The Cyber Security and Resilience Billexplained - UK 2026 guide
What it means, who it affects, and how to stay compliant - in plain English.
What is the Cyber Security and Resilience Bill?
The Cyber Security and Resilience Bill (Bill 329) is the UK's response to the evolving digital threat landscape. Introduced to Parliament on 12 November 2025, it cleared all its House of Commons stages and is now before the House of Lords (HL Bill 32, since 17 June 2026), with Royal Assent expected in late 2026. It updates the 2018 NIS Regulations to secure critical national infrastructure and digital supply chains.
Crucially, it expands regulatory scope to include Managed Service Providers (MSPs) and Data Centres, designating them as critical infrastructure. It mandates 24-hour incident reporting, introduces "near miss" reporting duties, and empowers regulators (ICO, Ofcom) to levy fines up to £17 million or 4% of global turnover.
The Bill at a glance
Key metrics, thresholds and status for compliance leaders.
Bill Status
House of Lords (HL Bill 32)
UK Parliament
Maximum Penalty
£17M or 4% turnover
Section 21
Incident Reporting
24h initial / 72h full
Section 15 · Regulation 11
Data Centre Threshold
1 MW (general)
Schedule 2
Enterprise Data Centre
10 MW IT load
Schedule 2
Royal Assent
Expected late 2026
Then phased commencement
What is the Cyber Security and Resilience Bill?
The Cyber Security and Resilience (Network and Information Systems) Bill was introduced to Parliament on 12th November 2025 as Bill 329. It cleared all its House of Commons stages and was passed to the House of Lords on 17 June 2026 (now HL Bill 32), where it is progressing towards Royal Assent. It is the UK's most comprehensive update to cyber legislation in over a decade, significantly expanding the scope of the existing NIS Regulations 2018 to include managed service providers, cloud platforms, data centres, and critical suppliers.
Mandatory incident reporting
Initial notification within 24 hours and a full report within 72 hours, copied to the CSIRT.
Stronger regulatory oversight
New information-gathering, inspection and enforcement powers for regulators, with significant penalties.
Tougher compliance standards
Proactive risk management across your organisation and supply chain, aligned to the NCSC CAF.
Under Part 2, organisations delivering essential or digital services must proactively manage cyber risk, including across their supply chains. The Bill introduces mandatory incident reporting within 24 hours (Section 15), with full reports due within 72 hours. Failing to comply may result in penalties of up to £17,000,000 or 4% of global turnover (Section 21), with the most serious national security breaches attracting up to £17,000,000 or 10% of turnover plus daily penalties of up to £100,000 (Section 49).
Part 4 grants the Secretary of State new powers to issue national security directions, while Part 3 establishes strategic priorities and codes of practice. Now is the time to assess your readiness - the Cyber Security and Resilience Bill (CSRB) will reshape how UK organisations approach resilience, compliance, and security.
Is your organisation in scope?
The Cyber Security and Resilience Bill significantly expands the range of organisations required to comply. These sectors are now directly in scope.
Managed Service Providers (MSPs)
Provide ongoing IT management, support, or monitoring? You're now regulated - register within 3 months and meet security duties. Micro and small enterprises are exempt.
Learn moreCloud Service Providers
Cloud computing, online marketplaces, and search engines are 'relevant digital services'. Register, implement security measures, and report incidents within 24-72 hours.
Learn moreData Centres
Data centres at 1MW+ (or 10MW+ enterprise-only) are now essential services. Register within 3 months, report incidents, and notify customers of breaches.
Learn morePublic Services
Local authorities, councils, and government departments delivering essential services are directly in scope - even where they generate commercial income.
Learn moreNHS Organisations
Hospitals and NHS trusts are critical infrastructure. Implement comprehensive security measures, report incidents within 24-72 hours, and notify patients of data breaches.
Learn moreCritical Suppliers
Suppliers whose failure would disrupt national infrastructure can be designated as critical suppliers - even small businesses - and face the same regulatory duties.
Learn moreKey Changes
The Cyber Security and Resilience Bill introduces several major reforms to the UK's cybersecurity landscape. Here's what you need to know:
Bringing More Organisations Into the Frame
Part 2, Chapter 1 of the Bill significantly expands who must comply with cyber regulations. Section 9 brings Managed Service Providers (MSPs) into scope as 'Relevant Managed Service Providers' (RMSPs), subject to security duties under Section 10. Section 4 designates data centres as essential services with thresholds of 1MW (general) or 10MW (enterprise-only). Section 6 brings large load controllers (300MW+) into scope. Section 12 allows designation of critical suppliers. These changes close major gaps in the UK's cyber defence chain, bringing hundreds of previously unregulated entities under oversight.
Need help preparing?
Our compliance team can guide you through the new requirements
Talk to our compliance teamBringing More Organisations Into the Frame
Part 2, Chapter 1 of the Bill significantly expands who must comply with cyber regulations. Section 9 brings Managed Service Providers (MSPs) into scope as 'Relevant Managed Service Providers' (RMSPs), subject to security duties under Section 10. Section 4 designates data centres as essential services with thresholds of 1MW (general) or 10MW (enterprise-only). Section 6 brings large load controllers (300MW+) into scope. Section 12 allows designation of critical suppliers. These changes close major gaps in the UK's cyber defence chain, bringing hundreds of previously unregulated entities under oversight.
Need help preparing for these changes?
Our compliance team can guide you through the new requirements
What it takes to stay secure - and within the law
With 5 Parts and 61 sections, the Cyber Security and Resilience Bill is a fundamental shift in how organisations govern, secure, and audit their digital infrastructure.
24 / 72-hour incident reporting
Section 15 mandates initial notification within 24 hours and a full report within 72 hours - to the competent authority and the CSIRT. Customer notification follows 'as soon as reasonably practicable' (Section 16).
Registration & information duties
Sections 13-14 require registration within 3 months of becoming regulated - company details, directors, and contacts. Updates within 7 days; non-UK entities must nominate a UK representative.
Supply chain & critical suppliers
Section 12 allows designation of critical suppliers, and Section 30(3) enables requirements on 'activity-critical supplies'. You must actively manage cyber risk across your supply chain.
Regulatory inspections & requests
Section 20 grants powers to require information and documents. Schedule 1 strengthens inspection powers - on-site inspections, document examination, and system testing.
Financial penalties up to £17M
Section 21 sets maximum penalties of £17,000,000 or 4% of global turnover for serious failures (£10,000,000 or 2% for standard failures). Section 49 adds daily penalties of up to £100,000.
Are you ready for the Cyber Security and Resilience Bill?
Most organisations will need to overhaul their cyber policies, documentation, and infrastructure to comply.
- Demonstrate secure, mapped supply chains
- Respond to incidents in real time
- Produce regulator reports within 24/72 hours
- Pass on-site inspections and audits
How Precursor Security can help
Tailored solutions that keep your organisation compliant with the Cyber Security and Resilience Bill while strengthening your overall security posture.
Managed SOC / MDR
Mandatory Reporting Response
Our SOC workflows are engineered to meet Section 15 mandates - the triage and forensics you need for the regulator within the strict 24-hour statutory window.
Learn morePenetration Testing
Attack Vector Validation
Don't just scan - validate. Our ethical hackers test against 'state of the art' vectors to ensure you meet the specific security duties in Regulation 14B.
Learn moreThe "Section 15" insurance
Incident Response Retainer
Buyers fear the deadline. Our retainer guarantees regulatory notification assistance - we handle the forensics required for your 72-hour full report.
Learn moreLatest Insights
Stay updated with the latest developments, compliance guidance, and expert analysis on the Cyber Security and Resilience Bill.
UK Cyber Resilience Pledge: 60 Firms Commit Ahead of CSRB
Technology Secretary Liz Kendall formally launched the Cyber Resilience Pledge at Number 10 Downing Street on 7 July 2026, with 60+ signatories including M&S, Nationwide, Vodafone and NCC Group. Here is what the three commitments mean for organisations preparing for CSRB compliance.
The UK Cyber Resilience Pledge: What It Means for CSRB Compliance
The UK government launched its Cyber Resilience Pledge at No. 10 on 7 July 2026, with 60+ founding signatories including M&S, Capita, Microsoft UK and Vodafone. Here is what the Pledge's three commitments reveal about the CSRB's direction of travel - and what it means for organisations both in and out of scope.
UK Cyber Breaches Survey 2026: The CSRB Compliance Gap
DSIT's Cyber Security Breaches Survey 2025/2026 found that only 40% of breached UK businesses reported externally, and only 25% have a formal incident response plan. Here is what those numbers mean for organisations that will be subject to the CSRB's mandatory 24/72-hour reporting regime.
CSRB Lords Second Reading Scheduled for 14 July 2026
The House of Lords has scheduled its Second Reading of HL Bill 32 for 14 July 2026, accompanied by a new Lords Library briefing. Here is what the Lords debate will cover, which issues are likely to be raised, and what the timetable means for organisations preparing for compliance.
Five Eyes AI Warning and the CSRB: What Boards Must Know
On 17 June 2026 the NCSC CEO told RUSI that 75% of UK critical infrastructure attacks are state-linked. Five days later the Five Eyes agencies warned AI is compressing cyber threat timelines to months. Here is what both signals mean for organisations in scope of the Cyber Security and Resilience Bill now before the Lords.
Cyber Security and Resilience Bill Clears the Commons: Where It Stands in 2026
The Cyber Security and Resilience Bill has passed all of its House of Commons stages and moved to the House of Lords (now HL Bill 32). Here's the up-to-date timeline, what changed during its passage - including Ofcom becoming the sole data centre regulator - and what organisations should do before Royal Assent, expected in late 2026.
Stay Informed About Cyber Security and Resilience Bill Updates
Be the first to hear about updates on the Cyber Security and Resilience Bill. Get notified about compliance requirements, key changes, and important announcements.
Implementation Timeline
Key milestones in the Cyber Security Resilience Bill's journey from announcement to enforcement.
17 July 2024
Cyber Security and Resilience Bill announced in the King's Speech
The Government commits to strengthening UK cyber security through new legislation during the State Opening of Parliament.
17 July 2024
Cyber Security and Resilience Bill announced in the King's Speech
The Government commits to strengthening UK cyber security through new legislation during the State Opening of Parliament.
1 April 2025
Cyber Security and Resilience Bill Policy Statement published
Government outlines planned measures and legislative intent, including MSPs, data centres, and reporting mandates.
1 April 2025
Cyber Security and Resilience Bill Policy Statement published
Government outlines planned measures and legislative intent, including MSPs, data centres, and reporting mandates.
12 November 2025
Introduced to the Commons (Bill 329)
The Cyber Security and Resilience (Network and Information Systems) Bill receives its First Reading in the House of Commons as Bill 329.
12 November 2025
Introduced to the Commons (Bill 329)
The Cyber Security and Resilience (Network and Information Systems) Bill receives its First Reading in the House of Commons as Bill 329.
Jan - Feb 2026
Second Reading & Committee Stage
Second Reading on 6 January 2026, followed by Committee Stage from 3 February. The Bill is amended in committee and reprinted (Bill 385) on 25 February 2026.
Jan - Feb 2026
Second Reading & Committee Stage
Second Reading on 6 January 2026, followed by Committee Stage from 3 February. The Bill is amended in committee and reprinted (Bill 385) on 25 February 2026.
16 June 2026
Passed by the House of Commons
After being carried over into the 2026-27 session, the Bill completes Report Stage and Third Reading in the Commons and passes to the House of Lords.
16 June 2026
Passed by the House of Commons
After being carried over into the 2026-27 session, the Bill completes Report Stage and Third Reading in the Commons and passes to the House of Lords.
17 June 2026
Introduced to the House of Lords (HL Bill 32)
The Bill is brought from the Commons and receives its First Reading in the Lords as HL Bill 32.
17 June 2026
Introduced to the House of Lords (HL Bill 32)
The Bill is brought from the Commons and receives its First Reading in the Lords as HL Bill 32.
14 July 2026
Lords Second Reading (scheduled)
The House of Lords debates the general principles of HL Bill 32 at Second Reading. The Lords Library has published briefing LLN-2026-0032 to accompany the debate.
14 July 2026
Lords Second Reading (scheduled)
The House of Lords debates the general principles of HL Bill 32 at Second Reading. The Lords Library has published briefing LLN-2026-0032 to accompany the debate.
Expected late 2026
Royal Assent & Commencement
Once the Lords stages conclude and Royal Assent is granted, provisions come into force as set out in the Bill - some immediately, others by regulation. Organisations should prepare now.
Expected late 2026
Royal Assent & Commencement
Once the Lords stages conclude and Royal Assent is granted, provisions come into force as set out in the Bill - some immediately, others by regulation. Organisations should prepare now.
17 July 2024
Cyber Security and Resilience Bill announced in the King's Speech
The Government commits to strengthening UK cyber security through new legislation during the State Opening of Parliament.
17 July 2024
Cyber Security and Resilience Bill announced in the King's Speech
The Government commits to strengthening UK cyber security through new legislation during the State Opening of Parliament.
1 April 2025
Cyber Security and Resilience Bill Policy Statement published
Government outlines planned measures and legislative intent, including MSPs, data centres, and reporting mandates.
1 April 2025
Cyber Security and Resilience Bill Policy Statement published
Government outlines planned measures and legislative intent, including MSPs, data centres, and reporting mandates.
12 November 2025
Introduced to the Commons (Bill 329)
The Cyber Security and Resilience (Network and Information Systems) Bill receives its First Reading in the House of Commons as Bill 329.
12 November 2025
Introduced to the Commons (Bill 329)
The Cyber Security and Resilience (Network and Information Systems) Bill receives its First Reading in the House of Commons as Bill 329.
Jan - Feb 2026
Second Reading & Committee Stage
Second Reading on 6 January 2026, followed by Committee Stage from 3 February. The Bill is amended in committee and reprinted (Bill 385) on 25 February 2026.
Jan - Feb 2026
Second Reading & Committee Stage
Second Reading on 6 January 2026, followed by Committee Stage from 3 February. The Bill is amended in committee and reprinted (Bill 385) on 25 February 2026.
16 June 2026
Passed by the House of Commons
After being carried over into the 2026-27 session, the Bill completes Report Stage and Third Reading in the Commons and passes to the House of Lords.
16 June 2026
Passed by the House of Commons
After being carried over into the 2026-27 session, the Bill completes Report Stage and Third Reading in the Commons and passes to the House of Lords.
17 June 2026
Introduced to the House of Lords (HL Bill 32)
The Bill is brought from the Commons and receives its First Reading in the Lords as HL Bill 32.
17 June 2026
Introduced to the House of Lords (HL Bill 32)
The Bill is brought from the Commons and receives its First Reading in the Lords as HL Bill 32.
14 July 2026
Lords Second Reading (scheduled)
The House of Lords debates the general principles of HL Bill 32 at Second Reading. The Lords Library has published briefing LLN-2026-0032 to accompany the debate.
14 July 2026
Lords Second Reading (scheduled)
The House of Lords debates the general principles of HL Bill 32 at Second Reading. The Lords Library has published briefing LLN-2026-0032 to accompany the debate.
Expected late 2026
Royal Assent & Commencement
Once the Lords stages conclude and Royal Assent is granted, provisions come into force as set out in the Bill - some immediately, others by regulation. Organisations should prepare now.
Expected late 2026
Royal Assent & Commencement
Once the Lords stages conclude and Royal Assent is granted, provisions come into force as set out in the Bill - some immediately, others by regulation. Organisations should prepare now.
Ready to Secure Your Future?
Book a free consultation with our Cyber Security and Resilience Bill experts and discover how we can help your organisation achieve compliance while strengthening your cyber resilience.
What You'll Get
Personalised Cyber Security and Resilience Bill Assessment
Understand exactly how the Cyber Security and Resilience Bill affects your organisation
Compliance Roadmap
Clear next steps to achieve and maintain compliance
Expert Guidance
Direct access to our cybersecurity compliance specialists