UK Cyber Security Legislation

What is the Cyber Security and Resilience Bill?

The UK's biggest update to cyber security legislation in over a decade. Learn what it means, who it affects, and how to prepare your organisation.

The Cyber Security and Resilience (Network and Information Systems) Bill (Bill 329) was introduced to Parliament on 12th November 2025. As of June 2026 it has passed all of its House of Commons stages and is now before the House of Lords (HL Bill 32), with Royal Assent expected in late 2026. This legislation marks the UK's most comprehensive update to cyber legislation in over a decade, significantly expanding the scope of existing NIS Regulations 2018. The Bill is structured in 5 Parts with 61 sections and 2 Schedules, creating comprehensive regulatory frameworks for managed service providers, cloud platforms, data centres, and critical suppliers.

Part 2 amends the NIS Regulations to bring new entities into scope. Part 3 grants the Secretary of State powers to set strategic priorities and make regulations. Part 4 introduces national security directions. Organisations delivering essential or digital services must proactively manage cyber risk throughout their supply chains. Failing to comply may result in financial penalties of up to £17,000,000 or 4% of global turnover (Section 21), rising to £17,000,000 or 10% of turnover for the most serious national security breaches, plus daily penalties of up to £100,000 for continuing violations (Section 49).

Where the Bill stands today

  • Current stage: House of Lords - HL Bill 32 (1st reading 17 June 2026)
  • Lords 2nd reading: scheduled 14 July 2026
  • Royal Assent: expected late 2026
  • Full implementation: phased to ~2028 via secondary legislation

The Bill cleared all House of Commons stages (Second Reading 6 January 2026; Committee 3-24 February; Report and Third Reading 16 June 2026, passed without division) and now sits with the House of Lords. A key committee change made Ofcom the sole regulator for data centres. Royal Assent is expected in late 2026, but most substantive duties will commence later through secondary legislation following the Government's 2026 implementation consultation, with full effect not expected until around 2028.

Expanded Scope (Part 2)

Section 9: Managed service providers (MSPs) regulated as Relevant Managed Service Providers (RMSPs). Section 4: Data centres (1MW/10MW thresholds). Section 6: Load controllers (300MW+). Section 12: Critical suppliers.

Strategic Priorities (Part 3)

Section 25: Statement of Strategic Priorities. Section 36: Codes of Practice. Section 29: Regulations on security and resilience.

Incident Reporting (Section 15)

24-hour initial notification, 72-hour full report. Section 16: Customer notification required. Reports must also be copied to the CSIRT.

Supply Chain Security (Section 12)

Regulation 14H: Critical supplier designation. Section 30: Activity-critical supply requirements.

Enforcement (Part 2, Chapter 3)

Section 21: Penalties up to £17M or 4% turnover. Section 20: Information gathering. Schedule 1: Inspection powers.

National Security (Part 4)

Section 43: Directions to regulated persons. Section 49: Penalties up to £100K/day. Section 47: Inspection powers.

Why is the Cyber Security and Resilience Bill Being Introduced?

Digital Dependency & Rising Threats

The UK's digital economy has grown exponentially, but so has our vulnerability to cyber attacks. Recent high-profile incidents targeting critical infrastructure have exposed gaps in our current regulatory framework.

The Cyber Security and Resilience Bill addresses these challenges by extending regulatory oversight to previously unregulated sectors and strengthening requirements for existing ones.

  • £8.1bn: annual cost of cybercrime to UK businesses
  • 39% of UK businesses experienced cyber attacks in 2023

Key Drivers for the Cyber Security and Resilience Bill

  • Increasing sophistication of cyber threats
  • Growth in critical digital services and dependencies
  • Regulatory gaps in current NIS legislation
  • Need for stronger supply chain security

Who Does the Cyber Security and Resilience Bill Apply To?

Part 2, Chapter 1 of Bill 329 significantly expands the scope of cybersecurity regulation beyond traditional critical infrastructure. Section 9 brings MSPs into scope, Section 4 designates data centres, Section 6 covers load controllers, and Section 12 enables critical supplier designation.

Managed Service Providers

Section 9: RMSPs providing ongoing IT management services. Must register within 3 months (Section 14).

Cloud Service Providers

Section 7: Relevant Digital Service Providers (RDSPs) providing cloud computing services. Managed services are excluded from this category.

Data Centres

Section 4: Essential services. Thresholds: 1MW (general) or 10MW (enterprise-only).

Public Services

Government departments and local authorities.

NHS Organizations

Healthcare trusts and affiliated entities.

Critical Suppliers

Section 12: Can be designated if failure impacts national infrastructure. Includes SMEs.

Bill Structure

Bill 329 is organised into 5 Parts with 61 sections and 2 Schedules, creating a comprehensive regulatory framework.

Part 1

Introduction

Sections 1-2: Definitions and overview of the Act

  • Section 1: Meaning of "NIS Regulations"
  • Section 2: Overview of Act structure

Part 2

The NIS Regulations

Sections 3-23: Amendments to NIS Regulations 2018

  • Chapter 1: Regulated persons (Sections 3-12)
  • Chapter 2: Information & reporting (Sections 13-16)
  • Chapter 3: Other amendments (Sections 17-23)

Part 3

Security & Resilience Functions

Sections 24-42: Secretary of State powers

  • Chapter 2: Strategic priorities (Sections 25-28)
  • Chapter 3: Regulations (Sections 29-35)
  • Chapter 4: Code of practice (Sections 36-39)

Part 4

National Security Directions

Sections 43-58: Emergency powers

  • Section 43: Directions to regulated persons
  • Section 47: Inspection powers
  • Section 49: Penalties up to £100K/day

Part 5

General

Sections 59-61: Extent, commencement, short title

  • Section 60: Phased commencement
  • Section 61: Short title - Act 2026

Schedules

Enforcement & Amendments

2 Schedules with detailed provisions

  • Schedule 1: Enforcement and appeals
  • Schedule 2: Minor and consequential amendments

Key Changes

The Cyber Security and Resilience Bill introduces several major reforms to the UK's cybersecurity landscape. Here's what you need to know:

Bringing More Organisations Into the Frame

Part 2, Chapter 1 of the Bill significantly expands who must comply with cyber regulations. Section 9 brings Managed Service Providers (MSPs) into scope as 'Relevant Managed Service Providers' (RMSPs), subject to security duties under Section 10. Section 4 designates data centres as essential services with thresholds of 1MW (general) or 10MW (enterprise-only). Section 6 brings large load controllers (300MW+) into scope. Section 12 allows designation of critical suppliers. These changes close major gaps in the UK's cyber defence chain, bringing hundreds of previously unregulated entities under oversight.