positions were unfilled or occupied by temporary staff, with some departments reporting more than 50 per cent of cyber roles vacant.
The government’s own Cyber Action Plan, published in January 2026, acknowledged that nearly 28 per cent of the government technology estate is legacy technology “highly vulnerable to attack.” It backed this admission with £210 million of central investment and a new Government Cyber Unit at the Department for Science, Innovation and Technology (DSIT). In February, the government announced a dedicated Cyber Profession – the first of its kind – to recruit and train public-sector cyber specialists, and reported that a vulnerability monitoring service had cut average fix times for critical DNS weaknesses from 50 days to eight.
These measures improve the government’s own cyber posture. They do little to strengthen the regulatory apparatus that must supervise a far larger private-sector perimeter.
The wider labour market offers limited relief. DSIT’s annual cyber-skills study found approximately 143,000 individuals in the UK cyber security workforce as of late 2024, with a stabilised workforce gap of around 3,800 professionals. That masks a structural problem: 49 per cent of UK businesses reported a basic technical cyber security skills gap, and core cyber job postings fell 33 per cent year on year. Regulators are competing for the same mid-career specialists that the private sector absorbs at significantly higher salaries.
The threat the bill is responding to
In June 2024, the Qilin ransomware group attacked Synnovis, a pathology provider serving NHS trusts in south-east London. The breach cancelled over 10,000 acute outpatient appointments and more than 1,700 elective procedures. Blood transfusions were suspended. An investigation later confirmed that delays caused by the attack contributed to a patient’s death – one of the first publicly confirmed cyber-related fatalities in the UK.
In April 2025, a ransomware attack crippled Marks & Spencer, forcing the retailer to suspend all online orders and warn investors the incident would shave roughly £300 million off annual profit. Within ten days, the Co-operative Group and Harrods disclosed separate attacks. Bradley Thomas told the committee that M&S representatives found it “much easier to get updates and information from the United States FBI than they did from our own authorities.” The National Cyber Security Centre (NCSC) reported a 130 per cent increase in nationally significant cyber incidents in its 2024–25 annual review – the three retail attacks alone accounting for some of the most disruptive episodes in that period.
These incidents exposed exactly the gap the bill is designed to close – but they also demonstrated how far enforcement and coordination capacity lag behind the threat.
The cost-recovery paradox
The bill’s funding mechanism is a cost-recovery regime allowing regulators to impose periodic fees on regulated entities, replacing the current system in which regulators can recover only retrospective costs and cannot charge for most enforcement activities. Regulators must publish a charging scheme, consult industry, and issue end-of-cycle statements showing how funds were spent.
The ICO has welcomed this as “critical” to delivering the bill’s ambitions. But the regime contains a bootstrapping problem. Before regulators can charge fees, they must know who falls within scope. Before they know who falls within scope, they must build registration systems, validate entity classifications, and assess risk profiles. Before they can do any of that, they need the staff and infrastructure the fees are meant to pay for.
Ben Spencer criticised the fee power as a potential “operational tax” that diverts money away from actual security improvements. The government argues the safeguards – consultation, transparency, no profit – are sufficient. Whether they are will depend on how quickly regulators can stand up the operational machinery.
International parallels
The bill does not exist in isolation. Australia’s Cyber Security Act 2024, the country’s first standalone cyber security law, moved into full operational mode in 2026 with mandatory IoT security standards, compulsory ransomware payment reporting, and a single-portal reporting system. The EU’s NIS2 Directive has been transposed across member states with broader scope and tighter timelines than the original NIS framework.
NCC Group told the committee that the UK should learn from Australia’s single reporting model and the EU’s Digital Omnibus package, which consolidates overlapping cyber, digital services, and financial-sector reporting into a more coherent structure. The contrast is clear: both Australia and the EU recognised that expanding obligations without rationalising reporting architecture simply multiplies compliance cost without proportionally improving intelligence.
Canada offers a cautionary tale on capability. As The Modern Regulator has reported, the federal Regulators’ Capacity Fund exhausted its C$14.2 million budget in March 2025 with no replacement announced, leaving regulators responsible for overseeing AI and digital systems without the institutional support those responsibilities demand. The UK risks a less dramatic but structurally similar outcome if the gap between legislative ambition and regulator capacity is not closed before the regime goes live.
The real test
The Cyber Security and Resilience Bill will almost certainly pass. The committee report was due by early March 2026, with third reading and Royal Assent expected late in the year. Cross-party support for the principle of stronger cyber regulation is essentially unanimous; the debate is about scope, implementation, and institutional capacity.
The legislation itself only covers an estimated 0.1 per cent of the UK private sector, as NCC Group noted – “one hundredth of the tip of the iceberg”. Whether that narrow statutory perimeter, policed by 12 regulators with uneven resources and no single reporting channel, can drive meaningful improvement in national cyber resilience is the question the bill leaves open.
The legislation will pass. Enforcement capacity will determine whether it matters.
Frequently asked questions
What is the Cyber Security and Resilience Bill?
The Cyber Security and Resilience Bill is the UK government’s most significant update to cyber security regulation since the Network and Information Systems (NIS) Regulations came into force in 2018. It expands the regulatory perimeter to include managed service providers, data centres, and critical digital supply chains for the first time. It grants 12 regulators enhanced enforcement powers, including turnover-based penalties of up to £17 million or 10 per cent of global revenue. The bill is currently at committee stage in Parliament, with Royal Assent expected by late 2026.
Which regulators are responsible for enforcing the new cyber rules?
Responsibility is divided across 12 competent authorities depending on sector. The Information Commissioner’s Office (ICO) will oversee managed service providers, while Ofcom and Ofgem cover digital infrastructure and energy respectively. Other regulators cover transport, health, water, and devolved administrations. During committee hearings, Amazon Web Services told MPs it is already regulated for cyber security purposes by four different UK bodies – a fragmentation the bill has not yet resolved.
Are UK regulators ready to enforce the expanded regime?
Not fully. The ICO’s formal response to the bill acknowledged the need for “significant work” to validate the size and risk profiles of newly regulated firms, and called for government support to build the core infrastructure, systems, and resources the new duties require. A January 2025 National Audit Office report found that one-third of central government cyber security positions were unfilled or held by temporary staff. The government has since launched a dedicated Cyber Profession and invested £210 million in its own estate, but those measures do not directly address the capacity of the regulatory bodies charged with overseeing the private sector.
How will the new cyber regulations be funded?
The bill introduces a cost-recovery mechanism allowing regulators to charge periodic fees to regulated entities, replacing a system that only permitted retrospective cost recovery. Regulators must publish a charging scheme, consult industry, and report annually on how funds were spent. The ICO described cost recovery as “critical” to delivering its new obligations, but critics – including Conservative MP Ben Spencer – warned it could function as an operational tax diverting money from actual security improvements.
How does the UK’s approach compare to Australia and the EU?
Australia’s Cyber Security Act 2024 moved into full operation in 2026 with a single reporting portal, mandatory ransomware payment reporting, and IoT security standards – a more consolidated model than the UK’s multi-regulator framework. The EU’s NIS2 Directive has been transposed across member states with broader scope and tighter timelines than its predecessor. Both jurisdictions recognised that expanding obligations without rationalising reporting architecture multiplies compliance cost without proportionally improving threat intelligence. The UK’s decision to maintain 12 separate competent authorities, each with its own reporting channels, risks exactly that outcome.