Cyber Security and Resilience (Network and Information Systems) Bill

Lifecycle: Implementation

Department for Energy Security and Net Zero · Department for Science, Innovation and Technology · Information Commissioner's Office · National Cyber Security Centre · Ofgem · Regulatory Policy Committee

Summary

What this is

A Government Bill introduced on 12 November 2025 to strengthen the security and resilience of UK network and information systems, principally by amending the Network and Information Systems Regulations 2018 to expand scope (managed service providers, data centres, critical suppliers), tighten incident reporting, and add national-security direction powers.

Why it matters

The 2018 NIS Regulations were judged in successive post-implementation reviews to need updating, and high-profile attacks (Synnovis ransomware on NHS pathology, Electoral Commission, MoD personnel data via a third-party supplier) have exposed gaps in scope and reporting that the Bill is designed to close.

Current status

The Bill cleared Public Bill Committee on 24 February 2026, was reprinted as Bill 385 as amended in committee, and is at Report Stage in the Commons; an amendment paper for 30 April 2026 lists multiple Liberal Democrat, Conservative and Labour new clauses (SME support service, foreign-power registers, last-resort AI/data-centre shutdown powers, electoral infrastructure as essential services).

What changed recently

  • 30 Apr 2026 — Report Stage amendment paper published with 16 new clauses covering SME cyber support, foreign-state risk registers, digital sovereignty strategies, board oversight duties and AI/data-centre shutdown powers.
  • 25 Feb 2026 — Bill reprinted as Bill 385 as amended in Public Bill Committee, with a Keeling schedule showing the amended NIS Regulations 2018 published in January.
  • 3 Feb 2026 — Public Bill Committee began oral evidence and clause-by-clause scrutiny, with 40+ written evidence submissions from operators (National Grid, National Gas), platforms (Microsoft, Cloudflare, Infoblox), trade bodies (techUK, ISPA, UK Finance, ABI) and civil society (Liberty / Privacy International, Open Rights Group, CyberUp).
  • 14 Jan 2026 — Ofgem published v3.0 of its NIS Guidance for downstream gas and electricity Operators of Essential Services in Great Britain, updating sectoral compliance expectations ahead of the Bill.
  • 6 Jan 2026 — Second Reading in the Commons, opened by the Minister for Digital Government and Data, Ian Murray.

Stakeholders

Sponsoring department (1)

  • Department for Science, Innovation and Technology
    Sponsoring department; published the Bill, Explanatory Notes, Impact Assessment and Delegated Powers Memorandum on 12 November 2025 and the policy statement in April 2025.

Sponsoring minister (2)

  • Liz Kendall
    Secretary of State for Science, Innovation and Technology and named sponsor of the Bill on the Parliament Bills API.
  • Ian Murray
    Minister for Digital Government and Data; moved Second Reading on 6 January 2026 and is the lead Commons voice on the Bill.

Lead committee (2)

  • Public Bill Committee on the CSR (NIS) Bill
    Took oral and written evidence and conducted clause-by-clause scrutiny between 3 and 24 February 2026, chaired in rotation by Emma Lewell, Esther McVey, Dr Andrew Murrison and Graham Stringer.
  • Regulatory Policy Committee
    Published an opinion on DSIT's impact assessment for the Bill and submitted written evidence (CSRB34) to the Public Bill Committee.

Witnesses & evidence-givers (12)

  • National Grid
    Submitted written evidence (CSRB40) as an operator of essential services in the energy sector.
  • National Gas
    Submitted written evidence (CSRB20) as a gas-transmission operator of essential services.
  • Microsoft
    Submitted written evidence (CSRB39) as a major digital/cloud service provider affected by expanded scope.
  • Cloudflare
    Submitted written evidence (CSRB38) on digital infrastructure obligations.
  • techUK
    Submitted supplementary written evidence (CSRB37) representing the technology trade body view on scope and burden.
  • UK Finance
    Submitted written evidence (CSRB14) on incident reporting interactions with financial-services regulation.
  • Association of British Insurers
    Submitted written evidence (CSRB23) on the implications for cyber-insurance markets.
  • British Insurance Brokers' Association
    Submitted written evidence (CSRB28) on broker-distribution effects of expanded duties.
  • Internet Services Providers' Association
    Submitted written evidence (CSRB22) on impact on ISPs and digital infrastructure operators.
  • VIRTUS Data Centres
    Submitted written evidence (CSRB31) on the new data-centre scope.
  • CrowdStrike
    Submitted written evidence (CSRB30) on incident detection and supply-chain risk.
  • NCC Group
    Submitted supplementary written evidence (CSRB29) on technical assurance and pen-testing.

Regulator / delivery programme (4)

  • National Cyber Security Centre
    Technical authority for NIS implementation; named in the November 2025 WMS on the Synnovis ransomware attack as the lead body informing the Bill's measures.
  • Ofgem
    Joint competent authority (with DESNZ) for the downstream gas and electricity sector; published NIS Guidance v3.0 in January 2026 alongside the Bill.
  • Department for Energy Security and Net Zero
    Competent authority for the energy sector; issued statutory NIS policy guidance in September 2023 underpinning sectoral compliance.
  • Information Commissioner
    Competent authority for relevant digital service providers; the 2021 SI explicitly redirected DSP risk-management criteria to ICO guidance.

Commentator (7)

  • Victoria Collins
    Liberal Democrats — lead author of the Liberal Democrat amendments at Report Stage, tabling new clauses on SME cyber support, foreign-power review, critical manufacturing/retail, Computer Misuse Act review and a Digital Sovereignty Strategy.
  • David Chadwick
    Liberal Democrats, Brecon, Radnor and Cwm Tawe — co-sponsor of Report Stage new clauses on resourcing consultation, electoral infrastructure, political parties and board oversight; sat on the Public Bill Committee.
  • Freddie van Mierlo
    Liberal Democrats — co-sponsor of Liberal Democrat amendments at Report Stage, including the proposal to shorten reporting cycles from five to three years (Amendment 2).
  • Alex Sobel
    Labour — lead sponsor of cross-party new clause NC12 creating last-resort powers for the Secretary of State to direct shutdown of data centres or AI systems in an AI security or operational emergency.
  • Sir Iain Duncan Smith
    Conservative — lead sponsor of Amendment 3 inserting a right-to-fair-trial bar on cross-border information sharing under the NIS enforcement powers.
  • Dr Ben Spencer
    Conservative — sponsor of NC14 (register of foreign powers presenting risks to UK critical NIS) and NC15 (annual review of foreign-power cyber risk) at Report Stage.
  • Siân Berry
    Green Party — sponsor of NC16 requiring a Digital Sovereignty Strategy with explicit treatment of open-source software, open standards and UK developer capacity.

Political commitments

  • Commitment · Ministerial statement · Labour · 2025 · Cyber Security and Resilience Bill: policy statement

    Cyber Security and Resilience Bill policy statement (April 2025)

    Why linked: Pre-introduction policy statement by the Labour Government setting out the legislative measures that became the CSR Bill.

  • Commitment · Ministerial statement · Labour · 2025 · Cyber Security and Resilience

    Written Ministerial Statement on Cyber Security and Resilience (12 November 2025)

    In June 2024, Synnovis, a supplier of pathology services to the NHS, was the victim of a ransomware attack.

    Why linked: WMS introducing the Bill and framing it as a response to the Synnovis ransomware attack on NHS pathology services.

Open questions & gaps

Pending in the lifecycle

  • Report Stage and Third Reading in the Commons following the 30 April 2026 amendment paper.
  • Lords stages — not yet commenced; First Reading in the Lords is the next procedural step after Commons completion.
  • Secondary legislation to implement the Bill (regulations on managed service providers, data centres, critical suppliers, reporting thresholds and national-security directions).

Beyond the corpus

  • MISSING: Government response to Report Stage opposition new clauses — The 30 April 2026 amendment paper contains 16 substantive new clauses; the Government's published response is not yet in the corpus.
  • MISSING: Updated Impact Assessment for the Bill as amended in committee — Standard practice for material amendments; not yet retrieved in the corpus.
  • MISSING: Computer Misuse Act 1990 reform package — Repeatedly raised by SIT Committee, CyberUp and Report Stage NC6 but the Government's separate consultation outcome is not in the corpus.

Confidence gaps

  • The interaction between the Bill's national-security direction power and the existing National Security and Investment Act 2021 regime is not fully resolved in the retrieved documents.
  • The treatment of devolved competent authorities (Scotland, Wales, Northern Ireland) under the expanded scope is not visible in the events list and may need to be confirmed from the Bill text.