Skip to content
You can now search across every topic, entity and event.What's new
Cybersecurity: Threats and Defences
14JUL

UK cyber bill hits Lords with £17m cap

2 min read
08:46UTC

The Cyber Security and Resilience Bill had its Lords second reading on 14 July, carrying a £17m fine ceiling and pulling MSPs and data centres into critical-infrastructure scope.

TechnologyDeveloping
Key takeaway

The UK cyber bill gives outsourced IT providers statutory duties backed by a £17m fine ceiling.

The Cyber Security and Resilience Bill had its House of Lords second reading on Tuesday 14 July, carrying a fine ceiling of £17m or 4% of global turnover 1. Peers debated bringing managed service providers (MSPs), the outsourced IT firms that run systems for other companies, and data centres into critical-infrastructure scope for the first time. A new near-miss reporting duty would require organisations to flag incidents contained before they caused harm.

The bill cleared its Commons third reading on 10 June without a ransomware-payment regime , and the Lords stage reopened the scope question. Contention centres on whether retail and manufacturing should fall inside the regime, and on how much is left to secondary legislation rather than settled in the bill itself. Peers pressed on the delegated-powers point, a recurring Lords objection to framework bills.

MSPs selling into UK critical sectors would carry statutory cyber obligations in their own right, rather than only through client contracts. That reshapes supply-chain due diligence and the questions buyers must put to their outsourced providers. The £17m ceiling gives those duties financial weight no voluntary pledge carried.

Deep Analysis

In plain English

This is a UK law working its way through Parliament that would tighten cyber-security rules for organisations judged critical to the country, like power, water and telecoms. It had its second reading, a debate stage, in the House of Lords on 14 July. The bill would bring managed service providers, companies that run IT systems for other businesses, and data centres under these tougher rules for the first time. Firms that break the rules could be fined up to £17m or 4% of their global turnover, whichever is higher, and would have to report near-miss security incidents alongside successful breaches.

Deep Analysis
Root Causes

The bill's Lords stage follows its Commons report stage and third reading on 10 June , where the consulted ransomware-payment ban for CNI operators was already dropped from the published text.

MSPs currently sit entirely outside the UK's 2018 NIS Regulations, so an attacker compromising one MSP's remote-access tooling can reach every downstream CNI client without tripping any of those clients' own reporting duties, which is the specific gap the near-miss duty is designed to close.

First Reported In

Update #10 · One operator worked both ransomware brands

UK Parliament· 14 Jul 2026
Read original
Causes and effects
This Event
UK cyber bill hits Lords with £17m cap
Managed service providers selling into UK critical sectors would carry statutory cyber duties in their own right, reshaping supply-chain due diligence.
Different Perspectives
UK managed service providers and data centre operators
UK managed service providers and data centre operators
Newly brought into critical-infrastructure scope by the Cyber Security and Resilience Bill's Lords second reading, facing fines up to £17m or 4% of global turnover and a new near-miss reporting duty they did not previously carry. The sector moves from best-practice guidance to statutory exposure within this Parliamentary session.
Threat-intelligence industry
Threat-intelligence industry
SOCRadar's confirmation that one operator sits on two ransomware crews' negotiation panels, following Bitdefender's affiliate-overlap flag six weeks earlier, gives the sector its second independent data point that brand-based tracking undercounts shared access. The firms doing this work are shifting language from named-group attribution toward access-broker mapping.
FSB Centre 16
FSB Centre 16
Named by NCSC as running an SNMP-hijacking campaign against communications, energy, healthcare, defence and financial-services operators, harvesting device data and reconfiguring routers through a decades-old plaintext-authentication protocol. The campaign runs in parallel to, not in place of, the GRU's separate DNS-hijacking operation named in April.
CISA
CISA
CISA's Known Exploited Vulnerabilities catalogue added seven CVEs between 5 and 14 July, none from a headline security vendor, capped by the 18-year-old Cisco IOS bug CVE-2008-4128. BOD 26-04's risk-tiered listing rules make that slowdown as much a policy artefact as a threat-intensity read.
Nidec
Nidec
Nidec faces a $2m demand from Blackfield after the crew breached a server at its supplier Chaun Choung Technology rather than Nidec's own network. The attack reached Nidec's data without touching its own perimeter at all, the same supply-chain route World Leaks used against Tata Electronics.
Tata Electronics
Tata Electronics
Tata Electronics restricted remote access to its purchase-order systems and hired a forensic consultant after World Leaks posted 630GB of its files, including purported Apple and Tesla design material, to a leak site. The exposed value sits on its customers' balance sheets, not its own, which is what makes it hard to price.