Cyber Security and Resilience Bill
Summary
What this is
A Government Bill that rewrites the UK's network and information systems (NIS) regime by amending the Network and Information Systems Regulations 2018, expanding the scope to managed service providers and critical suppliers, modernising incident reporting, and providing new powers including national-security directions. The Bill was introduced on 12 November 2025 and is at report stage, with the King's Speech 2026 confirming it as a Government legislative priority.
Why it matters
It is the UK's first substantive overhaul of cyber-resilience law since the 2018 NIS Regulations and follows ransomware attacks on Synnovis/NHS pathology services and on three London councils, which the Government has framed as evidence of regulatory gaps. The Bill carries powers to bring managed service providers, data centres and critical suppliers within scope and creates a more interventionist enforcement and direction regime.
Current status
The Bill completed Public Bill Committee on 25 February 2026 (Bill 385 as amended), is at Commons report stage with amendment papers issued through late April 2026, and was re-announced in the King's Speech on 13 May 2026.
What changed recently
- 13 May 2026 — King's Speech 2026 confirms the Cyber Security and Resilience Bill as a Government priority and signals continued passage. →
- 30 Apr 2026 — Report-stage Amendment Paper tabling new clauses on SME cyber support, board-level oversight, regular testing, AI 'last-resort' shutdown powers for data centres, foreign-power registers and a Digital Sovereignty Strategy. →
- 25 Feb 2026 — Bill reprinted as Bill 385 after Public Bill Committee amendments. →
- 28 Jan 2026 — NCSC publishes guidance urging CNI leaders to act now on severe cyber threat, sharpening the operational backdrop to the Bill. →
- 6 Jan 2026 — Bill receives Second Reading in the Commons, with the Business and Trade Committee's economic-security report cited as a relevant document. →
Key documents
Framework
-
Cyber Security and Resilience (NIS) Bill — Bill 329 as introduced (12 Nov 2025)
The Bill as first read, making provision (including provision amending the NIS Regulations 2018) about the security and resilience of network and information systems.
-
Bill 385 — as amended in Public Bill Committee (25 Feb 2026)
Post-committee print of the Bill, reflecting Government and opposition amendments accepted across seven sittings between 3-24 February 2026.
-
Cyber Security and Resilience — WMS, Lords (13 Nov 2025)
Baroness Lloyd of Effra repeats the Commons WMS setting out the rationale for the Bill, including the Synnovis ransomware attack on NHS pathology services.
-
Cyber Security and Resilience — WMS, Commons (12 Nov 2025)
Kanishka Narayan's introduction-day WMS framing the Bill around the June 2024 Synnovis attack and broader CNI ransomware exposure.
-
King's Speech 2026 — Cyber Security and Resilience Bill
King's Speech background briefing notes confirming the Bill as a Government priority to update resilience duties and protect essential and digital services.
Operationalising
-
Explanatory Notes to Bill 329
DSIT's clause-by-clause explanation of the Bill as introduced.
-
Delegated Powers Memorandum (DSIT)
Memorandum to Parliament setting out and justifying every delegated power in the Bill — central to scrutiny of the very large secondary-legislation surface area.
-
Cyber Security and Resilience Bill factsheets (6 Mar 2026)
Departmental factsheets accompanying the Bill's progress, covering scope expansion (MSPs, critical suppliers), incident reporting, regulator powers and supply-chain duties.
-
Cyber Security and Resilience Bill policy statement (1 Apr 2025)
Pre-introduction statement setting out confirmed and proposed measures, including bringing managed service providers and critical suppliers within scope and updating incident-reporting thresholds.
-
Keeling schedule for the NIS Regulations 2018 (22 Jan 2026)
Keeling schedule showing the NIS Regulations 2018 marked up to reflect the Bill's proposed amendments — the practitioner's preferred reading of the new regime.
Implementation
-
NCSC — Preparing for severe cyber threat: why leaders must act now (Jan 2026)
NCSC's CNI-facing guidance issued during Commons committee stage, urging board-level action on resilience.
-
NCSC Cyber Assessment Framework (CAF)
The NCSC's primary technical-control framework for essential-service operators, which sits underneath the NIS Regulations and will continue to do so post-Bill.
-
Ofgem/DESNZ NIS Guidance for Downstream Gas and Electricity OES v3.0 (Jan 2026)
Sector-specific NIS compliance guidance issued by the joint competent authority for downstream gas and electricity operators.
-
DESNZ NIS implementation guidance for the energy sector (Oct 2023)
High-level policy principles for compliance by energy-sector OES — operational scaffolding that the Bill will modify rather than replace.
-
DHSC NIS guide for the health sector in England (Sep 2023)
Sector guide for health OES — the regime the Synnovis attack tested in practice.
-
Enforcement Management Model: transport sector (Mar 2024)
DfT guidance on enforcement options under NIS 2018 for transport OES.
Scrutiny
-
RPC opinion: green-rated (17 Nov 2025)
Regulatory Policy Committee's green-rated opinion on the impact assessment.
-
Report-stage Amendment Paper as at 30 April 2026
Notices of amendments including Lib Dem and Conservative new clauses on board oversight, regular testing, SME support, electoral and local-government inclusion, foreign-power registers and Sobel et al. 'last-resort' AI shutdown powers.
-
Commons Library CBP-10442 — Cyber Security and Resilience Bill 2024-26 (17 Dec 2025)
Commons Library briefing paper providing the principal independent narrative scrutiny of the Bill ahead of Second Reading.
-
POSTnote POST-PN-0753 — Cyber resilience of UK digital infrastructure (Sep 2025)
Parliamentary Office of Science and Technology briefing setting out the technical landscape the Bill seeks to address.
-
Joint Committee on National Security Strategy — 'A hostage to fortune: ransomware and UK national security' (Dec 2023)
Joint Committee first report identifying ransomware as a Tier-1 risk to UK national security — a key reference cited by Government in framing the Bill.
Evidence
-
Impact Assessment for the Bill
DSIT's impact assessment accompanying introduction; subsequently green-rated by the Regulatory Policy Committee.
-
Government response to call for views on UK cyber resilience (Nov 2022)
Formal response to the 2022 public consultation on proposed NIS amendments — the principal evidence base for the Bill's scope-expansion choices.
-
Protecting and enhancing the security and resilience of UK data infrastructure (closed Dec 2023)
DSIT consultation on bringing data infrastructure (including data centres) within regulation — directly relevant to data-centre measures in the Bill.
Review
-
Second Post-Implementation Review of the NIS Regulations 2018 (Jul 2022)
Statutory PIR assessing effectiveness of the 2018 regime and identifying gaps that inform the Bill's design.
Other
-
Network and Information Systems (EU Exit) (Amendment) Regulations 2021 (SI 2021/1461)
Retained-EU-law correction that, among other things, deleted EU-population reporting thresholds in Implementing Regulation 2018/151 and substituted ICO guidance — the Bill is the next major step in this reform chain.
-
Network and Information Systems (Amendment and Transitional Provision etc.) Regulations 2020 (SI 2020/1245)
Earlier amendment regulations to the 2018 framework, the direct precursor in the reform chain to which the Bill responds.
Consultations
-
Protecting and enhancing the security and resilience of UK data infrastructure
Underpins the Bill's data-centre measures and the inclusion of data infrastructure within the NIS perimeter.
-
Government response to the call for views on proposals to improve the UK's cyber resilience
Principal evidence base for the Bill's scope-expansion proposals (managed service providers, critical suppliers, supply-chain duties).
-
Government response to the call for views on amending the Security of Network and Information Systems Regulations
Earlier consultation in the same reform chain leading from 2018 NIS Regulations to the present Bill.
-
Call for views on amending the NIS regulations 2018
First DCMS consultation in the post-2018 reform sequence; the proposals it tested are recognisably the spine of the present Bill.
-
Government response to the call for views on proposed legislation amending the Network and Information Systems Regulations 2018
Direct precursor to SI 2020/1245 and to the Bill's expanded MSP/digital perimeter.
Stakeholders
Sponsoring department 2
Sponsoring minister 5
Shadow minister 4
Lead committee 3
Witnesses & evidence-givers 12
Regulator / delivery programme 4
Commentator 12
Political commitments
-
commitment King's Speech announcement
Cyber Security and Resilience Bill confirmed in King's Speech 2026
The King's Speech 2026 cyber bill to strengthen the UK's defences against cyber threats, update resilience duties, and protect essential and digital services.
Why linked: Names the Bill as a Government priority during its parliamentary passage.
-
commitment Ministerial statement
Cyber Security and Resilience Policy Statement (1 Apr 2025)
Today the Government has published a policy statement on proposed legislative measures to bolster the UK's cyber security and resilience.
Why linked: Pre-introduction commitment by Government setting out the Bill's measures.
-
commitment Ministerial statement
Introduction-day WMS on Synnovis and the Bill (12 Nov 2025)
In June 2024, Synnovis, a supplier of pathology services to the NHS, was the victim of a ransomware attack.
Why linked: Frames the Bill as a direct legislative response to the Synnovis attack on NHS pathology services.
Open questions & gaps
Pending in the lifecycle
- Report stage and Third Reading in the Commons — the most recent Amendment Paper is dated 30 April 2026 with a substantial cross-party new-clause programme yet to be resolved.
- Lords stages, where civil-liberties amendments on information-sharing (amendment 3) and the breadth of delegated powers will likely be the principal pressure points.
- Consequential secondary legislation amending the NIS Regulations 2018, including the contents of any Keeling-schedule changes once the Bill is enacted.
Beyond the corpus
- FOUND Terminally Ill Adults (End of Life) Bill — Select Committee report: 52nd Report of the Delegated Powers and Regulatory …
- MISSING A Lords Library briefing on the Bill —
- MISSING Joint Committee on Human Rights report —
- MISSING An impact-assessment update covering report-stage changes —
Confidence gaps
- Exact commencement and transitional architecture is not yet visible from the corpus — secondary legislation will determine when MSP, critical-supplier and data-centre obligations bite.
- Interaction between the Bill's national-security direction power and the proposed Tackling State Threats Bill/National Security Bill announced in the King's Speech 2026 is not detailed in the available materials.
- Treatment of the Computer Misuse Act 1990 reform — flagged in evidence (CyberUp) and in NC6 — is being addressed in the parallel National Security Bill announced in the King's Speech, not on the face of this Bill.
Full timeline
1762026
To ask the Secretary of State for Science, Innovation and Technology, what recent assessment she has made of the adequacy of the UK's preparedness for AI-enabled cyber threats.
Why linked: Written parliamentary question on UK preparedness for AI-enabled cyber threats (April 2026); topical scrutiny question on emerging cyber threats within the scope of the Bill's resilience framework
To ask the Secretary of State for Science, Innovation and Technology, what recent assessment she has made of the adequacy of the UK's preparedness for AI-enabled cyber threats.
To ask the Minister for the Cabinet Office, what steps he is taking to ensure that organisations critical to national security and critical national infrastructure have secure and resilient digital processes and platforms.
Why linked: Written question on critical national infrastructure cyber security and resilience—directly on-topic PQ addressing CII protection duties
To ask the Minister for the Cabinet Office, what steps he is taking to ensure that organisations critical to national security and critical national infrastructure have secure and resilient digital processes and platforms.
To ask the Secretary of State for Science, Innovation and Technology, what assessment he has made of the adequacy of the Cyber Security and Resilience Bill's incident reporting criteria for capturing novel failure modes arising from autonomous or adaptive
Why linked: March 2026 PQ on the adequacy of the Bill's incident reporting criteria — directly on Bill design.
To ask the Secretary of State for Science, Innovation and Technology, what assessment he has made of the adequacy of the Cyber Security and Resilience Bill's incident reporting criteria for capturing novel failure modes arising from autonomous or adaptive
To ask the Secretary of State for Science, Innovation and Technology, with reference to the Cyber Security and Resilience Bill (Network and Information Systems) Bill, a) what estimate she had made of the shortage of the cybersecurity skills which will be
Why linked: March 2026 PQ on cost and impact estimates relating to the CSR Bill.
To ask the Secretary of State for Science, Innovation and Technology, with reference to the Cyber Security and Resilience Bill (Network and Information Systems) Bill, a) what estimate she had made of the shortage of the cybersecurity skills which will …
To ask the Secretary of State for Science, Innovation and Technology, what discussions she has had with ministerial colleagues from a) the Home Office, b) HM Treasury and c) the Department for Science, Innovation and Technology on coordinated action to ta
Why linked: March 2026 PQ on cross-departmental coordination on the Bill (Home Office, HMT, DSIT).
To ask the Secretary of State for Science, Innovation and Technology, what discussions she has had with ministerial colleagues from a) the Home Office, b) HM Treasury and c) the Department for Science, Innovation and Technology on coordinated action to …
Cyber Security and Resilience (Network and Information Systems) Bill — Written evidence submitted by National Grid (CSRB40)
Cyber Security and Resilience (Network and Information Systems) Bill — Written evidence submitted by Microsoft (CSRB39)
Cyber Security and Resilience (Network and Information Systems) Bill — Written evidence submitted by Cloudflare (CSRB38)
Cyber Security and Resilience (Network and Information Systems) Bill — Supplementary written evidence submitted by techUK (CSRB37)
Cyber Security and Resilience (Network and Information Systems) Bill — Further written evidence submitted by iProov (CSRB35)
Cyber Security and Resilience (Network and Information Systems) Bill — Written evidence submitted by the Regulatory Policy Committee (RPC) (CSRB34)
Cyber Security and Resilience (Network and Information Systems) Bill — Written evidence submitted by Capita (CSRB33)
Cyber Security and Resilience (Network and Information Systems) Bill — Written evidence submitted by the UK Cyber Security Council (CSRB32)
Cyber Security and Resilience (Network and Information Systems) Bill — Written evidence submitted by VIRTUS Data Centres (CSRB31)
Cyber Security and Resilience (Network and Information Systems) Bill — Written evidence submitted by CrowdStrike (CSRB30)
Cyber Security and Resilience (Network and Information Systems) Bill — Supplementary written evidence submitted by the NCC Group (CSRB29)
Cyber Security and Resilience (Network and Information Systems) Bill — Written evidence submitted by the British Insurance Brokers' Association (BIBA) (CSRB28)
Cyber Security and Resilience (Network and Information Systems) Bill — Written evidence submitted by Shoosmiths LLP (CSRB27)
Cyber Security and Resilience (Network and Information Systems) Bill — Written evidence submitted by the Online Safety Act Network (CSRB26)
Cyber Security and Resilience (Network and Information Systems) Bill — Written evidence submitted by Rob Wright, Chief Commercial Officer, Hexiosec, Ambassador for Software Security for DSIT (CSRB25)
Cyber Security and Resilience (Network and Information Systems) Bill — Written evidence submitted by Dr Aine MacDermott, Liverpool John Moores University (CSRB24)
Cyber Security and Resilience (Network and Information Systems) Bill — Written evidence submitted by The ABI (CSRB23)
Cyber Security and Resilience (Network and Information Systems) Bill — Written evidence submitted by the Internet Services Providers' Association (ISPA) (CSRB22)
Cyber Security and Resilience (Network and Information Systems) Bill — Written evidence submitted by BCS, The Chartered Institute for IT (CSRB21)
Cyber Security and Resilience (Network and Information Systems) Bill — Written evidence submitted by National Gas (CSRB20)
Cyber Security and Resilience (Network and Information Systems) Bill — Written evidence submitted by Infoblox (CSRB19)
Cyber Security and Resilience (Network and Information Systems) Bill — Written evidence submitted by the CyberUp Campaign (CSRB18)
Cyber Security and Resilience (Network and Information Systems) Bill — Written evidence submitted by iProov (CSRB17)
Cyber Security and Resilience (Network and Information Systems) Bill — Written evidence submitted by Liberty and Privacy International (CSRB16)
Cyber Security and Resilience (Network and Information Systems) Bill — Written evidence submitted by the Cybersecurity Business Network (CSRB15)
Cyber Security and Resilience (Network and Information Systems) Bill — Written evidence submitted by UK Finance (CSRB14)
Cyber Security and Resilience (Network and Information Systems) Bill — Written evidence submitted by Philip Virgo (CSRB13)
Cyber Security and Resilience (Network and Information Systems) Bill — Written evidence submitted by Zurich UK (CSRB12)
Cyber Security and Resilience (Network and Information Systems) Bill — Written evidence submitted by Doctors Lam and Seifert (CSRB11)
Cyber Security and Resilience (Network and Information Systems) Bill — Written evidence submitted by ISC2 (CSRB10)
Cyber Security and Resilience (Network and Information Systems) Bill — Written evidence submitted by PauseAI UK (CSRB09)
Cyber Security and Resilience (Network and Information Systems) Bill — Written evidence submitted by the Institution of Engineering and Technology (IET) (CSRB08)
Cyber Security and Resilience (Network and Information Systems) Bill — Written evidence submitted by Richard Holland (CSRB07)
Cyber Security and Resilience (Network and Information Systems) Bill — Written evidence submitted by the UK Cyber Security Council (UK CSC) (CSRB06)
Cyber Security and Resilience (Network and Information Systems) Bill — Written evidence submitted by ISACA (CSRB05)
Cyber Security and Resilience (Network and Information Systems) Bill — Written evidence submitted by Open Rights Group (CSRB04)
Cyber Security and Resilience (Network and Information Systems) Bill — Written evidence submitted by Fortaegis (CSRB03)
Cyber Security and Resilience (Network and Information Systems) Bill — Written evidence submitted by Rik Ferguson (CSRB02)
Cyber Security and Resilience (Network and Information Systems) Bill — Written evidence submitted by Rob Newby (on the Retail sector) (CSRB01B)
Cyber Security and Resilience (Network and Information Systems) Bill — Written evidence submitted by Rob Newby (on the Energy sector) (CSRB01A)
2025
Correspondence from Minister for AI and Online Safety, re: Introduction of the Cyber Security and Resilience (Network And Information Systems) Bill, 12 November 2025
Why linked: Correspondence from the Minister for AI and Online Safety on the introduction of the CSR Bill.
Direction: unknown
Correspondence from Parliamentary Under-Secretary of State for AI and Digital Government, in relation to the Cyber Security and Resilience Bill, dated 1 April 2025
Why linked: April 2025 correspondence from the Parliamentary Under-Secretary on the Bill, immediately following the policy statement.
Direction: unknown
To ask the Secretary of State for Science, Innovation and Technology, whether he plans to include provisions within the Cyber Security and Resilience Bill on requiring regulated organisations to adopt cybersecurity to help tackle AI-enabled threats.
Why linked: March 2025 PQ on whether the Bill will include provisions on requiring regulated organisations to adopt specific measures — directly on Bill scope.
To ask the Secretary of State for Science, Innovation and Technology, whether he plans to include provisions within the Cyber Security and Resilience Bill on requiring regulated organisations to adopt cybersecurity to help tackle AI-enabled threats.
To ask the Secretary of State for Science, Innovation and Technology, whether the Cyber Security and Resilience Bill will ensure that data centres are (a) secure and (b) resilient.
Why linked: March 2025 PQ on whether the Bill will ensure data centres are secure and resilient — directly on Bill scope.
To ask the Secretary of State for Science, Innovation and Technology, whether the Cyber Security and Resilience Bill will ensure that data centres are (a) secure and (b) resilient.
To ask the Secretary of State for Science, Innovation and Technology, what steps his Department is taking to ensure that the public sector is adequately protected under the forthcoming Cyber Security and Resilience Bill, and whether he plans to extend reg
Why linked: March 2025 PQ on the public sector's protection under the forthcoming CSR Bill.
To ask the Secretary of State for Science, Innovation and Technology, what steps his Department is taking to ensure that the public sector is adequately protected under the forthcoming Cyber Security and Resilience Bill, and whether he plans to extend …
2024
Should our successor Committee wish to examine the cyber security and resilience of the UK’s critical national infrastructure, we recommend it considers: • Following up how the Government is monitoring the emerging threats from nation states, state-sponsored actors, and criminal organisations on the UK’s critical national infrastructure. This should include the threat from pre- positioning; • considering how the Government is protecting and strengthening critical national infrastructure suppl...
Why linked: Cited by workspace synthesis
Should our successor Committee wish to examine the cyber security and resilience of the UK’s critical national infrastructure, we recommend it considers: • Following up how the Government is monitoring the emerging threats from nation states, state-sponsored actors, and criminal …
To ask His Majesty's Government what plans they have to publish draft legislation incorporating proposed reforms to the Network and Information Systems Regulations 2018.
Why linked: March 2024 PQ on plans to publish draft legislation incorporating proposed NIS reforms — directly on the lead-up to the Bill.
To ask His Majesty's Government what plans they have to publish draft legislation incorporating proposed reforms to the Network and Information Systems Regulations 2018.
2023
Correspondence from Sarah Munby, Permanent Under-Secretary of State, Department for Science, Innovation and Technology, re Building Digital UK, dated 23 November 2023
Why linked: DSIT correspondence on Building Digital UK may contain digital resilience infrastructure policy relevant to modernising cyber security framework
Direction: unknown
Loading new-since list…
Loading External Lens…
Analyst briefing
Executive summary
The Cyber Security and Resilience (Network and Information Systems) Bill is the UK's first substantive overhaul of cyber-resilience law since the 2018 NIS Regulations. Introduced by the Department for Science, Innovation and Technology (DSIT) on 12 November 2025 1, it operates principally by amending the Network and Information Systems Regulations 2018 (SI 2018/506) 2 to bring managed service providers (MSPs) and 'critical suppliers' inside the regulated perimeter, modernise incident reporting, broaden enforcement, and create national-security direction powers in Part 4. The Government's framing is anchored to the June 2024 Synnovis ransomware attack on NHS pathology services and to ransomware as a Tier-1 national-security risk per the Joint Committee on the National Security Strategy's December 2023 report 'A hostage to fortune' 34. The Bill completed Public Bill Committee on 25 February 2026 as Bill 385 5 and was re-confirmed as a legislative priority in the King's Speech 2026 6.
Current state
The Bill sits at Commons report stage. The introduction-version Bill 329 1 was accompanied by an Explanatory Notes 2, a Delegated Powers Memorandum 3 and an Impact Assessment 4 that the Regulatory Policy Committee subsequently green-rated on 17 November 2025 5. Second Reading on 6 January 2026 6 proceeded with the Business and Trade Committee's economic-security report tagged as a relevant document 7. The Public Bill Committee took oral evidence on 3-5 February and reported Bill 385 (as amended) on 25 February 2026 8910, following a substantial written-evidence programme spanning hyperscalers (Microsoft CSRB39 11, Cloudflare CSRB38 12), CNI operators (National Grid CSRB40 13, National Gas CSRB20 14), data-centre operators (VIRTUS CSRB31 15), trade bodies (techUK CSRB37 16, UK Finance CSRB14 17, ABI CSRB23 18) and civil-society interveners (Liberty/Privacy International CSRB16 19, Open Rights Group CSRB04 20). The 22 January 2026 Keeling schedule 21 is the practitioner-readable mark-up of how the NIS Regulations 2018 will read post-Bill. Implementation scaffolding — the National Cyber Security Centre's Cyber Assessment Framework (CAF) 22, Ofgem/DESNZ's NIS Guidance v3.0 for downstream gas and electricity OES 23, DESNZ statutory policy guidance for the energy sector 24, DHSC's NHS-sector guide 25, and the DfT Enforcement Management Model 26 — continues to operate beneath the statutory layer the Bill will reshape.
Recent developments
Six developments dominate the last 120 days. First, the King's Speech on 13 May 2026 confirmed the Bill as a Government priority 1. Second, the report-stage Amendment Paper as at 30 April 2026 2 tabled a notably wide cross-party new-clause programme: Liberal Democrat NC2-NC11 (SME cyber-support service, foreign-state-ownership review, sectoral additions for critical manufacturing/food retail/local authorities, a Computer Misuse Act 1990 review, regulator-resourcing consultation, electoral infrastructure and political parties as OES, board oversight and regular testing); Conservative NC14-NC15 (statutory register of foreign powers under Part 4 and an annual GCHQ-confirmed cyber-risk review reported to Parliament with classified material referred to the ISC); Alex Sobel's cross-party NC12 creating 'last-resort' powers to direct shutdown of data centres or AI systems in an 'AI security or operational emergency'; Siân Berry's NC16 requiring a Digital Sovereignty Strategy with open-source focus; and Sir Iain Duncan Smith's amendment 3 inserting a fair-trial exemption to international information-sharing under reg 6/6A. Third, on 28 January 2026 the NCSC issued CNI-facing guidance urging immediate board-level action on severe cyber threat 3. Fourth, Ofgem published NIS Guidance v3.0 for downstream gas and electricity OES on 14 January 2026 4. Fifth, the Public Bill Committee took oral evidence from a deep witness slate including the UK Cyber Security Council and the Regulatory Policy Committee (CSRB34) 56. Sixth, the Commons Library briefing CBP-10442 (17 December 2025) 7 and POSTnote POST-PN-0753 (10 September 2025) 8 provide the independent narrative scrutiny base.
What to watch
Four threads matter over the next six months. (1) Report stage and Third Reading: the disposition of NC12 (Sobel et al. — AI/data-centre 'last-resort' shutdown powers) and amendment 3 (Duncan Smith — fair-trial exemption to information sharing) are the most consequential cross-party tests 1. Both reach beyond the Bill's original perimeter — NC12 into AI-emergency powers and biannual reporting on autonomous-AI cyber-attack capability and 'superintelligent AI'; amendment 3 into the Article 6 ECHR architecture of cross-border NIS-enforcement information flows. (2) Computer Misuse Act 1990 reform: NC6 (Collins) would have required a review on the face of the Bill; the King's Speech 2026 routes this work instead into the National Security Bill, which will create a Cyber Crime Risk Order and update CMA 1990 powers. Practitioners should treat the two Bills as one regulatory programme, not two. (3) Lords scrutiny: against DSIT's Delegated Powers Memorandum 2, the Delegated Powers and Regulatory Reform Committee report and any Joint Committee on Human Rights report will frame Lords amendments, particularly on Part 4 national-security directions. (4) Secondary legislation: the Bill's perimeter expansion to MSPs, critical suppliers and (in commencement terms) data-centre operators will be operationalised through SIs amending the NIS Regulations 2018; the 22 January 2026 Keeling schedule 3 is the best available preview of the resulting statutory text. Watch also the parallel Tackling State Threats Bill, which sits next to Part 4 in the state-threat architecture.
Risks and uncertainties
The principal regime-internal risk is the very large delegated-powers surface area identified in DSIT's Memorandum 1: much of the substantive 'critical supplier' and MSP perimeter will be set in secondary legislation, meaning the Bill text on its face under-states the operational regime. The principal civil-liberties risk is concentrated in directions and information-sharing powers, on which Liberty and Privacy International's joint evidence (CSRB16) 2, Open Rights Group's evidence (CSRB04) 3 and amendment 3 4 are aligned. The principal cohesion risk is the dispersal of cyber-policy reform across three Bills in the King's Speech 2026 (Cyber Security and Resilience 5, National Security Bill including CMA 1990 reform, Tackling State Threats Bill ) — practitioners must read them together. Inferred from corpus gap: no Lords Library briefing, no DPRRC report and no JCHR report on this Bill have yet been retrieved into the corpus, so Lords-stage opposition framing is not yet visible in this build.
Scope notes
This workspace covers the Cyber Security and Resilience (NIS) Bill 2024-26 and its NIS Regulations 2018 substrate. Adjacent material announced at King's Speech 2026 — the National Security Bill (creating a Cyber Crime Risk Order and updating Computer Misuse Act 1990 powers) and the Tackling State Threats Bill (a proscription-type designation power for foreign-state proxies) — is named where it interacts with this Bill (for example as the actual vehicle for the CMA 1990 reform that NC6 would otherwise have required), but those Bills are not the subject of this thread and should be read on their own threads.
Primary legislation
Bills and Acts this regime substantively depends on. Links go to the bill's own thread on this site (where available) and to bills.parliament.uk.
-
Cyber Security and Resilience (Network and Information Systems) Bill Enabling Act bills.parliament.uk →
The Bill itself — primary legislative vehicle, currently at Commons report stage, amending the Network and Information Systems Regulations 2018 (SI 2018/506) and creating new powers including Part 4 national-security directions.
-
Provided the s.8(1)/(5) and Sch 7 para 21 powers under which SI 2021/1461 amended retained EU law (Commission Implementing Regulation 2018/151) to remove EU-population reporting thresholds and substitute ICO guidance — the most recent prior amendment in the NIS reform chain on which the present Bill builds.
-
National Security Bill (King's Speech 2026) Related framework
Announced at King's Speech 2026 as the vehicle for updating the Computer Misuse Act 1990, creating a Cyber Crime Risk Order and reforming the cyber landscape — work that NC6 (Collins) at report stage of the CSR Bill would otherwise have required by review; practitioners should treat the two Bills together.
-
Tackling State Threats Bill (King's Speech 2026) Related framework
Announced at King's Speech 2026 as a new proscription-type power for state entities and their proxies, sitting adjacent to Part 4 national-security direction powers in the CSR Bill and to NC14/NC15 (Spencer) on a register of foreign powers and an annual GCHQ-confirmed cyber-risk review.
Legal & Policy Framework
The UK NIS regime is built in three doctrinal layers. The bottom layer is the Network and Information Systems Regulations 2018 (SI 2018/506) 1, which transposes Directive (EU) 2016/1148 and operates the regime: it designates competent authorities (DESNZ and Ofgem for energy, the Department for Transport for transport, NHS England and DHSC for health, the Drinking Water Inspectorate for water, Ofcom for digital infrastructure, and the ICO for relevant digital service providers), identifies thresholds for who is an OES or RDSP, and imposes security duties and incident-reporting obligations enforced through information notices, inspections and penalties. The middle layer is the amendment history that has progressively diverged the UK regime from the EU original. SI 2020/1245 2 made post-transition adjustments and inserted reg 8A on nomination of UK representatives by overseas OES. SI 2021/1461 3 used s.8 European Union (Withdrawal) Act 2018 to strip EU-population reporting thresholds out of Commission Implementing Regulation 2018/151 (omitting Article 4 entirely), to substitute 'United Kingdom, European and internationally accepted standards' for the EU-only formulation in Article 2(5), and to require RDSPs in reg 12(7)(b) to have regard to ICO guidance instead of EU-level material — pushing the substantive content of DSP obligations into ICO guidance rather than retained EU rules. The top layer — and the subject of this thread — is the Cyber Security and Resilience (NIS) Bill 45, whose long title makes clear that its principal mechanism is amendment of the 2018 Regulations rather than wholesale replacement. The Keeling schedule 6 is the practitioner-readable artefact showing the cumulative result. Government's policy statement (April 2025) and Bill factsheets (March 2026) indicate the substantive moves: bringing managed service providers and 'critical suppliers' inside the regime, modernising the incident-reporting trigger, broadening enforcement, and creating national-security direction powers in Part 4. Sitting alongside the statutory layer is a substantial non-statutory implementation stack that the Bill does not displace: the NCSC's Cyber Assessment Framework (CAF) 7 as the de facto technical-control vocabulary for OES; DESNZ statutory policy guidance for the energy sector 89; Ofgem's downstream gas and electricity NIS guidance v3.0 10; DHSC's health-sector guide 11; and the DfT enforcement management model for transport 12. The 2018 PIR 13 and the 2022 government response to the cyber-resilience consultation 14 are the formal evidence chain into the Bill's design.
Finally, the regime intersects with adjacent legislative tracks named in the King's Speech 2026: the National Security Bill [531828] is expected to update the Computer Misuse Act 1990 and create a Cyber Crime Risk Order — work that report-stage NC6 (Collins) would otherwise have required by review on the face of this Bill — while the Tackling State Threats Bill [531827] sits alongside Part 4's national-security direction power. Practitioners should read the three Bills together rather than as discrete regimes.
Statutory basis
-
Network and Information Systems Regulations 2018 (SI 2018/506)
Establishes the UK's NIS regime: identifies operators of essential services (OES) across energy, transport, health, drinking water and digital infrastructure, designates competent authorities, and imposes security duties and incident-reporting obligations. The Bill amends this instrument as its primary operating layer.
The NIS Regulations 2018 -
Commission Implementing Regulation (EU) 2018/151 (retained EU law), Article 2(5) and Article 3(3)
Sets the detailed criteria digital service providers must take into account when managing security risks and determining whether an incident has substantial impact. Article 4 (EU-population threshold) was omitted on EU exit and the remaining articles were UK-ified.
The Network and Information Systems (EU Exit) (Amendment) Regulations… -
NIS Regulations 2018, regulation 12 (relevant digital service providers)
Imposes the digital-service-provider duties and risk-management criteria, including (since 2021) the obligation to have regard to ICO guidance.
The Network and Information Systems (EU Exit) (Amendment) Regulations… -
Cyber Security and Resilience (NIS) Bill 2024-26
Makes provision (including provision amending the NIS Regulations 2018) about the security and resilience of network and information systems, expanding scope to managed service providers and critical suppliers, modernising incident reporting, strengthening enforcement and providing national-security direction powers.
Cyber Security and Resilience (Network and Information Systems) Bill …
Cross-cutting regimes engaged
- UK GDPR / Data Protection Act 2018 The ICO is competent authority for RDSPs under reg 12, and reg 12(7)(b) now requires RDSPs to have regard to ICO guidance — meaning incident reporting and risk-management standards under NIS are operationally entangled with the data-protection regime even though the substantive obligations differ.
- Investigatory Powers Act 2016 / National Security Act 2023 Part 4 direction powers and information-sharing provisions raise the same fair-trial and proportionality questions that NC14/15 (foreign-powers register and review) and amendment 3 (Duncan Smith — fair-trial exemption to information-sharing) seek to manage; civil-society evidence from Liberty/Privacy International is in this register.
- Procurement Act 2023 The Bill's 'critical supplier' designation and supply-chain duties will interact with public-procurement assurance and exclusion grounds where regulated entities procure managed services.
- Human Rights Act 1998 / ECHR Article 6 Amendment 3 at report stage explicitly invokes the right to a fair trial in limiting cross-border information sharing — a direct HRA/Article 6 hook on the Bill's enforcement architecture.
Key concepts
Operator of an essential service (OES)
An entity providing an essential service whose disruption would have significant disruptive effects, identified under the NIS Regulations 2018 against thresholds in Schedule 2.
Relevant digital service provider (RDSP)
A digital service provider within scope under regulation 12 of the NIS Regulations 2018, supervised by the ICO and required to have regard to ICO guidance on risk-management.
Managed service provider (MSP)
A third-party provider that manages information-technology services and infrastructure for clients — proposed for inclusion within the regime by the Bill.
Critical supplier
A new category created by the Bill to capture suppliers whose disruption would have material impact on an OES, MSP or RDSP.
National-security direction (Part 4)
Power for the Secretary of State to issue directions in the interests of national security to regulated entities.
Forward look calendar
-
Commons report stage and Third Reading — disposition of the report-stage new-clause programme (NC2-NC16, amendments 1-3) including the AI/data-centre 'last-resort' powers (NC12) and the fair-trial information-sharing exemption (amendment 3).
-
Lords stages — likely focal points are delegated-powers scrutiny (against DSIT's Memorandum), Part 4 national-security direction powers, and civil-liberties amendments on information-sharing and directions.
-
Royal Assent — implied by the King's Speech 2026 confirmation of the Bill as a Government priority during this session.
-
Commencement and consequential SIs to operationalise the Bill's amendments to the NIS Regulations 2018 — including MSP, critical-supplier and data-centre perimeter rules; the Keeling schedule [28621] is the practitioner's preview of where these will bite.
Stakeholder positions
Department for Science, Innovation and Technology
DSIT frames the Bill as a necessary response to ransomware attacks on UK critical services (notably Synnovis/NHS pathology in June 2024) and proposes to expand scope to managed service providers and critical suppliers, modernise incident reporting, and provide national-security direction powers. The policy statement (April 2025) and Bill factsheets (March 2026) set out the substantive measures.Nov 2025Apr 2025Mar 2026Nov 2025
Tension with Liberty, Privacy International, Open Rights Group
Liz Kendall
As Secretary of State, sponsors the Bill in line with the DSIT policy statement and King's Speech 2026 commitment; substantive ministerial positioning has been led by junior ministers (Narayan, Clark) and the Lords pair (Vallance, Lloyd).Nov 2025May 2026
Kanishka Narayan
Framed the Bill at introduction as a direct response to the Synnovis ransomware attack on NHS pathology services and the broader CNI cyber-threat picture, and acted as the lead Government minister through Public Bill Committee.Nov 2025Feb 2026
Feryal Clark
Announced the pre-introduction policy statement on 1 April 2025, positioning the Bill as 'bolstering the UK's cyber security and resilience' alongside parallel growth measures.Apr 2025Apr 2025
Dr Ben Spencer
On the national-security dimension: tabled NC14 (statutory register of foreign powers presenting a risk to UK critical NIS) and NC15 (annual GCHQ-confirmed review of state-actor cyber risk reported to Parliament with classified material referred to the ISC) — pressing for a more codified state-threat architecture inside the Bill.Apr 2026
Victoria Collins
On scope and supportive infrastructure: led a substantial Liberal Democrat new-clause programme covering an SME cyber-support service (NC2), a foreign-state-ownership review of regulated bodies (NC3), inclusion of critical manufacturing, food production and retail (NC4), local authorities (NC5), a CMA 1990 review (NC6), board oversight (NC10), regular testing (NC11) and a Digital Sovereignty Strategy on foreign-tech reliance (NC13), and tabled amendment 1 inserting fraud into RDSP risk-identification duties.Apr 2026
David Chadwick
On regulatory capacity and electoral integrity: co-led Lib Dem new clauses on resourcing of regulators and regulated persons (NC7), designation of electoral infrastructure as an essential service (NC8) and political parties as providing essential services (NC9), alongside board oversight (NC10) and regular testing (NC11).Apr 2026
Freddie van Mierlo
On post-enactment scrutiny: tabled amendment 2 cutting the statutory review interval in clause 40 from five years to three years, alongside co-sponsoring the broader Liberal Democrat new-clause cluster.Apr 2026
Alex Sobel
On AI/data-centre intersection: led NC12 creating 'last-resort' powers for the Secretary of State to direct the shutdown of data centres or AI systems used or deployed by them in an 'AI security or operational emergency', with associated parliamentary reporting, High Court relief and biannual ministerial reports on adversarial uses, autonomous-AI cyber-attack capability and 'superintelligent AI'.Apr 2026
Sir Iain Duncan Smith
On information-sharing safeguards: led cross-party amendment 3 inserting a fair-trial exemption preventing NIS enforcement authorities sharing information overseas where the Secretary of State determines the receiving jurisdiction cannot guarantee the right to a fair trial, with subject-matter-expert and civil-society consultation.Apr 2026
Siân Berry
On digital sovereignty: tabled NC16 requiring a Digital Sovereignty Strategy with explicit assessment of open-source software, open standards and open architectures, options to diversify open-source suppliers and reduce strategic dependencies, and legislative/regulatory/procurement measures to support digital sovereignty.Apr 2026
Regulatory Policy Committee
On regulatory analysis quality: issued a green-rated opinion on DSIT's impact assessment, validating the Department's quantification of compliance costs and benefits as fit for purpose, and submitted further written evidence (CSRB34) to the Public Bill Committee.Nov 2025Feb 2026
Joint Committee on the National Security Strategy
On the framing case: its December 2023 report 'A hostage to fortune' established ransomware as a Tier-1 national-security threat — a key independent reference the Government has used to justify the Bill.Dec 2023
National Cyber Security Centre
On operational backdrop: published January 2026 guidance to CNI leaders warning of severe cyber threat and urging immediate board-level action, sharpening the operational case for the Bill while underscoring NCSC's continuing role through the CAF.Jan 2026Aug 2025
Ofgem
On energy-sector implementation: issued NIS Guidance v3.0 for downstream gas and electricity OES in January 2026 (jointly with DESNZ as competent authority), confirming that sector-specific compliance guidance continues to operate alongside the Bill.Jan 2026
Information Commissioner's Office
On DSP supervision: continues as competent authority for relevant digital service providers under reg 12 NIS 2018, with reg 12(7)(b) (since SI 2021/1461) anchoring the duty on RDSPs to have regard to ICO guidance — a regulatory hook the Bill leaves in place and that NC2 / amendment 1 (fraud) and related Lib Dem proposals would broaden.Dec 2021
Liberty
On civil liberties: jointly with Privacy International (CSRB16) raised concerns about the breadth of directions and information-sharing powers and their rights implications — positioning that aligns with amendment 3's fair-trial exemption.Feb 2026Apr 2026
Tension with Department for Science, Innovation and Technology
Privacy International
On civil liberties: co-author of CSRB16 with Liberty, raising privacy and proportionality concerns about the Bill's enforcement and disclosure architecture.Feb 2026
Tension with Department for Science, Innovation and Technology
Open Rights Group
On digital rights: submitted written evidence (CSRB04) raising digital-rights concerns about the Bill's design.Feb 2026
Tension with Department for Science, Innovation and Technology
techUK
On industry implementation: submitted supplementary written evidence (CSRB37), engaging substantively with the Bill's expanded scope (MSPs, critical suppliers) — positioned as the principal trade-association voice on the regulated-entity side.Feb 2026
Microsoft
On managed-service / DSP perimeter: submitted CSRB39 — a major hyperscaler perspective on how the Bill should treat managed service providers and digital service providers.Feb 2026
Cloudflare
On internet-infrastructure perspective: submitted CSRB38 on the Bill's treatment of digital infrastructure providers.Feb 2026
National Grid
On CNI operator perspective: submitted CSRB40 from the position of a major electricity-transmission OES.Feb 2026
National Gas
On gas-sector implementation: submitted CSRB20 from a gas-transmission OES perspective on the Bill's resilience duties.Feb 2026
UK Cyber Security Council
On workforce capacity: submitted CSRB06 and CSRB32 raising cyber-workforce sufficiency issues — relevant to the skills-shortage angle pressed by PQ 120158 [57258] and to NC7's regulator-resourcing consultation requirement.Feb 2026Feb 2026Apr 2026Mar 2026
UK Finance
On financial-services interface: submitted CSRB14 representing the banking trade-body view on how the Bill interacts with existing FS resilience regimes.Feb 2026
Association of British Insurers
On insurance-market implications: submitted CSRB23 on how the Bill affects the cyber-insurance landscape and underwriting.Feb 2026
Cyber Security and Resilience Bill Public Bill Committee
On procedural disposition: reported the Bill as amended (Bill 385) on 25 February 2026, having taken oral and written evidence across seven sittings and accepted Government amendments.Feb 2026Feb 2026
Business and Trade Committee
On the economic-security framing: its 11th Report 'Toward a new doctrine for economic security' (HC 835) was tagged as a relevant document at Second Reading, supporting a stronger economic-security lens on the Bill.Jan 2026
Engaged, but no published position in the corpus
- Department for Energy Security and Net Zero —
- Baroness Lloyd of Effra —
- Lord Vallance of Balham —
- Alison Griffiths —
- Lincoln Jopp —
- Bradley Thomas —
- Helen Maguire —
- Chris Vince —
- Emily Darlington —
- Dave Robertson —
- Andrew Cooper —
- Sarah Russell —
- Capita —
- CrowdStrike —
- NCC Group —
- British Insurance Brokers' Association —