
Cyber Security and Resilience Bill
Cyber Security and Resilience Bill
Last refreshed: 14 July 2026 · Appears in 1 active topic
Will the 24-hour notification clock be law before the next Trellix-scale disclosure gap occurs?
Timeline for Cyber Security and Resilience Bill
UK cyber bill hits Lords with £17m cap
Cybersecurity: Threats and DefencesMentioned in: NCSC counts 200+ UK infrastructure hits
Cybersecurity: Threats and DefencesPassed report stage and third reading in the Commons on 10 June, advancing to the Lords
Cybersecurity: Threats and Defences: UK cyber bill drops payment regimeMentioned in: ICO fines South Staffs Water £963,900
Cybersecurity: Threats and DefencesMentioned in: RansomHouse posts Trellix internal screenshots as extortion leverage
Cybersecurity: Threats and DefencesWhat does the UK Cyber Security and Resilience Bill require companies to do?
When does the UK Cyber Security and Resilience Bill become law?
Why does the Trellix breach matter for the UK's new cyber law?
Background
The Cyber Security and Resilience Bill is the UK Government's legislation to update and extend the Network and Information Systems (NIS) Regulations 2018, broadening mandatory cyber-incident reporting and security obligations to cover a wider range of critical national infrastructure sectors, managed service providers, and digital supply-chain entities. Its headline measure is a 24-hour initial-notification requirement for reportable cyber incidents, intended to close the gap between breach discovery and public or regulator awareness. Oversight sits with DSIT and Ofcom, extending the existing NIS Regulations enforcement structure rather than creating a new regulator.
The Bill passed its Commons report stage and third reading on 10 June 2026 and reached the House of Lords second reading on 14 July 2026, carrying a fine ceiling of £17m or 4% of global turnover. It has not yet received Royal Assent.
At its Lords second reading on 14 July, the Bill brought managed service providers and data centres into critical-infrastructure scope for the first time and added a new near-miss reporting duty, alongside the £17m/4%-of-turnover fine ceiling. Peers remain divided over whether retail and manufacturing should be brought into scope, and over how much of the regime's detail is Left to secondary legislation rather than fixed in the Bill's text.
The Trellix breach gives Parliament a direct current-quarter example of what the 24-hour notification clause targets: Trellix disclosed a 17 April 2026 intrusion on 8 May, a 21-day self-disclosure gap, before RansomHouse posted internal screenshots around 11 May, 24 days after initial access. The South Staffordshire Water case compounds the picture, a 2022 ransomware breach that ran undetected for 20 months before a £963,900 ICO fine on 12 May 2026 under the existing Data Protection Act 2018 and UK GDPR Article 32, obligations the ICO is already enforcing against the same CNI sectors the Bill targets without waiting for Royal Assent.