Published: 12 November 2025. The English Chronicle Desk. The English Chronicle Online
IT companies that provide services for the NHS, as well as the UK’s energy, water and transport infrastructure, will face tough new security standards under a new law introduced by ministers to mitigate the threat of cyber attacks.
The Cyber Security and Resilience Bill is set to be introduced on Wednesday in a move aimed at strengthening national security by boosting cyber protections for the services that people and businesses rely on daily. Its primary objective is to keep taps running, lights on, and transport services moving amid a landscape where businesses, transport hubs, and government organisations continue to be targeted by cyber attacks.
In the past month, the National Cyber Security Centre (NCSC) highlighted a “significant threat” from Chinese and Russian hackers, contributing to a record number of serious online attacks. Economic forecasts underline the potential cost: the Office for Budget Responsibility (OBR) has warned that a cyber-attack on critical national infrastructure could temporarily increase borrowing by over £30 billion, equivalent to 1.1 per cent of the UK’s GDP. Research published on Wednesday shows that the average cost of a major cyber-attack in the UK now exceeds £190,000 per incident, amounting to £14.7 billion a year across the economy.
The proposed legislation will regulate IT management, IT help desk support, and cybersecurity firms that provide services to both private and public sector organisations. Medium and large companies holding trusted access to essential infrastructure and business networks will be required to meet clear security obligations and report major cyber incidents to government authorities and their clients.
Key providers of the UK’s essential services, such as healthcare diagnostics suppliers to the NHS or chemical suppliers to water utilities, may be categorised as critical suppliers. This will compel them to meet minimum security standards to close potential supply chain gaps that criminals could exploit. Regulators will have new powers to enforce compliance, while tougher penalties will be introduced to prevent organisations from cutting corners when providing taxpayer-funded services. Technology Secretary Liz Kendall will gain enhanced powers to instruct regulators and organisations to take preventative measures against cyber threats.
“Cyber security is national security,” said Ms Kendall. “This legislation will enable us to confront those who would disrupt our way of life. I’m sending them a clear message: the UK is no easy target. We all know the disruption daily cyber-attacks cause. Our new laws will make the UK more secure against those threats. It will mean fewer cancelled NHS appointments, less disruption to local services and businesses, and a faster national response when threats emerge.”
The new bill has received backing from National Cyber Security Centre CEO Dr Richard Horne, who emphasised its significance: “The Cyber Security and Resilience Bill represents a major step towards ensuring the nation’s most critical services are better protected and prepared in the face of an increasingly complex threat landscape. Cyber security is a shared responsibility and foundation for prosperity, and so we urge all organisations, no matter how big or small, to follow the advice and guidance available at ncsc.gov.uk and to act on it with the urgency that the risk requires.”
National Chief Information Security Officer for Health & Care at NHS England, Phil Huggins, added: “The Bill represents a huge opportunity to strengthen cyber security and resilience to protect the safety of the people we care for.”