
Cyber Security and Resilience Bill

Last refreshed: 20 May 2026

Key Question

Will the 24-hour notification clock be law before the next Trellix-scale disclosure gap occurs?

Common Questions
What does the UK Cyber Security and Resilience Bill require companies to do?
The Bill proposes a 24-hour initial-notification requirement for reportable cyber incidents and extends mandatory cyber-security obligations from the NIS Regulations 2018 to more sectors, including managed service providers and supply-chain entities.
When does the UK Cyber Security and Resilience Bill become law?
The Bill was at Commons Report Stage from 2 March 2026 and had not received Royal Assent as of May 2026. The timeline to enactment depends on the parliamentary schedule.
Why does the Trellix breach matter for the UK's new cyber law?
Trellix took 21 days to disclose a breach that had occurred on 17 April 2026. The Cyber Security and Resilience Bill's 24-hour notification clause is designed to prevent exactly that gap. The case gives Parliament a current-quarter worked example of the disclosure-tempo problem the Bill targets.
Does the UK already have cyber laws that apply to water companies?
Yes. The ICO fined South Staffordshire Water £963,900 in May 2026 under the existing Data Protection Act 2018 and UK GDPR Article 32. The CS&R Bill will add further obligations, but current statute already provides enforceable baseline security requirements for CNI operators. Source: ICO

Background

The Cyber Security and Resilience Bill is the UK Government's proposed legislation to update and extend the Network and Information Systems (NIS) Regulations 2018, broadening mandatory cyber-incident reporting and security obligations to cover a wider range of critical national infrastructure sectors, managed service providers, and digital supply-chain entities. The Bill's headline measure is a 24-hour initial-notification requirement for reportable cyber incidents, intended to close the gap between breach discovery and public or regulator awareness. At the time of writing, the Bill had been at Commons Report Stage since 2 March 2026 and had not yet received Royal Assent.

The Trellix breach provides Parliament with a direct current-quarter example of what the 24-hour notification clause targets. Trellix disclosed a 17 April 2026 intrusion on 8 May 2026, a 21-day self-disclosure gap, and RansomHouse subsequently posted internal screenshots on approximately 11 May, 24 days after initial access. The total gap from initial access to public extortion pressure was 45 days, against the Bill's proposed 24-hour initial-notification clock. The South Staffordshire Water case compounds the picture: a 2022 ransomware breach ran undetected for 20 months before the ICO enforcement action on 12 May 2026.

A critical feature of the Bill's regulatory context is that the ICO is already applying enforceable cyber-security obligations under the Data Protection Act 2018 and UK GDPR Article 32 against the very sectors (water utilities, critical suppliers) the CS&R Bill targets, without waiting for Royal Assent. NCSC guidance now carries de facto enforceable weight via the ICO's interpretation of existing statutes, making the CS&R Bill's statutory regime an increment rather than a transformation of the live regulatory baseline.
