This industry commentary featured in the December 2025 edition of The UK Water Report publication for the UK water sector.
The UK water industry is undergoing a rapid transformation. Across distribution networks and treatment works, smart meters, IoT sensors, real-time analytics and the remote control of critical assets are becoming standard. That greater visibility and operational agility also widens the attack surface: more connected devices, more remote access paths and more dependence on data platforms that an adversary could disrupt. The upcoming Cyber Security and Resilience Bill recognises this evolution – and signals a shift in expectations for how water companies must manage cyber risk to protect the outcomes customers and regulators care most about, from uninterrupted water supply to environmental performance.
The Bill seeks to reform and enhance the existing Network and Information Systems Regulations 2018 (the “NIS Regs”). For water companies already investing to meet NIS expectations, this is an evolution with sharper teeth, wider scope and firmer accountability.
The reforms recognise that essential services are only as strong as the digital ecosystem that supports them – your SCADA platform, your enterprise IT, the data centres you depend on, your managed service partners, and the critical suppliers that keep the mechanics of water treatment running day to day.
What the bill does
Two elements particularly matter for the water sector. First, the scope is expanding: medium and large managed service providers and data centres will be brought into regulation, reflecting their systemic importance. This matters if telemetry or operational data platforms sit with third parties, or if an outage at a data centre supporting field operations could interrupt service.
Second, regulators will gain the power to designate critical suppliers and apply mandatory cyber duties to them. In the water sector this could apply, for example, to the chemical suppliers the treatment process depends on: a single compromised supplier could interrupt treatment, put the company out of compliance and lead directly to a public health risk.
Speed and transparency will also increase. Today, many incidents are only reportable once disruption has occurred, and the reporting deadline is 72 hours. Under the Bill, in-scope organisations must issue an initial notification within 24 hours and a fuller report within 72 hours, informing the NCSC as well as their regulator. That enables earlier coordinated support and a better national threat picture; it will also test whether Security Operations (“SecOps”) across IT and OT are genuinely integrated and ready to act at pace, because a 24-hour clock leaves no room for a plant incident to sit in an OT team’s queue before the enterprise security function hears of it.
Compliance impact
Changes are also happening to the enforcement regime. Instead of today’s approach, where fines are capped at an absolute value, the maximum penalty will be linked to organisational turnover. Regulators will be able to levy up to £17m or 4% of worldwide turnover (whichever is higher) for more serious breaches, and up to £10m or 2% for less serious breaches, within a simplified two‑band structure and a broader proportionality test.
Government feedback makes clear that the aim is to build a culture of compliance. For most water companies, the practical effect is that the financial risk attached to failure increases significantly.
The Bill also seeks to strengthen consistency. Government can set strategic priorities and, where national security is at stake, instruct regulators and regulated entities to take proportionate steps, such as isolating high‑risk systems. Regulators will also be empowered to recover the full costs of their NIS duties through transparent charging schemes. For water companies, this points to greater clarity about oversight costs alongside tighter expectations on performance and evidence.
Aligning with existing frameworks
For many in the industry, an obvious question is whether this sidelines the NCSC’s Cyber Assessment Framework. It doesn’t; the Bill elevates CAF’s role as the guiding framework. CAF v4.0, released this summer, is already used by most UK cyber regulators; the v4.0 changes aim to keep pace with a rising threat by codifying clearer expectations.
Water companies have spent significant sums improving cyber governance, segmentation, monitoring and incident response. The Bill builds on that work and raises the bar: earlier reporting, better supply‑chain control, clearer accountability and demonstrable resilience across IT, OT and cloud. It will land alongside wider priorities – fixing leaks, improving river water quality, reducing pollution, upgrading ageing assets – priorities customers can see and feel on their bills.
It’s tempting to frame cyber as an ethereal threat next to tangible environmental outcomes; however, digitisation underpins those outcomes directly. If cyber fails, the “visible” service quickly becomes visibly disrupted. The pragmatic approach is to link cyber investment to service outcomes: fewer unplanned outages, safer operations, faster restoration, and stronger public confidence in water continuity.
This is also a conversation about affordability and fairness. The Bill’s cost‑recovery provisions relate only to regulators’ own costs; the additional investment in resilience still has to be found and prioritised by companies alongside environmental delivery and customer experience. Cyber is not a parallel spend but part of delivering the outcomes customers value, because the data, automation and control that improve those outcomes only deliver if they are secure.
What leaders need to do
In the near term, companies should take one view of risk across IT and OT, with a single incident response playbook tested against realistic scenarios, such as ransomware reaching a plant network or a compromised remote‑access account. Asset inventories must extend to edge devices and cloud dependencies; third‑party access needs tighter guardrails; and security monitoring must watch plant networks as clearly as enterprise systems.
On the supply‑chain side, map critical suppliers to essential functions – chemicals, telemetry, telecommunications, data‑centre dependencies – and be ready for designation criteria and duties once secondary legislation comes into force.
Finally, treat CAF v4.0 as the stable framework for prioritisation. This Bill is an accelerator not a diversion: close gaps against your target profile, evidence controls, and bring operations teams into the heart of SecOps. If you don’t yet have an agreed profile for your most critical assets, now is the time to set one – baseline where appropriate, enhanced where threat and consequence demand it.
Explore our cyber security and water sector capabilities to learn how CGI helps water companies embed resilience across IT, OT and supply chains.
Contact our team to discuss your readiness for the Cyber Security and Resilience Bill.