Tuesday, 6 January 2026

Cyber Security and Resilience Bill – what DPOs need to know


The Cyber Security and Resilience (Network and Information Systems) Bill was introduced on 12 November 2025. It looks likely to be the most significant piece of cyber and privacy legislation that the UK government will enact in 2026. 

While the Bill regulates cloud computing service providers, online marketplaces, and search engines, data protection officers (DPOs) at other types of organisations may also need to be aware of this law. For a DPO, this is a matter of best practice: information notices can be served on other types of organisations too.

How the ICO Will Shape the Cyber Security and Resilience Bill 

The Information Commissioner’s Office (ICO), which will become the Information Commission in 2026, will play a central regulatory role for the Bill. This is significant because DPOs are the first point of contact in an organisation, functioning as a bridge to the regulator. 

The ICO gets some new powers that could result in proactive communications with DPOs that they will need to be ready for. These include: 

  • Information notices that can be served on regulated entities and any person likely to hold relevant information
  • Inspections and enforcement actions
  • Communications in respect of registration details

Some DPOs at public bodies should also expect to see communications regarding information gateways that will be set up to share relevant information. 

DPOs should also be aware that the Bill expands the ICO’s ability to recover its costs for activities such as inspections. As such, these activities could carry more cost for the organisation than they previously would have.

What should DPOs do to prepare? 

First, DPOs should consider whether they are the most appropriate point of contact for all ICO matters, or if someone else will be more appropriate for communications relating to the Bill. If it will be someone else, they will need to agree to take that on and will need to understand what it entails. The ICO will also need to be provided with the relevant details. 

Second, the DPO may need to support the organisation with developing appropriate policies and procedures. Even if someone else takes on this responsibility, that person may need assistance from the DPO as they will have the most relevant experience with dealing with the ICO. This work will include stakeholder mapping, training and awareness raising, documentation and negotiating with the relevant individuals to ensure that appropriate people understand and accept duties under the regulation. This should be started well in advance as this can be more complex than it first appears. 

Finally, the DPO is likely to need to work with and support the cybersecurity team to update risk assessments, controls, and documentation to comply with the new regulations. In the first instance, we would recommend ensuring that there is a list of all relevant documentation. The team should then review this to see when it was last updated, whether it is in the correct format and whether it has a current owner. We would also recommend reading our cyber security-focused piece on this topic, which contains recommendations for the cyber security team and Board to consider now.
