The government has introduced the Cyber Security and Resilience Bill (12 November 2025) to strengthen cyber defences for essential services under its Plan for Change. While public electronic communications networks and services are not directly in scope, many telecoms operators and service providers may be indirectly impacted via supplier obligations, data centre operations and incident reporting dependencies.
The Bill brings managed service providers, digital service providers and data centres into scope and tightens reporting rules: in-scope organisations must notify regulators of incidents within 24 hours and submit a full report within 72 hours. Regulators will be able to designate critical suppliers, set minimum security standards, and recover costs, while the Technology Secretary can direct proportionate action to prevent or mitigate attacks.
