Decoding the world of cybersecurity

Cyber resilience Bill advances in Lords

The UK Cyber Security and Resilience Bill has reached Lords second reading, extending debate around essential services, suppliers, reporting, and resilience.

Cyber resilience Bill advances in Lords
Summary
  • The Cyber Security and Resilience Bill is active in the House of Lords.
  • The Bill amends the UK NIS framework for network and information systems supporting essential activities.
  • It sits alongside wider pressure on datacentres, managed services, critical suppliers, and incident reporting.

UK Parliament has moved the Cyber Security and Resilience (Network and Information Systems) Bill through Lords second reading, keeping one of the UK’s most substantial cyber policy reforms in active legislative progress.

The Bill’s long title says it makes provision, including amendments to the Network and Information Systems Regulations 2018, about the security and resilience of network and information systems used or relied on in connection with essential activities. The current version is listed as HL Bill 32, brought from the Commons on 17 June 2026, with Lords second reading taking place on 14 July.

The Bill page provides the current parliamentary status, while the stages page shows the measure moving through the Lords after Commons third reading in June. The legislative process is not complete, and amendments may still alter its final shape, but the direction is already visible: the UK is moving to update its NIS-based cyber resilience framework for a more dependent, outsourced, and infrastructure-heavy digital economy.

The existing NIS regime was built around operators of essential services and relevant digital service providers. Since then, the risk environment has shifted. Managed service providers, cloud platforms, datacentres, software suppliers, and specialist technology dependencies now sit inside the operational continuity of government, finance, healthcare, energy, transport, and other essential services. Incidents at suppliers can become sector events even when the directly regulated operator did not originate the failure.

The Bill belongs to the same policy family as NIS2 in the EU, DORA in financial services, the Cyber Resilience Act for product security, and the UK’s critical third-party regime for finance. The common feature is a move away from narrow perimeter thinking. Regulators are increasingly asking whether organisations understand the systems, suppliers, dependencies, and recovery paths that support essential activity.

Preparation will need to begin before final obligations arrive. Legislative passage can create a false sense of distance, but compliance readiness depends on work that takes time: mapping network and information systems, identifying critical suppliers, testing incident reporting procedures, documenting resilience measures, and ensuring contracts allow timely information sharing during incidents.

The Bill also affects accountability. Where a critical service depends on a managed service provider, datacentre operator, software vendor, or outsourced platform, responsibility cannot be left to technical teams negotiating under pressure during an incident. Governance needs to be defined before failure, including who declares an incident, who reports to regulators, who can demand evidence from suppliers, and how recovery priorities are agreed when several customers are affected at once.

The Lords stage will determine the next political and legal shape of the reforms, including any amendments on scope, testing, digital sovereignty, suppliers, or reporting. Even before final passage, the Bill confirms that UK cyber policy is moving further into operational resilience, with continuity of essential services, supplier accountability, and recovery capability sitting alongside prevention.

×