News - Construction News

New laws will strengthen cyber defences for essential public services



On 12 November 2025, the UK government introduced the Cyber Security and Resilience Bill to Parliament, signalling a significant overhaul of the nation’s approach to protecting critical infrastructure.

For suppliers and contractors in the construction sector, particularly those engaged with transport, energy, water, and healthcare projects, this legislation introduces new compliance obligations and commercial opportunities. The bill aims to fortify the essential services that underpin the UK economy against a backdrop of increasing cyber threats, which are estimated to cost businesses almost £15 billion annually.

A central element of the proposed law is the extension of regulatory oversight to companies providing managed IT and cybersecurity services. Firms that manage digital systems for public bodies like the NHS or for private operators of critical national infrastructure will, for the first time, be required to meet mandated security standards. This provision has direct implications for the construction supply chain, where digital service providers are integral to project management and operations. Contractors will need to ensure their IT partners comply with these new duties, which include the prompt reporting of significant cyber incidents.

Furthermore, the legislation grants regulators new powers to designate “critical suppliers” to essential services. This could include firms providing specialist components for energy facilities, diagnostic equipment for healthcare construction projects, or treatment chemicals for water infrastructure. Once designated, these suppliers will be legally required to meet minimum security requirements, effectively embedding cyber resilience deep within the infrastructure supply chain. This change presents a clear opportunity for security-conscious suppliers to gain a competitive advantage when bidding for contracts on sensitive projects.

The bill also modernises enforcement, introducing substantial turnover-based penalties for serious breaches. This financial imperative will cascade from asset owners and main contractors down to their subcontractors and suppliers, making robust cybersecurity a prerequisite for participation in infrastructure projects. The Technology Secretary will also gain new powers to direct organisations, such as transport authorities or utility companies, to implement specific security measures in response to national security threats. Such directives could generate new demand for specialist security contractors and consultants. By bringing data centres and smart energy management systems within its scope, the legislation addresses emerging areas of risk and opportunity where construction and technology converge, reinforcing that cyber resilience is now a critical component of project delivery and national security.
