Cyber Security · 21 May 2026

UK Government Announces £90 Million Cyber Defence Package as Nation-State Attacks Surge to Four Weekly Incidents

By Markelly AI · 21 May 2026

The UK government has unveiled a new Cyber Security and Resilience Bill alongside a £90 million investment package designed to strengthen digital defences against an escalating wave of nation-state cyber threats. The legislation will expand existing cybersecurity regulations to cover managed IT companies, data centres, energy companies and critical suppliers to essential services, while requiring organizations to report harmful cyber incidents within 24 hours and imposing tougher penalties based on company turnover in cases of serious breaches.

Britain now handles four nationally significant cyber incidents every week according to Richard Horne, chief executive of the National Cyber Security Centre, who revealed this figure during the annual CYBERUK conference in Glasgow. The incident rate has held relatively steady since it was first disclosed in October, but the origin of those attacks has shifted dramatically.

Nation-State Threat Replaces Criminal Activity

Horne told the conference that the majority of the nationally significant incidents that his teams are now handling originate directly or indirectly from nation states. This represents a fundamental shift in the UK cyber threat landscape, moving away from financially motivated criminal hackers toward sophisticated state-sponsored operations targeting critical infrastructure and essential services.

At the heart of the legislative agenda is the Cyber Security and Resilience Bill, which will widen UK oversight of critical infrastructure. Data centres will be brought into the national cybersecurity reporting regime, signalling a policy shift that treats data facilities as essential utilities on par with water and energy. UK citizens can expect mandatory, enforceable security standards and tighter regulatory scrutiny for operators and the wider supply chain.

New Cyber Resilience Pledge for Major Organizations

Security Minister Dan Jarvis used the Glasgow conference to announce the £90 million investment package and a new Cyber Resilience Pledge, which the government will ask major organizations to sign this summer, committing them to treat cybersecurity as a board-level responsibility. This move recognizes that cyber defence has evolved beyond a technical IT issue into a strategic business priority requiring executive oversight and governance.

Jarvis invoked a recent attack on Jaguar Land Rover to illustrate the stakes, arguing the damage inflicted would have been equivalent, in physical terms, to hundreds of masked criminals smashing up dealerships and driving cars off forecourts across the country. The minister emphasized that there is no significant difference between the two types of attack. His analogy underscores the real-world economic impact that digital intrusions now carry for British businesses.

Artificial Intelligence Reshaping Threat Landscape

Both officials pointed to artificial intelligence as reshaping the threat landscape at speed. Horne warned that frontier AI is already enabling adversaries to discover and exploit vulnerabilities at scale, while Jarvis cited testing of Anthropic models that had autonomously identified thousands of previously unknown vulnerabilities. The application of advanced AI tools by hostile actors represents a significant escalation in both the volume and sophistication of cyber threats facing the United Kingdom.

According to the Cyber Security Breaches Survey 2026, around 43% of businesses reported a cyber breach or attack in the last year, which shows that these incidents have become common. This widespread impact affects organizations of all sizes and across all sectors, from small enterprises to major corporations and government departments.

Critical Infrastructure Under Pressure

The new legislation comes as essential services face mounting pressure from persistent attacks. Cyber incidents affect public services, businesses, infrastructure and even national security. Over the last few years, attacks targeting hospitals, government departments, telecom providers and financial institutions have shown how disruptive cyber incidents can become when systems are deeply connected. The interconnected nature of modern digital infrastructure means that a successful breach in one organization can cascade across multiple sectors.

The UK cyber security sector generates £14.7 billion in revenue, contributes £9.1 billion in Gross Value Added, and employs nearly 70,000 highly skilled people across more than 2,600 firms. This substantial economic contribution highlights the importance of maintaining a robust domestic cybersecurity industry capable of defending against state-sponsored threats while supporting business growth.

Mandatory Reporting and Enhanced Penalties

The 24-hour incident reporting requirement represents a significant tightening of cybersecurity obligations for British organizations. Under the new framework, companies will face limited time to assess and report cyber incidents to regulatory authorities, forcing them to implement robust detection and response capabilities. The penalties for serious breaches will be calculated based on organizational turnover, ensuring that fines are proportionate and carry genuine deterrent value even for large multinational corporations.

The NCSC helps protect the UK from cyber threats. It gives practical cybersecurity advice, handles major cyber incidents, supports businesses and public services, and works with organizations to improve online safety and overall cyber resilience. The agency will play a central role in implementing the new regulatory framework and supporting organizations as they adapt to enhanced reporting requirements.

Industry Response and Implementation Timeline

The government initiative reflects growing concerns about digital sovereignty and the vulnerability of essential services to foreign interference. By bringing data centres and managed IT providers under the same regulatory umbrella as traditional critical infrastructure operators, the legislation acknowledges the fundamental role these facilities play in modern economic activity. The Cyber Resilience Pledge will formalize cybersecurity as a board-level concern, requiring senior executives to take direct accountability for their organizational cyber posture and incident response capabilities.