7 Jan 2026
|
Announcement
Department for Science, Innovation and Technology
linked
Cyber Security and Resilience (Network and Information Systems) Bill
Summary
What this is
A Government Bill introduced on 12 November 2025 to strengthen the security and resilience of UK network and information systems, principally by amending the Network and Information Systems Regulations 2018 to expand scope (managed service providers, data centres, critical suppliers), tighten incident reporting, and add national-security direction powers.
Why it matters
The 2018 NIS Regulations were judged in successive post-implementation reviews to need updating, and high-profile attacks (Synnovis ransomware on NHS pathology, Electoral Commission, MoD personnel data via a third-party supplier) have exposed gaps in scope and reporting that the Bill is designed to close.
Current status
The Bill cleared Public Bill Committee on 24 February 2026, was reprinted as Bill 385 as amended in committee, and is at Report Stage in the Commons; an amendment paper for 30 April 2026 lists multiple Liberal Democrat, Conservative and Labour new clauses (SME support service, foreign-power registers, last-resort AI/data-centre shutdown powers, electoral infrastructure as essential services).
What changed recently
- 30 Apr 2026 — Report Stage amendment paper published with 16 new clauses covering SME cyber support, foreign-state risk registers, digital sovereignty strategies, board oversight duties and AI/data-centre shutdown powers. →
- 25 Feb 2026 — Bill reprinted as Bill 385 as amended in Public Bill Committee, with a Keeling schedule showing the amended NIS Regulations 2018 published in January. →
- 3 Feb 2026 — Public Bill Committee began oral evidence and clause-by-clause scrutiny, with 40+ written evidence submissions from operators (National Grid, National Gas), platforms (Microsoft, Cloudflare, Infoblox), trade bodies (techUK, ISPA, UK Finance, ABI) and civil society (Liberty / Privacy International, Open Rights Group, CyberUp). →
- 14 Jan 2026 — Ofgem published v3.0 of its NIS Guidance for downstream gas and electricity Operators of Essential Services in Great Britain, updating sectoral compliance expectations ahead of the Bill. →
- 6 Jan 2026 — Second Reading in the Commons, opened by the Minister for Digital Government and Data, Ian Murray. →
Key documents
Framework
-
Cyber Security and Resilience (NIS) Bill — Bill 329 as introduced
The Bill as introduced on 12 November 2025, amending the NIS Regulations 2018 to expand scope and tighten reporting and enforcement.
-
Cyber Security and Resilience (NIS) Bill — Bill 385 as amended in committee
The Bill as reprinted after Public Bill Committee, incorporating Government and Opposition amendments agreed in February 2026.
-
Delegated Powers Memorandum
DSIT memorandum on the delegated powers conferred by the Bill, relevant to the breadth of NIS-regime regulation-making authority.
-
Second Reading debate, 6 January 2026
Hansard record of Second Reading, Ian Murray (Minister for Digital Government and Data) opening, with cross-party engagement on scope, ransomware and SMEs.
-
National Cyber Security Strategy 2016 to 2021
The strategic framework under which the NIS Regulations 2018 were originally made; the policy hinterland against which the CSR Bill is set.
Operationalising
-
Explanatory Notes — Bill 329 EN 2024-26
Department for Science, Innovation and Technology (DSIT) explanatory notes setting out clause-by-clause effect on the NIS regime.
-
Cyber Security and Resilience Bill: policy statement (April 2025)
Pre-introduction policy statement setting out confirmed and proposed measures, including managed service providers, data centres, supply-chain duties and reformed incident reporting.
-
CSR Bill factsheets (March 2026)
DSIT-published factsheets on individual parts of the Bill for practitioner audiences.
Implementation
-
Keeling schedules: NIS Regulations 2018 (22 January 2026)
Track-changed version of the NIS Regulations 2018 showing the cumulative effect of the Bill's amendments.
-
Ofgem NIS Guidance for Downstream Gas and Electricity OES v3.0 (January 2026)
Sector-specific compliance guidance issued by Ofgem (joint competent authority with Department for Energy Security and Net Zero (DESNZ)) updated alongside the Bill's progress.
-
DESNZ Policy Guidance on NIS implementation for the energy sector (September 2023)
Statutory policy guidance from DESNZ as competent authority for the energy sector, setting out current NIS obligations for operators of essential services.
-
NIS Regulations 2018 — guide for the health sector in England
Health-sector compliance guide for designated operators of essential services in England.
Scrutiny
-
RPC opinion on the CSR Bill impact assessment
Regulatory Policy Committee's published opinion of DSIT's impact assessment, the independent regulatory scrutiny baseline for the Bill.
-
Commons Library Briefing CBP-10442 — CSR (NIS) Bill 2024-26
Library briefing summarising the Bill's purpose, the existing NIS regime and key policy debates ahead of Second Reading.
-
Report Stage Amendment Paper, 30 April 2026
Notices of amendments at Report Stage including new clauses on SME support, foreign-state risk registers, digital sovereignty, board oversight, regular testing and AI/data-centre last-resort powers.
-
Public Bill Committee — All proceedings up to 24 February 2026
Consolidated record of Committee proceedings, including amendments agreed and rejected.
Evidence
-
DSIT Impact Assessment for the CSR Bill
Impact assessment quantifying expected costs and benefits, also scrutinised by the Regulatory Policy Committee (CSRB34).
-
Government response to the 2022 call for views on improving UK cyber resilience
Formal response to the January–April 2022 consultation on amending the NIS Regulations 2018, confirming the direction of travel that became the CSR Bill.
-
Protecting and enhancing the security and resilience of UK data infrastructure (consultation closed Dec 2023)
DSIT consultation on regulating data centres, the policy basis for the Bill's data centre scope.
Review
-
Review of the Network and Information Systems Regulations (2020)
First DCMS post-implementation review of NIS 2018, concluding the regime was driving security action but flagging the need for evolution — the analytical foundation for subsequent reform.
-
Second Post-Implementation Review of the NIS Regulations 2018 (July 2022)
Second statutory PIR by DCMS, providing the evidence base for the legislative changes ultimately taken forward in the CSR Bill.
-
National Cyber Security Strategy 2016-2021: progress so far (November 2020)
Government progress assessment against the 2016 strategy, informing the design of the 2022 National Cyber Strategy and subsequent legislative reform.
Other
-
Network and Information Systems (EU Exit) (Amendment) Regulations 2021 (SI 2021/1461)
EU-exit corrections to the NIS regime: re-set incident reporting thresholds for digital service providers from EU-wide criteria to UK guidance and updated the Information Commissioner-facing duties.
Consultations
-
Protecting and enhancing the security and resilience of UK data infrastructure
Data centres are explicitly brought into scope of the CSR Bill; this consultation is the policy basis for that measure.
-
Government response to the call for views on proposals to improve the UK's cyber resilience
The Bill operationalises the direction confirmed in this response (expanded scope, MSPs, supply chain, incident reporting).
-
Government response to the call for views on proposed legislation amending the Network and Information Systems Regulations 2018
Direct precursor consultation leading to SI 2020/1245 and informing the CSR Bill design.
-
Implementation of the Network and Information Systems Regulations in the energy sector: amendments to guidance
Implementation-layer consultation aligning energy-sector guidance with the evolving NIS regime.
Stakeholders
Sponsoring department 1
-
Department for Science, Innovation and Technology
→ src
Lead committee 2
Witnesses & evidence-givers 12
Regulator / delivery programme 4
Political commitments
-
commitment Ministerial statement
Cyber Security and Resilience Bill policy statement (April 2025)
Why linked: Pre-introduction policy statement by the Labour Government setting out the legislative measures that became the CSR Bill.
-
commitment Ministerial statement
Written Ministerial Statement on Cyber Security and Resilience (12 November 2025)
In June 2024, Synnovis, a supplier of pathology services to the NHS, was the victim of a ransomware attack.
Why linked: WMS introducing the Bill and framing it as a response to the Synnovis ransomware attack on NHS pathology services.
Open questions & gaps
Pending in the lifecycle
- Report Stage and Third Reading in the Commons following the 30 April 2026 amendment paper.
- Lords stages — not yet commenced; First Reading in the Lords is the next procedural step after Commons completion.
- Secondary legislation to implement the Bill (regulations on managed service providers, data centres, critical suppliers, reporting thresholds and national-security directions).
Beyond the corpus
- MISSING Government response to Report Stage opposition new clauses —
- MISSING Updated Impact Assessment for the Bill as amended in committee —
- MISSING Computer Misuse Act 1990 reform package —
Confidence gaps
- The interaction between the Bill's national-security direction power and the existing National Security and Investment Act 2021 regime is not fully resolved in the retrieved documents.
- The treatment of devolved competent authorities (Scotland, Wales, Northern Ireland) under the expanded scope is not visible in the events list and may need to be confirmed from the Bill text.
Full timeline
136
13 Nov 2025
|
Announcement
Department for Science, Innovation and Technology
linked
direct
Cyber Security and Resilience
Why linked: 13 November 2025 Lords Written Ministerial Statement (HLWS1054) repeating the Commons statement on Cyber Security and Resilience.
UIN: HLWS1054 I am repeating the following Written Ministerial Statement made today in the other place by my Honourable Friend, the Parliamentary Under-Secretary of State (Minister for AI and Online Safety), Kanishka Narayan MP.In June 2024, Synnovis, a supplier of …
12 Nov 2025
|
Announcement
Department for Science, Innovation and Technology
linked
direct
Cyber Security and Resilience
Why linked: 12 November 2025 Written Ministerial Statement (HCWS1046) framing the Bill against the Synnovis ransomware attack.
UIN: HCWS1046 In June 2024, Synnovis, a supplier of pathology services to the NHS, was the victim of a ransomware attack. Computer systems were hacked, private patient data was stolen, and IT systems were rendered useless. This resulted in disruption …
1 Apr 2025
|
Announcement
Department for Science, Innovation and Technology
linked
direct
Cyber Security and Resilience Policy Statement
Why linked: April 2025 Commons Written Ministerial Statement (HCWS572) on the Cyber Security and Resilience policy statement.
UIN: HCWS572 Today the Government has published a policy statement on proposed legislative measures to bolster the UK’s cyber security and resilience.Our digital economy and essential services are increasingly being attacked by cyber criminals and state actors, threat...
1 Apr 2025
|
Announcement
Department for Science, Innovation and Technology
linked
direct
Cyber Security and Resilience Policy Statement
Why linked: April 2025 Lords Written Ministerial Statement (HLWS570) on the Cyber Security and Resilience policy statement.
UIN: HLWS570 I am repeating the following Written Ministerial Statement made today in the other place by my Honourable Friend, the Parliamentary Under-Secretary of State for AI and Digital Government, Feryal Clark MP.Today the Government has published a policy stateme...
4 Jul 2022
|
Announcement
Department for Digital, Culture, Media & Sport
linked
direct
Second Post-Implementation Review of the Network and Information Systems Regulations 2018
Why linked: Lords Written Ministerial Statement repeating the Commons WMS on the Second Post-Implementation Review.
UIN: HLWS168 I am repeating the following Written Ministerial Statement made today in the other place by my Honourable Friend, the Minister for Media, Data, and Digital Infrastructure, Julia Lopez MP:Today I am publishing the statutory post-implementation review of th...
4 Jul 2022
|
Announcement
Department for Digital, Culture, Media & Sport
linked
direct
Second Post-Implementation Review of the Network and Information Systems Regulations 2018
Why linked: Commons Written Ministerial Statement publishing the Second Post-Implementation Review of the NIS Regulations 2018.
UIN: HCWS173 Today I am publishing the statutory post-implementation review of the Network and Information Systems Regulations 2018 on the Government’s website. This is the second review of the Regulations since their implementation.The Regulations came into force in ...
Analyst briefing
Executive summary
The Cyber Security and Resilience (Network and Information Systems) Bill, sponsored by the Department for Science, Innovation and Technology (DSIT) and introduced on 12 November 2025 1, is the long-trailed legislative upgrade to the Network and Information Systems Regulations 2018 (SI 2018/506). It amends the 2018 Regulations to expand scope to managed service providers, data centres and critical suppliers, tightens incident reporting and confers new national-security direction powers on the Secretary of State 23. The Bill cleared Public Bill Committee on 24 February 2026 45, with substantial written evidence from operators, platforms, trade bodies and civil society. It is now at Report Stage in the Commons; the 30 April 2026 amendment paper 6 surfaces 16 cross-party new clauses ranging from SME cyber support and foreign-power risk registers to last-resort powers over AI systems and data centres. Royal Assent in 2026 is plausible; substantive implementation will fall to follow-on secondary legislation.
Current state
The Bill is at Report Stage in the Commons. It was introduced on 12 November 2025 with a full supporting pack — Explanatory Notes 1, Impact Assessment 2 and Delegated Powers Memorandum 3. Second Reading was on 6 January 2026, opened by Minister for Digital Government and Data Ian Murray 4. Public Bill Committee sat between 3 and 24 February 2026, taking oral evidence and processing 40+ written submissions from National Grid 5, Microsoft 6, Cloudflare 7, techUK 8, UK Finance 9, CrowdStrike 10, the Regulatory Policy Committee 11 and civil society including Liberty and Privacy International 12, Open Rights Group 13 and the CyberUp Campaign 14. The Bill was reprinted as Bill 385 as amended in committee 15, and a Keeling schedule showing the cumulative amendments to the NIS Regulations 2018 was published in January 16. Sectoral implementation continues in parallel: Ofgem updated its NIS Guidance for Downstream Gas and Electricity Operators of Essential Services to v3.0 in January 2026 17, building on DESNZ's September 2023 statutory guidance 18. The Programme Order of 6 January 2026 19 times Report Stage and Third Reading on the same day, meaning the Lords stages are the next major political variable.
Recent developments
Three developments dominate the last quarter. First, the Report Stage amendment paper of 30 April 2026 1 crystallises the political pressure points: a Liberal Democrat package led by Victoria Collins, Freddie van Mierlo and David Chadwick (NC2 SME cyber support; NC4 critical manufacturing and food retail; NC5 local authorities; NC8 electoral infrastructure; NC9 political parties; NC10 board oversight; NC11 regular testing; NC13 digital sovereignty strategy); a Conservative package from Dr Ben Spencer (NC14 register of foreign powers; NC15 annual foreign-power risk review); a cross-party Alex Sobel-led NC12 conferring last-resort powers on the Secretary of State to direct shutdown of data centres or AI systems in defined AI security or operational emergencies; and Sir Iain Duncan Smith's Amendment 3 carving out information sharing with jurisdictions where the right to a fair trial cannot be guaranteed. Second, the Public Bill Committee record 2 shows the Government holding the line on the structure of the Bill but processing a wide range of clarifying amendments. Third, Ofgem's v3.0 NIS Guidance update 3 confirms that sectoral competent authorities are not waiting for Royal Assent before tightening operational expectations on OES.
What to watch
Four forward-look threads. (1) The Government's response at Report Stage to the foreign-state risk packages — NC3 (review of high-risk bodies), NC14 (foreign-power register) and NC15 (annual review) 1 — given the overlap with the existing National Security and Investment Act 2021 regime; how Ministers calibrate the Part 4 direction power against that framework will shape national-security advice to in-scope sectors. (2) NC12 on AI/data-centre last-resort shutdown powers 1 is the most novel proposition on the paper and sits at the intersection of the CSR Bill and the still-developing UK approach to AI safety; a Government response one way or the other will be a signal for AI-regulation watchers as much as cyber-regulation specialists. (3) The Computer Misuse Act 1990 reform question, repeatedly raised by the Science, Innovation and Technology Committee Legacy Report and by the CyberUp Campaign (CSRB18) 2, and surfaced again at Report Stage as NC6 — whether the Government commits to reform alongside the CSR Bill, or continues to treat the two regimes separately. (4) The downstream secondary-legislation pipeline — sectoral thresholds for data centres, MSPs and critical suppliers under the regulation-making powers documented in the Delegated Powers Memorandum 3 — will determine the practical bite of the regime for affected firms. Practitioners advising data centre operators, cloud and managed service providers, and critical-supplier categories should be tracking the SI pipeline as closely as the Bill text.
Risks and uncertainties
The Liberty / Privacy International 1 and Open Rights Group 2 evidence flags the contested civil-liberties surface of the expanded direction powers and information-sharing regime; the Regulatory Policy Committee's written evidence (CSRB34) 3 is the independent regulatory-burden scrutiny baseline. Inferred from corpus gap: the retrieved corpus is heavy on Public Bill Committee mechanics and the Report Stage amendment paper but thin on the Government's substantive published response to the new clauses, on any updated impact assessment for the Bill as amended in committee, and on the Lords briefing pack — none of which appear in the events list at the time of build. Inferred from corpus gap: the Government Response to the 2023 data infrastructure consultation 4 is not retrieved, despite data centres being a central new scope category. Inferred from corpus gap: the Bill's interaction with devolved competence is not visible in the retrieved metadata.
Doctrinal frame
The UK NIS regime sits in three layers. At the base is the Network and Information Systems Regulations 2018 (SI 2018/506), which transposed the EU NIS Directive and created two regulatee classes — operators of essential services in named sectors (energy, transport, water, health, digital infrastructure) and relevant digital service providers — with sectoral competent authorities (Ofgem and the Department for Energy Security and Net Zero (DESNZ) for energy, the Information Commissioner for DSPs, and others) enforcing duties of risk management and incident notification.
The second layer is the post-Brexit and pre-Bill amendment chain: SI 2018/629, SI 2019/653, SI 2020/1245 and SI 2021/1461. Of these, SI 2021/1461 is the most analytically significant within the events list — it replaced EU-wide impact thresholds with Information Commissioner guidance for DSPs and substituted UK-only application for the operative articles of Commission Implementing Regulation (EU) 2018/151. The two statutory post-implementation reviews (2020 1 and 2022) are the evidentiary backbone for the reform direction.
The third layer — and the subject of this thread — is the Cyber Security and Resilience (Network and Information Systems) Bill. The Bill is structured as a hybrid: it amends the 2018 Regulations in place (Keeling schedule 2) and creates new freestanding powers, notably Part 4 directions for national-security purposes. It expands scope to capture managed service providers, data centres and critical suppliers, hardens incident reporting thresholds and supply-chain duties, and confers regulation-making powers on the Secretary of State documented in the Delegated Powers Memorandum 3.
What the Bill does NOT do, on the face of the retrieved documents, is consolidate the NIS regime into a single primary statute, reform the Computer Misuse Act 1990 (a recurring SIT Committee and CyberUp ask), or itself prescribe the new sector thresholds — those will sit in secondary legislation made under the Bill once enacted. The Report Stage amendment paper 4 shows where the political pressure points are: SME support, foreign-state risk, board accountability, digital sovereignty and AI/data-centre emergency powers.
The operational regime is therefore expected to remain a layered one — primary CSR Act + amended NIS Regulations + sectoral competent authority guidance (Ofgem v3.0 5; DESNZ September 2023 6; health-sector guide 7) — with the National Cyber Security Centre acting as the cross-sector technical authority.
Statutory basis
-
Network and Information Systems Regulations 2018 (SI 2018/506)
Sets out the core duties on operators of essential services and relevant digital service providers — risk management, incident notification and competent authority enforcement — and is the instrument the CSR Bill principally amends.
Cyber Security and Resilience (Network and Information Systems) Bill … -
Network and Information Systems (EU Exit) (Amendment) Regulations 2021 (SI 2021/1461)
Removes EU-derived thresholds in the NIS regime: requires DSPs to have regard to Information Commissioner guidance rather than EU-defined criteria, and aligns Commission Implementing Regulation (EU) 2018/151 with UK-only application.
The Network and Information Systems (EU Exit) (Amendment) Regulations… -
Cyber Security and Resilience (NIS) Bill — clause 8 (relevant digital service providers)
Amends the risk-management duties on relevant digital service providers; Amendment 1 at Report Stage seeks to add fraud as a specified risk category.
Cyber Security and Resilience (Network and Information Systems) Bill … -
Cyber Security and Resilience (NIS) Bill — clause 18 (information sharing)
Provides for sharing of information between NIS enforcement authorities and equivalents in other jurisdictions; Amendment 3 at Report Stage would carve out countries where the right to a fair trial cannot be guaranteed.
Cyber Security and Resilience (Network and Information Systems) Bill … -
Cyber Security and Resilience (NIS) Bill — Part 4 (Directions for national security purposes)
Creates Secretary of State powers to direct relevant bodies in the interests of national security; NC3, NC14 and NC15 at Report Stage seek to layer foreign-state ownership reviews and a foreign-power register on top of these powers.
Cyber Security and Resilience (Network and Information Systems) Bill …
Cross-cutting regimes engaged
- UK GDPR / Data Protection Act 2018 Incident notification under NIS frequently overlaps with personal-data breach notification to the Information Commissioner; the 2021 SI explicitly anchors DSP risk-management guidance to the Information Commissioner.
- Computer Misuse Act 1990 Repeatedly raised by the Science, Innovation and Technology Committee, CyberUp and Report Stage NC6 as the necessary companion reform to give security researchers a statutory public-interest defence — the corpus signals strong pressure to legislate alongside the CSR Bill but no current Government commitment to do so.
- National Security and Investment Act 2021 The Bill's Part 4 national-security directions and the Report Stage foreign-power register proposals (NC14/NC15) overlap with the NSI Act's regime for screening foreign ownership of critical infrastructure — a sequencing and consistency question for practitioners advising in-scope sectors.
- Online Safety Act 2023 The CSR Bill's scope (digital infrastructure, MSPs, data centres) sits alongside the Online Safety Act regime for some of the same entities (e.g. cloud providers, large platforms); the Online Safety Act Network submitted written evidence (CSRB26) on the interaction.
Key concepts
Operator of essential service (OES)
An entity meeting threshold requirements in a specified sub-sector (energy, transport, water, health, digital infrastructure) under Schedule 2 of the NIS Regulations 2018.
Relevant digital service provider (RDSP)
Defined in regulation 12 of the NIS Regulations 2018; the SI 2021/1461 amendment requires RDSPs to have regard to Information Commissioner guidance on risk management.
Critical supplier
A new category introduced in the CSR Bill bringing key third-party suppliers to OES and RDSPs into the regulatory perimeter, referenced in multiple Report Stage new clauses.
Direction for national security purposes (Part 4)
Power for the Secretary of State to direct relevant bodies on cyber security matters in the interests of national security, as referenced in NC3, NC14 and NC15 of the Report Stage amendment paper.
Forward look calendar
-
Commons Report Stage and Third Reading following the 30 April 2026 amendment paper; in particular which of NC2 (SME support), NC10 (board oversight), NC12 (AI/data-centre shutdown), NC14 (foreign-power register) and Amendment 3 (fair-trial bar on information sharing) the Government accepts, opposes or counters with its own clauses.
-
Bill carry-over to the Lords for First Reading after Commons completion; programme motion of 6 January 2026 means Report Stage and Third Reading occur on the same day.
-
Draft regulations under the Bill's regulation-making powers (sector thresholds for data centres, MSPs and critical suppliers; designation of new competent authorities) — flagged in the Delegated Powers Memorandum.
-
Statutory post-implementation review cycle: the Liberal Democrat Amendment 2 seeks to shorten the reporting cycle in Clause 40 from five to three years — outcome will set the next review window.
Stakeholder positions
Department for Science, Innovation and Technology
DSIT positions the Bill as necessary modernisation of the NIS regime in response to high-impact incidents (notably Synnovis), expanding scope to managed service providers, data centres and critical suppliers and giving Ministers direction powers for national security purposes.Nov 2025Nov 2025Nov 2025
Ian Murray
As Minister for Digital Government and Data, opened Second Reading on 6 January 2026 framing the Bill as essential to protect critical services and digital economy resilience.Jan 2026
Victoria Collins
Leads a Liberal Democrat amendment package urging an explicit fraud-risk reference for DSPs, an SME cyber support service, a foreign-state risk review, an extension of essential-service scope into critical manufacturing and food retail, and a UK Digital Sovereignty Strategy.Apr 2026
Freddie van Mierlo
Co-sponsors the Liberal Democrat amendment package and is the named mover of Amendment 2 reducing the statutory reporting cycle in Clause 40 from five years to three.Apr 2026
David Chadwick
Liberal Democrat Public Bill Committee member; co-sponsor of new clauses requiring resourcing consultation with regulators, regulating electoral infrastructure and political parties as essential services, board oversight duties and periodic testing.Apr 2026
Alex Sobel
Leads cross-party NC12 to confer last-resort powers on the Secretary of State to direct shutdown of data centres or AI systems in defined AI security or operational emergencies, with parliamentary reporting and High Court review.Apr 2026
Sir Iain Duncan Smith
Cross-party sponsor of Amendment 3 preventing NIS information-sharing with jurisdictions where the right to a fair trial cannot be guaranteed, with an annual ministerial reporting duty.Apr 2026
Dr Ben Spencer
Conservative sponsor of NC14 (statutory register of foreign powers posing risks to UK critical NIS, including state-affiliated groups) and NC15 (annual cyber-risk review of foreign powers reported to Parliament and the Intelligence and Security Committee).Apr 2026
Siân Berry
Green sponsor of NC16 requiring a Digital Sovereignty Strategy with an explicit assessment of open-source software, open standards and UK developer capacity in critical NIS.Apr 2026
National Grid
As an OES in the energy sector, engages on workability of expanded duties and supply-chain reach in critical infrastructure operations.Feb 2026
Microsoft
As a major affected digital/cloud provider, submitted written evidence on the design of expanded scope (MSPs, data centres) and incident reporting.Feb 2026
techUK
Submitted supplementary written evidence representing the technology trade body's collective view on scope, burden and implementation timelines.Feb 2026
Regulatory Policy Committee
Provides independent scrutiny of DSIT's impact assessment for the Bill (CSRB34 and RPC published opinion), the regulatory-burden baseline that practitioners will rely on.Feb 2026
Engaged, but no published position in the corpus
- Liz Kendall —
- Public Bill Committee on the CSR (NIS) Bill —
- National Cyber Security Centre —
- Ofgem —
- Department for Energy Security and Net Zero —
- Information Commissioner —
- National Gas —
- Cloudflare —
- UK Finance —
- Association of British Insurers —
- British Insurance Brokers' Association —
- Internet Services Providers' Association —
- VIRTUS Data Centres —
- CrowdStrike —
- NCC Group —