On the 6th January, the Cyber Security and Resilience Bill underwent its second reading in the House of Commons. The Bill is now set to be passed through the House of Commons, with the expectation of Royal Assent in mid-2026.
The legislation represents the most significant effort to date in modernising the UK’s cyber framework by expanding the scope of regulated services, strengthening reporting requirements, and providing regulators with enhanced tools to enforce compliance. The legislation further develops the UK’s NIS regime, bringing it closer in line with the EU’s NIS2 directive.
The legislation aims to establish new definitions for relevant digital service providers (including online marketplaces, search engines and cloud computing services) and for incidents (to include events capable of affecting network and information systems, even where no data has been compromised).
The Bill will mandate 24-hour initial incident reporting, with a full report required after 72 hours. It will also widen the range of organisations subject to cybersecurity standards, introducing data centres as essential services under joint oversight from Ofcom and the Secretary of State for DSIT.
Following its second reading, the Bill will enter committee stage, where a detailed clause-by-clause examination will take place. During this process, Parliament will look to agree more complete definitions of which entities are in scope and what the exact penalty regimes may be for non-compliance, and to specify more detailed security and resilience requirements.