NCC Group Expert Urges UK Businesses to Brace for Upcoming Cybersecurity Legislation


Organizations in Europe are poised to encounter a surge of cybersecurity legislation from both the European Union and the United Kingdom.

In the EU, the legislative landscape is becoming increasingly clear, with key regulations such as the updated Network and Information Systems Directive (NIS2), the Digital Operational Resilience Act (DORA), the Cyber Resilience Act (CRA), and the AI Act already adopted.

Conversely, in the UK, details remain scarce regarding two forthcoming laws: the AI Bill, aimed at regulating advanced AI models, and the Cyber Security and Resilience Bill.

Katharina Sommer, Group Head of Government Affairs & Analyst Relations at NCC Group, highlights these trends in cybersecurity regulation in her contributions to the firm’s recent Global Cyber Policy Radar report, published in April 2025.

Sommer will participate in a panel discussion at the upcoming Infosecurity Europe 2025 conference, where she will evaluate the implications of the evolving legislative landscape for UK and EU-based firms. The session, titled “Clarification on the upcoming tsunami of legislation,” is scheduled for June 4, 2025, at 13:55 BST, alongside Jonathan Kewley, Co-Chair of the Global Tech Group at Clifford Chance.

Cyber Security and Resilience Bill: The UK's Response to NIS2

In a recent discussion, Sommer referred to the Cyber Security and Resilience Bill, introduced in July 2024 as part of the King’s Speech by the newly formed Labour government, stating that it represents the UK’s answer to the EU’s NIS2 directive. Although specific elements of the Bill are not yet public, Sommer advises UK organizations to start considering the adjustments their cybersecurity strategies will need now, ahead of future compliance deadlines.

Furthermore, experts predict that the Bill will bring new sectors and parts of the UK economy into scope that were not covered under NIS1. Potential areas of focus include managed service providers (MSPs), critical suppliers, and possibly data centers with a capacity of one megawatt or more (presumably rising to ten megawatts for enterprise-level data centers). In an update on the Bill in April 2025, the UK government indicated that it would apply to approximately 1,000 organizations in the UK.

Sommer anticipates that the Bill will introduce revisions to technical and security requirements and enhance incident reporting protocols, emphasizing the importance of timely reporting on incidents significantly impacting entities.

“Until the Bill is laid before Parliament, we will not know the extent of its provisions. However, we can surmise that security mandates will likely align with the Cyber Assessment Framework (CAF). Ongoing discussions will determine whether the primary legislation will be detailed or solely reference the CAF along with other standards,” Sommer noted.

Additionally, the Bill may empower the UK Secretary of State to exert greater influence, potentially leading to more direct oversight of organizations’ approaches to cyber resilience and the methodologies employed.

Navigating Compliance Across Borders

Sommer indicated that many questions regarding compliance persist, particularly for organizations operating in both the UK and EU, which may face conflicting requirements.

Key concerns include:
– Differences in scope between NIS2 and the UK’s Cyber Security and Resilience Bill (for example, focusing on managed services).
– Variability in security mandates, particularly regarding incident reporting timelines for affected entities.
– Potential unique provisions for the financial sector within the Cyber Security and Resilience Bill, possibly conflicting with DORA provisions.

As Sommer asserts, organizations in scope, especially those with cross-border operations, have advocated for harmonization and alignment to streamline compliance between these two regulatory regimes.

Preparing for Cyber Regulation Trends

The complex landscape of cybersecurity regulatory compliance will be central to discussions at Infosecurity Europe. Organizations seeking to stay ahead should engage with resources from the UK Department for Science, Innovation and Technology (DSIT), which provides an overview of the government’s strategic direction.

DSIT plans to introduce the Bill to Parliament before year-end, with expectations for final details to be solidified in the autumn.

In summary, organizations must actively prepare for impending regulatory obligations in order to enhance their cybersecurity resilience and compliance readiness as the legislative framework continues to evolve.