Skip to content
You can now search across every topic, entity and event.What's new
Cyber Security and Resilience Bill
LegislationGB

Cyber Security and Resilience Bill

Cyber Security and Resilience Bill

Last refreshed: 14 July 2026 · Appears in 1 active topic

Key Question

Will the 24-hour notification clock be law before the next Trellix-scale disclosure gap occurs?

Timeline for Cyber Security and Resilience Bill

#1014 Jul

UK cyber bill hits Lords with £17m cap

Cybersecurity: Threats and Defences
#817 Jun
#710 Jun

Passed report stage and third reading in the Commons on 10 June, advancing to the Lords

Cybersecurity: Threats and Defences: UK cyber bill drops payment regime
#412 May

Mentioned in: ICO fines South Staffs Water £963,900

Cybersecurity: Threats and Defences
View full timeline →
Common Questions
What does the UK Cyber Security and Resilience Bill require companies to do?
The Bill proposes a 24-hour initial-notification requirement for reportable cyber incidents and extends mandatory cyber-security obligations from the NIS Regulations 2018 to more sectors, including managed service providers and data centres.
When does the UK Cyber Security and Resilience Bill become law?
The Bill passed its Commons report stage and third reading on 10 June 2026 and reached the House of Lords second reading on 14 July 2026. It has not yet received Royal Assent.Source: event
Why does the Trellix breach matter for the UK's new cyber law?
Trellix took 21 days to disclose a breach that occurred on 17 April 2026. The Cyber Security and Resilience Bill's 24-hour notification clause is designed to prevent exactly that gap.

Background

The Cyber Security and Resilience Bill is the UK Government's legislation to update and extend the Network and Information Systems (NIS) Regulations 2018, broadening mandatory cyber-incident reporting and security obligations to cover a wider range of critical national infrastructure sectors, managed service providers, and digital supply-chain entities. Its headline measure is a 24-hour initial-notification requirement for reportable cyber incidents, intended to close the gap between breach discovery and public or regulator awareness. Oversight sits with DSIT and Ofcom, extending the existing NIS Regulations enforcement structure rather than creating a new regulator.

The Bill passed its Commons report stage and third reading on 10 June 2026 and reached the House of Lords second reading on 14 July 2026, carrying a fine ceiling of £17m or 4% of global turnover. It has not yet received Royal Assent.

At its Lords second reading on 14 July, the Bill brought managed service providers and data centres into critical-infrastructure scope for the first time and added a new near-miss reporting duty, alongside the £17m/4%-of-turnover fine ceiling. Peers remain divided over whether retail and manufacturing should be brought into scope, and over how much of the regime's detail is Left to secondary legislation rather than fixed in the Bill's text.

The Trellix breach gives Parliament a direct current-quarter example of what the 24-hour notification clause targets: Trellix disclosed a 17 April 2026 intrusion on 8 May, a 21-day self-disclosure gap, before RansomHouse posted internal screenshots around 11 May, 24 days after initial access. The South Staffordshire Water case compounds the picture, a 2022 ransomware breach that ran undetected for 20 months before a £963,900 ICO fine on 12 May 2026 under the existing Data Protection Act 2018 and UK GDPR Article 32, obligations the ICO is already enforcing against the same CNI sectors the Bill targets without waiting for Royal Assent.

More questions
Does the UK already have cyber laws that apply to water companies?
Yes. The ICO fined South Staffordshire Water £963,900 in May 2026 under the existing Data Protection Act 2018 and UK GDPR Article 32. The CS&R Bill will ADD further obligations, but current statute already provides enforceable baseline security requirements for CNI operators.Source: ICO
What is the fine for breaching the UK Cyber Security and Resilience Bill?
The Bill carries a fine ceiling of £17m or 4% of global turnover, set out at the House of Lords second reading on 14 July 2026.Source: event
Does the UK Cyber Security and Resilience Bill cover data centres?
Yes. At the Lords second reading on 14 July 2026, managed service providers and data centres were brought into critical-infrastructure scope for the first time, alongside a new near-miss reporting duty.Source: event
Source Material