Summary
- The Cyber Security and Resilience Bill was last updated on Parliament’s tracker on 1 July 2026.
- The bill amends the NIS Regulations 2018 and concerns systems used for essential activities.
- The Lords stage brings renewed scrutiny of scope, regulatory powers, supplier duties, and implementation capacity.
The UK’s Cyber Security and Resilience Bill has moved into the House of Lords, opening a further scrutiny phase for the government’s reform of NIS-style cyber regulation.
The Parliamentary bills tracker shows the Cyber Security and Resilience (Network and Information Systems) Bill as a government bill that originated in the Commons and is now in the Lords. It was last updated on 1 July 2026.
The bill’s long title says it makes provision, including amendments to the Network and Information Systems Regulations 2018, about the security and resilience of network and information systems used or relied on in connection with essential activities. The current Lords version is HL Bill 32, brought from the Commons on 17 June 2026.
The bill is sponsored by the Department for Science, Innovation and Technology. Its passage through the Lords will test how the proposed regime handles scope, regulator powers, incident reporting, supplier accountability, and implementation detail before the final parliamentary stages.
The policy direction reflects how digital dependency has changed since the 2018 NIS Regulations were introduced. Essential services now rely on managed service providers, software suppliers, datacentres, cloud platforms, remote support tools, outsourced operations, and complex third-party technology chains. Disruption in those supporting layers can affect public services and regulated sectors even where the immediate incident occurs outside a traditional operator.
Stronger reporting duties and wider regulatory scope can improve national visibility of cyber incidents and dependencies. The challenge is execution. Organisations need clear thresholds, usable reporting routes, and guidance that distinguishes material incidents from noise. Regulators need enough capacity and technical authority to interpret reports, supervise providers, and avoid creating paperwork that fails to improve resilience.
Supplier coverage will remain one of the most important areas. Critical services increasingly depend on technology businesses that may not have been regulated in the same way as operators of essential services. Bringing those dependencies into view can strengthen resilience, but accountability has to remain clear. Operators, suppliers, regulators, and customers all need to understand who is responsible for controls, notifications, recovery, and evidence.
The UK reforms will also sit beside NIS2 implementation across the EU and DORA in financial services. Organisations operating in both the UK and Europe will need to manage overlapping regimes covering incident reporting, supplier assurance, resilience testing, governance, and critical dependencies.
The Lords stage should clarify where ministers expect the balance to sit between flexibility and enforceability. The bill’s value will depend on whether it produces usable resilience duties, credible supervision, and better visibility of the technology dependencies underpinning essential activities.





