The Cyber Security and Resilience Bill had its House of Lords second reading on Tuesday 14 July, carrying a fine ceiling of £17m or 4% of global turnover 1. Peers debated bringing managed service providers (MSPs), the outsourced IT firms that run systems for other companies, and data centres into critical-infrastructure scope for the first time. A new near-miss reporting duty would require organisations to flag incidents contained before they caused harm.
The bill cleared its Commons third reading on 10 June without a ransomware-payment regime , and the Lords stage reopened the scope question. Contention centres on whether retail and manufacturing should fall inside the regime, and on how much is left to secondary legislation rather than settled in the bill itself. Peers pressed on the delegated-powers point, a recurring Lords objection to framework bills.
MSPs selling into UK critical sectors would carry statutory cyber obligations in their own right, rather than only through client contracts. That reshapes supply-chain due diligence and the questions buyers must put to their outsourced providers. The £17m ceiling gives those duties financial weight no voluntary pledge carried.
