Join Our Mailing List

Be the first to hear about updates

Be the first to hear about updates on the Cyber Security and Resilience Bill. Stay informed about compliance requirements, key changes, and important announcements.

Bill update - now in the House of Lords (HL Bill 32)

The Cyber Security and Resilience Billexplained - UK 2026 guide

What it means, who it affects, and how to stay compliant - in plain English.

Executive summary

What is the Cyber Security and Resilience Bill?

The Cyber Security and Resilience Bill (Bill 329) is the UK's response to the evolving digital threat landscape. Introduced to Parliament on 12 November 2025, it cleared all its House of Commons stages and is now before the House of Lords (HL Bill 32, since 17 June 2026), with Royal Assent expected in late 2026. It updates the 2018 NIS Regulations to secure critical national infrastructure and digital supply chains.

Crucially, it expands regulatory scope to include Managed Service Providers (MSPs) and Data Centres, designating them as critical infrastructure. It mandates 24-hour incident reporting, introduces "near miss" reporting duties, and empowers regulators (ICO, Ofcom) to levy fines up to £17 million or 4% of global turnover.

Legislative dashboard

The Bill at a glance

Key metrics, thresholds and status for compliance leaders.

Bill Status

House of Lords (HL Bill 32)

UK Parliament

Maximum Penalty

£17M or 4% turnover

Section 21

Incident Reporting

24h initial / 72h full

Section 15 · Regulation 11

Data Centre Threshold

1 MW (general)

Schedule 2

Enterprise Data Centre

10 MW IT load

Schedule 2

Royal Assent

Expected late 2026

Then phased commencement

Overview

What is the Cyber Security and Resilience Bill?

The Cyber Security and Resilience (Network and Information Systems) Bill was introduced to Parliament on 12th November 2025 as Bill 329. It cleared all its House of Commons stages and was passed to the House of Lords on 17 June 2026 (now HL Bill 32), where it is progressing towards Royal Assent. It is the UK's most comprehensive update to cyber legislation in over a decade, significantly expanding the scope of the existing NIS Regulations 2018 to include managed service providers, cloud platforms, data centres, and critical suppliers.

Mandatory incident reporting

Initial notification within 24 hours and a full report within 72 hours, copied to the CSIRT.

Stronger regulatory oversight

New information-gathering, inspection and enforcement powers for regulators, with significant penalties.

Tougher compliance standards

Proactive risk management across your organisation and supply chain, aligned to the NCSC CAF.

Under Part 2, organisations delivering essential or digital services must proactively manage cyber risk, including across their supply chains. The Bill introduces mandatory incident reporting within 24 hours (Section 15), with full reports due within 72 hours. Failing to comply may result in penalties of up to £17,000,000 or 4% of global turnover (Section 21), with the most serious national security breaches attracting up to £17,000,000 or 10% of turnover plus daily penalties of up to £100,000 (Section 49).

Part 4 grants the Secretary of State new powers to issue national security directions, while Part 3 establishes strategic priorities and codes of practice. Now is the time to assess your readiness - the Cyber Security and Resilience Bill (CSRB) will reshape how UK organisations approach resilience, compliance, and security.

Key Changes

The Cyber Security and Resilience Bill introduces several major reforms to the UK's cybersecurity landscape. Here's what you need to know:

Bringing More Organisations Into the Frame

Part 2, Chapter 1 of the Bill significantly expands who must comply with cyber regulations. Section 9 brings Managed Service Providers (MSPs) into scope as 'Relevant Managed Service Providers' (RMSPs), subject to security duties under Section 10. Section 4 designates data centres as essential services with thresholds of 1MW (general) or 10MW (enterprise-only). Section 6 brings large load controllers (300MW+) into scope. Section 12 allows designation of critical suppliers. These changes close major gaps in the UK's cyber defence chain, bringing hundreds of previously unregulated entities under oversight.

Need help preparing?

Our compliance team can guide you through the new requirements

Talk to our compliance team
Compliance challenges

What it takes to stay secure - and within the law

With 5 Parts and 61 sections, the Cyber Security and Resilience Bill is a fundamental shift in how organisations govern, secure, and audit their digital infrastructure.

24 / 72-hour incident reporting

Section 15 mandates initial notification within 24 hours and a full report within 72 hours - to the competent authority and the CSIRT. Customer notification follows 'as soon as reasonably practicable' (Section 16).

Registration & information duties

Sections 13-14 require registration within 3 months of becoming regulated - company details, directors, and contacts. Updates within 7 days; non-UK entities must nominate a UK representative.

Supply chain & critical suppliers

Section 12 allows designation of critical suppliers, and Section 30(3) enables requirements on 'activity-critical supplies'. You must actively manage cyber risk across your supply chain.

Regulatory inspections & requests

Section 20 grants powers to require information and documents. Schedule 1 strengthens inspection powers - on-site inspections, document examination, and system testing.

Financial penalties up to £17M

Section 21 sets maximum penalties of £17,000,000 or 4% of global turnover for serious failures (£10,000,000 or 2% for standard failures). Section 49 adds daily penalties of up to £100,000.

Are you ready for the Cyber Security and Resilience Bill?

Most organisations will need to overhaul their cyber policies, documentation, and infrastructure to comply.

  • Demonstrate secure, mapped supply chains
  • Respond to incidents in real time
  • Produce regulator reports within 24/72 hours
  • Pass on-site inspections and audits
Get a readiness assessment
Precursor Security
How we help

How Precursor Security can help

Tailored solutions that keep your organisation compliant with the Cyber Security and Resilience Bill while strengthening your overall security posture.

Managed SOC / MDR

Mandatory Reporting Response

Our SOC workflows are engineered to meet Section 15 mandates - the triage and forensics you need for the regulator within the strict 24-hour statutory window.

Learn more

Penetration Testing

Attack Vector Validation

Don't just scan - validate. Our ethical hackers test against 'state of the art' vectors to ensure you meet the specific security duties in Regulation 14B.

Learn more

The "Section 15" insurance

Incident Response Retainer

Buyers fear the deadline. Our retainer guarantees regulatory notification assistance - we handle the forensics required for your 72-hour full report.

Learn more

Latest Insights

Stay updated with the latest developments, compliance guidance, and expert analysis on the Cyber Security and Resilience Bill.

UK Cyber Resilience Pledge: 60 Firms Commit Ahead of CSRB

Technology Secretary Liz Kendall formally launched the Cyber Resilience Pledge at Number 10 Downing Street on 7 July 2026, with 60+ signatories including M&S, Nationwide, Vodafone and NCC Group. Here is what the three commitments mean for organisations preparing for CSRB compliance.

Precursor Security
9 Jul 2026
6 min read

The UK Cyber Resilience Pledge: What It Means for CSRB Compliance

The UK government launched its Cyber Resilience Pledge at No. 10 on 7 July 2026, with 60+ founding signatories including M&S, Capita, Microsoft UK and Vodafone. Here is what the Pledge's three commitments reveal about the CSRB's direction of travel - and what it means for organisations both in and out of scope.

Precursor Security
8 Jul 2026
6 min read

UK Cyber Breaches Survey 2026: The CSRB Compliance Gap

DSIT's Cyber Security Breaches Survey 2025/2026 found that only 40% of breached UK businesses reported externally, and only 25% have a formal incident response plan. Here is what those numbers mean for organisations that will be subject to the CSRB's mandatory 24/72-hour reporting regime.

Precursor Security
3 Jul 2026
6 min read

CSRB Lords Second Reading Scheduled for 14 July 2026

The House of Lords has scheduled its Second Reading of HL Bill 32 for 14 July 2026, accompanied by a new Lords Library briefing. Here is what the Lords debate will cover, which issues are likely to be raised, and what the timetable means for organisations preparing for compliance.

Precursor Security
26 Jun 2026
6 min read

Five Eyes AI Warning and the CSRB: What Boards Must Know

On 17 June 2026 the NCSC CEO told RUSI that 75% of UK critical infrastructure attacks are state-linked. Five days later the Five Eyes agencies warned AI is compressing cyber threat timelines to months. Here is what both signals mean for organisations in scope of the Cyber Security and Resilience Bill now before the Lords.

Precursor Security
23 Jun 2026
7 min read

Cyber Security and Resilience Bill Clears the Commons: Where It Stands in 2026

The Cyber Security and Resilience Bill has passed all of its House of Commons stages and moved to the House of Lords (now HL Bill 32). Here's the up-to-date timeline, what changed during its passage - including Ofcom becoming the sole data centre regulator - and what organisations should do before Royal Assent, expected in late 2026.

Precursor Security
21 Jun 2026
8 min read

Stay Informed About Cyber Security and Resilience Bill Updates

Be the first to hear about updates on the Cyber Security and Resilience Bill. Get notified about compliance requirements, key changes, and important announcements.

We respect your privacy. Unsubscribe at any time.

Implementation Timeline

Key milestones in the Cyber Security Resilience Bill's journey from announcement to enforcement.

17 July 2024

Cyber Security and Resilience Bill announced in the King's Speech

The Government commits to strengthening UK cyber security through new legislation during the State Opening of Parliament.

1 April 2025

Cyber Security and Resilience Bill Policy Statement published

Government outlines planned measures and legislative intent, including MSPs, data centres, and reporting mandates.

12 November 2025

Introduced to the Commons (Bill 329)

The Cyber Security and Resilience (Network and Information Systems) Bill receives its First Reading in the House of Commons as Bill 329.

Jan - Feb 2026

Second Reading & Committee Stage

Second Reading on 6 January 2026, followed by Committee Stage from 3 February. The Bill is amended in committee and reprinted (Bill 385) on 25 February 2026.

16 June 2026

Passed by the House of Commons

After being carried over into the 2026-27 session, the Bill completes Report Stage and Third Reading in the Commons and passes to the House of Lords.

17 June 2026

Introduced to the House of Lords (HL Bill 32)

The Bill is brought from the Commons and receives its First Reading in the Lords as HL Bill 32.

14 July 2026

Lords Second Reading (scheduled)

The House of Lords debates the general principles of HL Bill 32 at Second Reading. The Lords Library has published briefing LLN-2026-0032 to accompany the debate.

Expected late 2026

Royal Assent & Commencement

Once the Lords stages conclude and Royal Assent is granted, provisions come into force as set out in the Bill - some immediately, others by regulation. Organisations should prepare now.

Free Cyber Security and Resilience Bill Consultation

Ready to Secure Your Future?

Book a free consultation with our Cyber Security and Resilience Bill experts and discover how we can help your organisation achieve compliance while strengthening your cyber resilience.

What You'll Get

Personalised Cyber Security and Resilience Bill Assessment

Understand exactly how the Cyber Security and Resilience Bill affects your organisation

Compliance Roadmap

Clear next steps to achieve and maintain compliance

Expert Guidance

Direct access to our cybersecurity compliance specialists