NCC Group Expert Warns UK Firms to Prepare for New Cybersecurity Bill

Organizations in Europe are about to face a wave of cybersecurity legislation, coming from both the EU and the UK.
In the EU, the tech legislation roadmap is relatively clear, with most relevant regulations and laws already adopted, including the updated Network and Information Systems Directive (NIS2), the Digital Operational Resilience Act (DORA), the Cyber Resilience Act (CRA) and the AI Act.
In the UK, little is yet known about the two upcoming tech laws: the AI Bill, likely to focus on regulating frontier AI models, and the Cyber Security and Resilience Bill.
As the Group Head of Government Affairs & Analyst Relations at NCC Group, Katharina Sommer has contributed to the firm’s latest Global Cyber Policy Radar, a report on cybersecurity regulation trends published in April 2025.
Sommer will join a panel of speakers at the upcoming Infosecurity Europe 2025 conference to evaluate the European raft of upcoming and implemented laws, and what they mean for UK and EU-based companies.
The session, titled ‘Clarification on the upcoming tsunami of legislation,’ will take place on Wednesday, June 4 at 13.55 BST. Sommer’s fellow speaker is Jonathan Kewley, Co-Chair of the Global Tech Group at Clifford Chance.
Cyber Security and Resilience Bill, UK’s Response to NIS2
Speaking to Infosecurity, Sommer said the Cyber Security and Resilience Bill, announced in July 2024 as part of the King’s Speech introducing the new Labour government, can be considered the UK’s response to the EU’s NIS2.
While the details of the Bill are scarce at this stage, Sommer said UK organizations should already “start thinking about required changes to their cybersecurity programs ahead of any compliance or enforcement deadlines.”
For instance, she said analysts expect the Bill to bring new sectors and parts of the UK economy into scope compared to the existing NIS regime (NIS1), including managed service providers (MSPs), critical suppliers and possibly data centres at or above 1MW capacity (or at or above 10MW capacity for enterprise data centres).
In an April 2025 update on the Bill, the UK government stated that it is expected to apply to 1000 UK organizations.
She also expects the Bill to update technical and security requirements and to improve incident reporting, including capturing incidents that could have a significant impact (not only those that did) and revising reporting timelines.
She added: “Until the Bill is laid before Parliament, we will not know the details it will include. That said, it is an informed guess that security requirements will mirror the provisions of the Cyber Assessment Framework (CAF). Discussion remains regarding how detailed primary legislation will be, as opposed to including references to the CAF, or other standards and guidance.”
The Bill is also expected to grant the UK Secretary of State greater powers.
“While details are being awaited on this, it might herald more direct intervention into organizations’ cyber resilience approaches, measures and programs,” Sommer indicated.
Finally, she believes that organizations within scope could benefit from improved information sharing, including from the UK government, which aims to gain better visibility of the threat landscape.
She recommended that any UK organization wishing to prepare for the upcoming legislation read the UK Department for Science, Innovation and Technology’s (DSIT) Policy Statement on the Bill, as it gives a good overview of the government’s plans and intent.
“We understand that DSIT intends to introduce the Bill to Parliament before the end of the year, most likely in the Autumn, as final details of the proposals are being finalized,” she added.
Potential Cross-Border Security Requirement Overlaps and Clashes
Sommer told Infosecurity that many questions remained open regarding compliance, especially for organizations that operate both in the UK and the EU, which may face contradictory requirements across borders.
These include:
- Potential differences in scope between NIS2 and the UK’s Cyber Security and Resilience Bill (e.g. managed service providers)
- Potential differences in security requirements between NIS2 and the Cyber Security and Resilience Bill (e.g. cyber incident reporting timeline for covered entities)
- Potential specific provisions for the financial sector in the Cyber Security and Resilience Bill, leading to potential clashes with DORA provisions
Regarding the possible clashes between NIS2 and the Cyber Security and Resilience Bill, Sommer stated, “Organizations in scope, particularly those operating across borders, have already made the case for harmonization and alignment across the two regulatory regimes to streamline their compliance efforts as much as possible.”
Learn More About Cyber Regulation Trends at Infosecurity Europe
The increased complexity of cybersecurity regulatory compliance will be a primary focus of this edition of Infosecurity Europe. Register to attend and discover the latest trends from cyber policy experts.
The full program is available on the Infosecurity Europe website.
The 2025 event will celebrate the 30th anniversary of Infosecurity Europe, taking place at ExCeL London from June 3-5, 2025.