The UK Government’s legislative agenda, set out in the King’s Speech on 13 May 2026, places cybersecurity and digital resilience firmly at the centre of national policy. Against a backdrop of increasing geopolitical instability and rapidly evolving technological risks, the proposed measures continue the shift towards a more interventionist and systemic approach to safeguarding the UK’s critical infrastructure and services.
Cybersecurity as a pillar of national security
The 2026 King’s Speech emphasises that the UK is operating in an “increasingly dangerous and volatile world”, with the UK’s digital economy “increasingly being attacked by cyber criminals and state actors, affecting essential services and infrastructure”. Within this context, it is clear that cyber risk is being treated not as a discrete technical issue, but as a key component of national resilience.
Central to this agenda is the proposed Cyber Security and Resilience Bill, which has been carried forward from the previous Parliamentary session, and which aims to strengthen the country’s defences against cyber threats. This reflects the government’s assessment that cyber incidents pose an existential threat to the resilience of essential and important infrastructure and services underpinning our societies.
Cyber Security and Resilience Bill
As set out in our previous blog, a notable aspect of the proposed reforms is the extension of cybersecurity regulation across a broader range of critical sectors. Alongside the sectors already within scope under the current NIS Regulations 2018, the Bill includes certain Managed Service Providers (“MSPs”) within the regulatory perimeter. MSPs would be subject to obligations equivalent to those of ‘relevant digital service providers’ under the current NIS Regulations. MSPs (which are also regulated under the EU’s NIS2) are business-to-business providers of IT systems, infrastructure and network support.
The Bill also introduces updated incident reporting criteria. Organisations in scope will need to report a greater range of harmful cyber incidents to their regulator and the National Cyber Security Centre (NCSC) within 24 hours, with a full report within 72 hours. The Bill also amends the penalties regime under the current NIS Regulations, with higher penalties for non-compliance.
The Bill aims to bolster supply chain security for operators of essential services and relevant digital service providers that meet certain thresholds. Additionally, regulators will have the power to identify suppliers of critical services whose disruption could cause significant impacts on the essential/digital service being supplied. These will be classed as “designated critical suppliers”, bringing them within scope of core security requirements and reporting obligations. The Bill will also provide the Secretary of State with new powers to make changes to the regime in secondary legislation, such as bringing more services into scope, or updating security requirements.
Reform of legacy cybercrime legislation
In parallel with new regulatory measures, the government has indicated an intention to update the Computer Misuse Act 1990, recognising that existing legal frameworks have not kept pace with technological developments.
The reform agenda aims to modernise the UK’s legal toolkit for tackling cyber threats. This will include providing law enforcement with updated powers and capabilities, including the creation of a Cyber Crime Risk Order, and “unlock[ing] the power of cyber security professionals to better enable them to secure computer systems”.
Digital ID and facial recognition
Along with its cybersecurity initiatives, the King’s Speech confirms the introduction of a Digital Access to Services Bill to enable a voluntary digital identity system. The Bill will establish the legal framework for the Government to develop and operate digital ID, with its use for digital right to work checks identified as a key initial application. The Government will also establish, through the Police Reform Bill, a new legal framework to underpin the use of facial recognition and similar technologies by law enforcement authorities.
What’s missing?
Notably, the King’s Speech did not reference a dedicated AI Bill. While several proposals incorporate AI-related elements (such as the Regulating for Growth Bill, which introduces cross-economy “sandboxing” powers to allow businesses to test new products and technologies, including AI, in controlled environments), the Government has opted to embed AI within sector-specific reforms, rather than through standalone legislation.
Conclusion
The cyber aspects of the King’s Speech 2026 demonstrate the Government’s response to increasing geopolitical instability and rapidly evolving technological risks. It is evident that the burden and application of cyber regulation will only increase, making it more critical than ever that businesses operating in both the UK and beyond continue to focus on enhancing their cyber controls, underpinned by robust cybersecurity governance and equally robust controls on supply chains. Organisations will need to navigate this landscape carefully, ensuring that cybersecurity is not treated as a compliance exercise alone, but as a strategic priority underpinning operational resilience.


