Summary
- The Cyber Security and Resilience Bill is scheduled for report stage and third reading on 10 June 2026.
- The bill would amend the UK’s NIS Regulations and expand coverage to data centres, large load controllers, managed service providers, and critical suppliers.
- Its practical effect will depend on enforcement capacity, sector consistency, and how supplier obligations are applied.
The Cyber Security and Resilience Bill is moving towards its next House of Commons stage, with report stage and third reading scheduled for 10 June 2026.
A House of Commons Library briefing says the bill would update the UK’s cyber security legislation for critical national infrastructure, mainly by amending the Network and Information Systems Regulations 2018. The bill extends across the UK and, if passed, is expected to become law in 2026.
The Commons Library briefing says the bill was introduced to the House of Commons on 12 November 2025, had second reading on 6 January 2026, and completed committee stage between 3 and 24 February 2026.
The measures would broaden the scope of the existing NIS regime. The briefing says the bill would bring into scope data centres, large load controllers, managed service providers, and suppliers critical to a regulated organisation’s ability to provide an essential service. It would also strengthen regulators’ ability to recover costs, share information, impose higher fines, and require more cyber incident reporting.
The supplier provisions may become one of the bill’s most consequential elements. Modern essential services depend on outsourced technology, managed providers, cloud platforms, software vendors, specialist support contractors, and remote maintenance arrangements. Cyber incidents increasingly reach a regulated operator through those dependencies rather than through a direct attack on the operator.
The UK’s current NIS Regulations cover sectors such as energy, transport, health, drinking water, digital infrastructure, and certain digital services. Reform has been building for several years as government has sought to reflect changing risk, wider dependence on digital services, and the need for more consistent regulatory oversight.
Data centres are a central addition. They underpin cloud services, public-sector systems, financial platforms, enterprise workloads, and digital infrastructure across the economy. Their security and resilience are no longer facilities issues at the edge of technology management; outages, intrusion, and dependency concentration can affect service continuity well beyond one provider.
Managed service providers raise a different set of challenges. They often hold privileged access into multiple customer environments, which makes them attractive targets for attackers seeking scale. Bringing them closer to statutory oversight could improve assurance, but the market is varied. It includes large providers, niche specialists, outsourced IT operators, and organisations whose services sit somewhere between consultancy, administration, and operational control.
The bill also retains the UK’s sectoral regulatory model rather than creating a single cyber regulator. That preserves sector expertise, but consistency remains a live issue. Regulators differ in cyber capability, enforcement culture, funding, and familiarity with fast-moving technical risk. Stronger powers will only change behaviour if competent authorities can use them effectively.
Incident reporting will be another practical test. Broader reporting can improve national visibility, but poorly calibrated obligations can generate noise, duplicate submissions, and uncertainty during live incidents. Reporting thresholds, timing, regulator feedback, and the practical use of submitted data will determine whether the regime improves supervision or simply adds administrative load.
The bill should be read as a resilience and accountability measure rather than a compliance update. It will shape who is regulated, what suppliers must evidence, how incidents are reported, and how the state intervenes where cyber failure threatens essential services. Parliament will settle the text; the operational burden will arrive through implementation, supervision, and the first serious incidents handled under the new regime.



