
URGENT: The Cyber Security and Resilience Bill is here. Are you ready for the 24-hour reporting deadline?

Bill 329: Now in Parliament

Cyber Security and Resilience Bill (CSRB) - UK 2026 Guide

What it means. Who it affects. How to stay compliant.

What is the Cyber Security and Resilience Bill?

The Cyber Security and Resilience Bill (Bill 329) is the UK's response to the evolving digital threat landscape. Introduced to Parliament on 12 November 2025, it updates the 2018 NIS Regulations to secure critical national infrastructure and digital supply chains.

Crucially, it expands regulatory scope to include Managed Service Providers (MSPs) and Data Centres, designating them as critical infrastructure. It mandates 24-hour incident reporting, introduces "near miss" reporting duties, and empowers regulators (ICO, Ofcom) to levy fines up to £17 million or 4% of global turnover.

Legislative Dashboard

Key metrics and thresholds for compliance leaders.

Metric | Value / Requirement | Legislative Source
Bill Status | Committee Stage | Parliament.uk
Maximum Penalty | £17 Million or 4% Turnover | Clause 33
Incident Reporting | 24 Hours (Initial) / 72 Hours (Full) | Regulation 11
Data Centre Threshold (Ent) | 10 MW IT Load | Policy Paper
Data Centre Threshold (Colo) | 1 MW IT Load | Policy Paper

Last Updated: January 2026

What is the Cyber Security and Resilience Bill?

The Cyber Security and Resilience (Network and Information Systems) Bill (CSRB) was introduced to Parliament on 12th November 2025 as Bill 329. This legislation marks the UK's most comprehensive update to cyber legislation in over a decade, significantly expanding the scope of existing NIS Regulations 2018 to include managed service providers (MSPs), cloud platforms, data centres, and critical suppliers. The Bill is structured in 5 Parts with 61 sections, creating new regulatory frameworks and enforcement powers.

Mandatory incident reporting

Stronger regulatory oversight

Tougher compliance standards

Under Part 2 of the Bill, organisations delivering essential or digital services will be expected to proactively manage cyber risk, including throughout their supply chains. The Bill introduces mandatory incident reporting within 24 hours (Section 15), with full reports due within 72 hours. Failing to comply may result in financial penalties of up to £17,000,000 or 10% of global turnover (Section 21), plus daily penalties of up to £100,000 for continuing violations (Section 49).

Part 4 grants the Secretary of State new powers to issue national security directions to regulated entities, while Part 3 establishes strategic priorities and codes of practice. Now is the time to assess your readiness. CSRB will reshape how UK businesses approach resilience, compliance, and security - and inaction is no longer an option.

Who's Affected

CSRB significantly expands the scope of organisations required to comply with cybersecurity regulations. Is your organisation on this list?

Managed Service Providers (MSPs)

If you provide ongoing IT management, support, or monitoring services, you're now regulated. Must register within 3 months and comply with security duties. Small businesses (micro/small enterprises) are exempt.

Cloud Service Providers

Cloud computing, online marketplaces, and search engines are now 'relevant digital services' under CSRB. Must register, implement security measures, and report incidents within 24-72 hours.

Data Centres

Data centres with 1MW+ capacity (or 10MW+ for enterprise-only) are now essential services. Must register within 3 months, report incidents, and notify customers of security breaches.

Public Services

Local authorities, councils, and government departments providing essential services are directly in scope. Enhanced cybersecurity and resilience requirements apply, even if you generate commercial income.

NHS Organisations

Hospitals and NHS trusts are critical infrastructure providers. Must implement comprehensive security measures, report incidents within 24-72 hours, and notify patients of data breaches.

Critical Suppliers

Suppliers to regulated organisations can be designated as 'critical suppliers' if their failure would disrupt national infrastructure. Even small businesses can be designated and face the same regulatory duties.

Key Changes

CSRB introduces several major reforms to the UK's cybersecurity landscape. Here's what you need to know:

Bringing More Organisations Into the Frame

Part 2, Chapter 1 of the Bill significantly expands who must comply with cyber regulations. Section 9 brings Managed Service Providers (MSPs) into scope as 'Relevant Managed Service Providers' (RMSPs), subject to security duties under Section 10. Section 4 designates data centres as essential services with thresholds of 1MW (general) or 10MW (enterprise-only). Section 6 brings large load controllers (300MW+) into scope. Section 12 allows designation of critical suppliers. These changes close major gaps in the UK's cyber defence chain, bringing hundreds of previously unregulated entities under oversight.

Need help preparing?

Our compliance team can guide you through the new requirements


Compliance Challenges

What It Takes to Stay Secure - and Within the Law

The Cyber Security and Resilience (Network and Information Systems) Bill (Bill 329) introduces ambitious new standards for digital resilience across the UK. With 5 Parts and 61 sections, the legislation creates comprehensive regulatory frameworks covering incident reporting (Part 2, Chapter 2), enforcement powers (Part 2, Chapter 3), strategic priorities (Part 3, Chapter 2), and national security directions (Part 4). Compliance isn't just ticking a box - it's a fundamental shift in how organisations govern, secure, and audit their digital infrastructure. Meeting these standards will demand clear governance, technical maturity, and operational discipline.

Key Requirements

24/72 Hour Incident Reporting

Section 15 mandates initial notification within 24 hours and a full report within 72 hours of becoming aware of an incident. Organisations must notify both the competent authority and the CSIRT. Customer notification is required 'as soon as reasonably practicable' (Section 16).

Registration & Information Duties

Sections 13-14 require registration within 3 months of becoming regulated. Organisations must provide company details, directors, and contact information. Updates must be notified within 7 days. Non-UK entities must nominate a UK representative.

Supply Chain & Critical Suppliers

Section 12 allows designation of critical suppliers. Section 30(3) enables requirements on 'activity-critical supplies'. Organisations must actively manage cyber risks throughout supply chains.

Regulatory Inspections & Information Requests

Section 20 grants powers to require information and documents. Schedule 1 strengthens inspection powers (Regulation 16), allowing on-site inspections, document examination, and system testing. Organisations must cooperate and pay reasonable costs.

Financial Penalties Up to £17M

Section 21 sets maximum penalties: £17,000,000 or 10% of global turnover for serious failures; £10,000,000 or 2% for standard failures. Section 49 allows daily penalties: £100,000/day for national security violations, £50,000/day for information/inspection failures.


Ready for CSRB?

Many organisations will need to overhaul their cyber policies, documentation, and infrastructure to comply. Can you demonstrate secure supply chains, respond to threats in real-time, and pass regulatory scrutiny?


How Precursor Security Can Help

Our tailored solutions ensure your organisation stays compliant with the Cyber Security and Resilience Bill while strengthening your overall security posture.

Mandatory Reporting Response (Section 15)

Managed SOC / MDR

Our SOC workflows are engineered to meet Section 15 mandates. We provide the triage and forensics you need for the Regulator within the strict 24-hour statutory window.


Attack Vector Validation (Reg 14B)

Penetration Testing

Don't just scan—validate. Our ethical hackers test against 'state of the art' vectors to ensure you meet the specific security duties outlined in Regulation 14B.


The 'Section 15' Insurance

Incident Response Retainer

Technical buyers fear the deadline. Our retainer guarantees 'Regulatory Notification Assistance'—we handle the forensics required for your 72-hour full report.


Latest Insights

Stay updated with the latest developments, compliance guidance, and expert analysis on the Cyber Security and Resilience Bill.

The Cyber Security and Resilience Bill 2026: A Definitive Analysis

A definitive analysis of the Cyber Security and Resilience Bill (Bill 329) following its Jan 6, 2026 Second Reading. Covers the expanded scope for MSPs, 24-hour reporting, and strategic compliance.

Precursor Security Team
14 Jan 2026
9 min read

The Cyber Security and Resilience Bill: January 2026 Update & Strategic Analysis

Bill 329 passed its Second Reading on Jan 6, 2026. This legal update analyzes the new 24-hour reporting mandate, 'RMSP' designation, and the public vs. private sector split.

Precursor Security Team
13 Jan 2026
8 min read

Cyber Security and Resilience Bill Introduced to Parliament: Key Changes and What to Expect

The Cyber Security and Resilience (Network and Information Systems) Bill was formally introduced to Parliament on 12th November 2025. Here's what organisations need to know about the key changes, expanded scope, and what to expect as the Bill progresses through the legislative process.

Precursor Security
13 Nov 2025
21 min read

What is the UK Cyber Security and Resilience Bill (CSRB) and Why Should You Care?

The UK Cyber Security and Resilience Bill (CSRB) is the biggest shake-up of UK cyber legislation in years - expanding scope, tightening reporting rules, and making resilience a legal obligation for organisations.

Precursor Security
29 Aug 2025
15 min read


Implementation Timeline

Key milestones in the Cyber Security and Resilience Bill's journey from announcement to enforcement.

17 July 2024

CSRB announced during the State Opening of Parliament

The Labour government commits to strengthening UK cyber security through new legislation in the King's Speech.

1 April 2025

CSRB Policy Statement published

Government outlines planned measures and legislative intent, including MSPs, data centres, and reporting mandates.

12 November 2025

Bill 329 Introduced to Parliament

The Cyber Security and Resilience (Network and Information Systems) Bill is formally introduced as Bill 329. The Bill contains 5 Parts, 61 sections, and 2 Schedules.

2025-2026

Parliamentary Process

The Bill proceeds through First Reading, Committee Stage, Report Stage, and Third Reading in both Houses of Parliament.

Late 2025 / 2026

Royal Assent & Commencement

Once Royal Assent is granted, provisions come into force as specified in Section 60. Some provisions are immediate, others require regulations. Organisations must begin complying with new requirements.

Free CSRB Consultation

Ready to Secure Your Future?

Book a free consultation with our CSRB experts and discover how we can help your organisation achieve compliance while strengthening your cyber resilience.

What You'll Get

Personalised CSRB Assessment

Understand exactly how CSRB affects your organisation

Compliance Roadmap

Clear next steps to achieve and maintain compliance

Expert Guidance

Direct access to our cybersecurity compliance specialists