Threads / Cyber Security and Resilience Bill View full timeline →

Cyber Security and Resilience Bill

Lifecycle: Implementation Business and Trade Committee · Department for Energy Security and Net Zero · Department for Science, Innovation and Technology · Information Commissioner's Office · National Cyber Security Centre · Ofgem · Regulatory Policy Committee Last regenerated 1 month, 3 weeks ago · 15 new events since

Summary

What this is

A Government Bill that rewrites the UK's network and information systems (NIS) regime by amending the Network and Information Systems Regulations 2018, expanding the scope to managed service providers and critical suppliers, modernising incident reporting, and providing new powers including national-security directions. The Bill was introduced on 12 November 2025 and is at report stage, with the King's Speech 2026 confirming it as a Government legislative priority.

Why it matters

It is the UK's first substantive overhaul of cyber-resilience law since the 2018 NIS Regulations and follows ransomware attacks on Synnovis/NHS pathology services and on three London councils, which the Government has framed as evidence of regulatory gaps. The Bill carries powers to bring managed service providers, data centres and critical suppliers within scope and creates a more interventionist enforcement and direction regime.

Current status

The Bill completed Public Bill Committee on 25 February 2026 (Bill 385 as amended), is at Commons report stage with amendment papers issued through late April 2026, and was re-announced in the King's Speech on 13 May 2026.

What changed recently

  • 13 May 2026 — King's Speech 2026 confirms the Cyber Security and Resilience Bill as a Government priority and signals continued passage.
  • 30 Apr 2026 — Report-stage Amendment Paper tabling new clauses on SME cyber support, board-level oversight, regular testing, AI 'last-resort' shutdown powers for data centres, foreign-power registers and a Digital Sovereignty Strategy.
  • 25 Feb 2026 — Bill reprinted as Bill 385 after Public Bill Committee amendments.
  • 28 Jan 2026 — NCSC publishes guidance urging CNI leaders to act now on severe cyber threat, sharpening the operational backdrop to the Bill.
  • 6 Jan 2026 — Bill receives Second Reading in the Commons, with the Business and Trade Committee's economic-security report cited as a relevant document.

Key documents

Framework

Operationalising

Implementation

Scrutiny

Evidence

Review

Other

Consultations

Stakeholders

Sponsoring department 2

  • Department for Science, Innovation and Technology → src
    Bill sponsor; published impact assessment, Delegated Powers Memorandum, policy statement (Apr 2025) and Bill factsheets (Mar 2026).
  • Department for Energy Security and Net Zero → src
    Competent authority for energy-sector OES; issued statutory NIS policy guidance (Sep 2023) which continues to operate under the Bill.

Sponsoring minister 5

  • Liz Kendall → src
    Labour Commons sponsor of the Bill as Secretary of State for Science, Innovation and Technology.
  • Kanishka Narayan → src
    Then Parliamentary Under-Secretary of State (Minister for AI and Online Safety); issued the introduction-day WMS (HCWS1046, 12 Nov 2025) framing the Bill around the Synnovis ransomware attack, and led for the Government through Public Bill Committee (current status unknown — treat as historical).
  • Baroness Lloyd of Effra → src
    Then Minister for Digital Economy; repeated the introduction WMS in the Lords on 13 Nov 2025 (HLWS1054) (current status unknown — treat as historical).
  • Feryal Clark → src
    Then Parliamentary Under-Secretary of State for AI and Digital Government; issued the 1 Apr 2025 Commons WMS announcing the pre-introduction policy statement (HCWS572) (current status unknown — treat as historical).
  • Lord Vallance of Balham → src
    Then Minister of State for Science, Research and Innovation; repeated the policy-statement WMS in the Lords on 1 Apr 2025 (HLWS570) (current status unknown — treat as historical).

Shadow minister 4

  • Dr Ben Spencer → src
    Conservative MP (Runnymede and Weybridge); principal opposition voice across all seven committee sittings; tabled NC14 (register of foreign powers under Part 4) and NC15 (review of cyber-security risk posed by foreign powers) at report stage.
  • Alison Griffiths → src
    Conservative MP (Bognor Regis and Littlehampton); active throughout the Public Bill Committee on scope and enforcement questions.
  • Lincoln Jopp → src
    Conservative MP (Spelthorne); spoke across all seven committee sittings.
  • Bradley Thomas → src
    Conservative MP (Bromsgrove); contributed to committee debates on supply-chain and critical-supplier scope.

Lead committee 3

  • Cyber Security and Resilience Bill Public Bill Committee → src
    Chairs Emma Lewell, Esther McVey, Dr Andrew Murrison and Graham Stringer; took oral evidence (3-5 Feb 2026) and considered amendments through 24 Feb 2026.
  • Business and Trade Committee → src
    Its 11th Report 'Toward a new doctrine for economic security' (HC 835) was cited as a relevant document at Second Reading on 6 Jan 2026.
  • Joint Committee on the National Security Strategy → src
    Its Dec 2023 report 'A hostage to fortune: ransomware and UK national security' is a key independent reference for the Bill's framing.

Witnesses & evidence-givers 12

  • techUK → src
    Submitted supplementary written evidence (CSRB37) to the Public Bill Committee.
  • Microsoft → src
    Submitted written evidence (CSRB39) on the Bill's treatment of digital service providers and managed service providers.
  • Cloudflare → src
    Submitted written evidence (CSRB38) to the Public Bill Committee.
  • National Grid → src
    Submitted written evidence (CSRB40) from a CNI operator perspective.
  • National Gas → src
    Submitted written evidence (CSRB20) on energy-sector resilience duties.
  • Capita → src
    Submitted written evidence (CSRB33) — relevant in light of large-scale outsourcing and managed-service exposure.
  • CrowdStrike → src
    Submitted written evidence (CSRB30) on incident-response and threat-intelligence aspects.
  • NCC Group → src
    Submitted supplementary written evidence (CSRB29) on technical assurance.
  • UK Cyber Security Council → src
    Submitted two pieces of written evidence (CSRB06 and CSRB32) on cyber-workforce capacity.
  • UK Finance → src
    Submitted written evidence (CSRB14) on financial-sector resilience interactions.
  • Association of British Insurers → src
    Submitted written evidence (CSRB23) on insurance-market implications.
  • British Insurance Brokers' Association → src
    Submitted written evidence (CSRB28) on insurance broking and cyber insurance penetration.

Regulator / delivery programme 4

  • National Cyber Security Centre → src
    Maintains the Cyber Assessment Framework (CAF) and issued January 2026 CNI-facing guidance urging leaders to act on severe cyber threat.
  • Information Commissioner's Office → src
    Competent authority for relevant digital service providers under reg 12 NIS 2018; reg 12(7)(b) was amended in 2021 to require RDSPs to have regard to ICO guidance.
  • Ofgem → src
    Joint competent authority with DESNZ for downstream gas and electricity OES; issued NIS Guidance v3.0 in January 2026.
  • Regulatory Policy Committee → src
    Issued a green-rated opinion on the Bill's impact assessment (17 Nov 2025) and submitted written evidence (CSRB34) to committee.

Commentator 12

  • Victoria Collins → src
    Liberal Democrat MP; lead signatory on a cluster of report-stage new clauses including NC2 (SME cyber-support service), NC4 (critical manufacturing and retail), NC5 (local authorities as OES), NC6 (CMA 1990 review), NC10 (board oversight) and NC13 (Digital Sovereignty Strategy on foreign-tech relian
  • David Chadwick → src
    Liberal Democrat MP (Brecon, Radnor and Cwm Tawe); co-signatory on Lib Dem report-stage new clauses on resourcing of regulators (NC7), electoral infrastructure as OES (NC8), political parties as OES (NC9), board oversight (NC10) and regular testing (NC11); active across all seven committee sittings.
  • Freddie van Mierlo → src
    Liberal Democrat MP (Henley and Thame); co-signatory on the Lib Dem new-clause cluster and tabled amendment to clause 40 increasing review frequency from five-yearly to three-yearly.
  • Helen Maguire → src
    Liberal Democrat MP; co-signatory on NC2-NC5 new clauses on SME support, foreign-state ownership review, critical manufacturing/retail and local authorities.
  • Alex Sobel → src
    Labour (Co-op) MP; lead signatory on NC12 'last-resort' powers for data centres and AI models — the most novel report-stage clause, co-signed by Conservative and Lib Dem MPs.
  • Sir Iain Duncan Smith → src
    Conservative MP; lead signatory on cross-party amendment 3 inserting a fair-trial exemption to limit information-sharing with overseas authorities in jurisdictions where the right to a fair trial cannot be guaranteed.
  • Siân Berry → src
    Green Party MP; tabled NC16 requiring a Digital Sovereignty Strategy with explicit focus on open-source software, open standards and supply-chain dependency.
  • Chris Vince → src
    Labour/Co-op MP (Harlow); the most active Labour backbencher across all seven Public Bill Committee sittings.
  • Emily Darlington → src
    Labour MP (Milton Keynes Central); active across six Public Bill Committee sittings and a co-signatory on amendment 3 (fair-trial exemption).
  • Dave Robertson → src
    Labour MP (Lichfield); spoke in five Public Bill Committee sittings.
  • Andrew Cooper → src
    Labour MP (Mid Cheshire); spoke in four Public Bill Committee sittings including the first and second oral-evidence sessions.
  • Sarah Russell → src
    Labour MP (Congleton); spoke in four Public Bill Committee sittings.

Civil society 3

  • Liberty → src
    Civil-liberties NGO; co-author with Privacy International of CSRB16 raising rights concerns on directions and information-sharing.
  • Privacy International → src
    Co-author with Liberty of CSRB16 raising rights concerns on directions and information-sharing.
  • Open Rights Group → src
    Digital-rights NGO; submitted CSRB04 on civil-liberties implications of the Bill.

Political commitments

  • commitment King's Speech announcement Labour · 2026 · King's Speech announces Cyber Security and Resilience Bill

    Cyber Security and Resilience Bill confirmed in King's Speech 2026

    The King's Speech 2026 cyber bill to strengthen the UK's defences against cyber threats, update resilience duties, and protect essential and digital services.

    Why linked: Names the Bill as a Government priority during its parliamentary passage.

  • commitment Ministerial statement Labour · 2025 · Cyber Security and Resilience Policy Statement

    Cyber Security and Resilience Policy Statement (1 Apr 2025)

    Today the Government has published a policy statement on proposed legislative measures to bolster the UK's cyber security and resilience.

    Why linked: Pre-introduction commitment by Government setting out the Bill's measures.

  • commitment Ministerial statement Labour · 2025 · Cyber Security and Resilience

    Introduction-day WMS on Synnovis and the Bill (12 Nov 2025)

    In June 2024, Synnovis, a supplier of pathology services to the NHS, was the victim of a ransomware attack.

    Why linked: Frames the Bill as a direct legislative response to the Synnovis attack on NHS pathology services.

Open questions & gaps

Pending in the lifecycle

  • Report stage and Third Reading in the Commons — the most recent Amendment Paper is dated 30 April 2026 with a substantial cross-party new-clause programme yet to be resolved.
  • Lords stages, where civil-liberties amendments on information-sharing (amendment 3) and the breadth of delegated powers will likely be the principal pressure points.
  • Consequential secondary legislation amending the NIS Regulations 2018, including the contents of any Keeling-schedule changes once the Bill is enacted.

Beyond the corpus

  • FOUND Terminally Ill Adults (End of Life) Bill — Select Committee report: 52nd Report of the Delegated Powers and Regulatory … · for gap: Delegated Powers and Regulatory Reform Committee report · 14 Apr 2026
  • MISSING A Lords Library briefing on the Bill — Standard for a Government Bill of this scale once it reaches the Lords; not yet present in the events list.
  • MISSING Joint Committee on Human Rights report — Civil-society evidence from Liberty/Privacy International/Open Rights Group signals rights-engagement that typically draws JCHR scrutiny.
  • MISSING An impact-assessment update covering report-stage changes — The RPC's green rating was on the introduction-version IA; material report-stage changes (e.g. board oversight, regular testing, foreign-power register) may require refreshed assessment.

Confidence gaps

  • Exact commencement and transitional architecture is not yet visible from the corpus — secondary legislation will determine when MSP, critical-supplier and data-centre obligations bite.
  • Interaction between the Bill's national-security direction power and the proposed Tackling State Threats Bill/National Security Bill announced in the King's Speech 2026 is not detailed in the available materials.
  • Treatment of the Computer Misuse Act 1990 reform — flagged in evidence (CyberUp) and in NC6 — is being addressed in the parallel National Security Bill announced in the King's Speech, not on the face of this Bill.