CommonsReport stage

Cyber Security and Resilience (Network and Information Systems) Bill

A Bill to Make provision, including provision amending the Network and Information Systems Regulations 2018, about the security and resilience of network and information systems used or relied on in connection with the carrying on of essential activities.

Originating House

House of Commons

Sponsor

Liz KendallLabour (Co-op)

Parliament last updated

26 March 2026

In Plain English

AI-generated

May contain errors — check source documents for definitive information.

The Cyber Security and Resilience Bill aims to strengthen the UK’s protection of essential services by widening the rules from the 2018 NIS Regulations to cover more organisations (like managed service providers, large data centres and cloud providers) and by setting out duties to secure networks, report incidents, and cooperate with regulators. It also contemplates reforms to related law and regulator powers, and creates new governance and information-sharing provisions. The bill is in Report Stage in the Commons, after detailed Committee scrutiny, with Labour amendments largely accepted to tighten information sharing and regulator arrangements, while several opposition and cross‑bench proposals for stronger governance or single reporting channels have been rejected so far.

Key Points

- Scope expanded: extends NIS duties to MSPs, large data centres, cloud providers and other critical suppliers, plus heightened focus on supply chains and essential services.
- Incident reporting and information sharing: strengthens incident reporting framework and aims to improve information sharing between regulators and industry; Labour amendments to enable sharing with listed bodies were agreed to, while some proposals for a single, central reporting channel were not adopted.
- Regulator structure: Labour amendments to designate Ofcom as the sole regulator for the data infrastructure subsector were agreed, removing a joint regulator arrangement that existed in draft form.
- Governance and oversight: several Liberal Democrat amendments pushed for board-level oversight and periodic testing of security, but these broader governance/testing provisions were defeated at this stage; other ideas sought more resources and scrutiny of regulatory capacity.
- Alignment and standards: amendments sought clearer alignment with international standards (e.g., NIS2, ISO) and defined boundaries for cloud services; some refinements to cloud definitions and direction rules were agreed.
- Proposals on sensitive topics: attempts to require a single incident channel, a state-actor risk register, annual progress reports, and reporting on foreign interference were defeated, while related information-sharing and regulatory clarity measures were accepted in part.
- Measures on SMEs and insurance: debates continued on SME support and the role of cyber insurance, with industry bodies pressing for proportionate duties and practical guidance; some provisions to ease burden while expanding resilience were pursued but not all were adopted.

Progress

The bill is currently at Report Stage in the Commons. It has moved beyond Committee scrutiny, with several Labour-proposed amendments accepted to strengthen information sharing and regulator structure, while many Conservative and Liberal Democrat tactics to impose new reporting channels or broader oversight were not adopted. The bill will continue through Parliament for further consideration and potential passage.

Who is affected?

- Managed Service Providers (MSPs) and data centre operators- Cloud service providers and other digital infrastructure firms- Organisations designated as critical suppliers or operating in essential services and their supply chains- Small and medium-sized enterprises (SMEs) affected by resilience duties and reporting requirements- Regulators (notably Ofcom) and government departments implementing cyber resilience rules- Cyber security professionals, researchers and industry bodies involved in resilience and incident response- Insurers and the cyber insurance market, which interact with resilience duties and reporting regimes

Generated 21 February 2026

Bill Stages

1st readingCommons

12 Nov 2025

2nd readingCommons

6 Jan 2026

Programme motionCommons

6 Jan 2026

Money resolutionCommons

6 Jan 2026

Ways and Means resolutionCommons

6 Jan 2026

Carry-over motionCommons

6 Jan 2026

Committee stageCommons

3 Feb 2026, 5 Feb 2026, 10 Feb 2026, 24 Feb 2026, 26 Feb 2026

Report stageCommons

3rd readingCommons

1st readingLords

2nd readingLords

Committee stageLords

Report stageLords

3rd readingLords

Royal Assent

Amendments (113)

66 no decision14 agreed12 defeated10 not called7 not moved4 withdrawn

Showing agreed, defeated, and withdrawn amendments.

Updates & Documents

News (1)

Cyber Security and Resilience (Network and Information Systems) Bill

12 Nov 2025

This is a public bill presented to Parliament by the Government.

The Bill was introduced to the House of Commons and given its First Reading on Wednesday 12 November 2025. This stage is formal and takes place without any debate.

What happens next?

MPs will next consider the Bill at Second Reading on Tuesday 6 January 2026.