On 10 June 2026, the Cyber Security and Resilience (Network and Information Systems) Bill passed its report stage and third reading in the House of Commons and moved to the House of Lords. It is the most substantial overhaul of UK cyber security regulation since the Network and Information Systems (NIS) Regulations 2018, and it arrives at a moment when the threat picture leaves little room for argument about whether updating the framework was necessary. The question worth asking as the Lords take the bill is whether it is calibrated correctly — and whether the institutions responsible for enforcing it are actually prepared to do so.
Why the Pressure to Act Was Real
Any serious analysis of the bill has to start by acknowledging that the case for it is strong. The NCSC dealt with 204 nationally significant cyber incidents in the twelve months to August 2025 — more than double the 89 recorded in the prior year, averaging four per week. Eighteen of those were classified as "highly significant," with potential for serious impact on essential services. Roughly 43% of UK businesses experienced a cyber-attack in the past year. The estimated annual cost sits at £14.7 billion — approximately 0.5% of GDP. The UK government's own data suggests that 95% of critical national infrastructure organisations experienced a data breach in 2024.
Against that backdrop, the scope of the 2018 NIS regime looked increasingly anachronistic. It covered operators of essential services in energy, transport, water, health, and digital infrastructure — but it did not cover the managed service providers (MSPs) that run the IT systems underpinning those operators. Supply chain attacks had long demonstrated that the perimeter around critical infrastructure was only as strong as its least-regulated dependency. That gap needed closing, and the bill closes it.
A Significantly Wider Net
The bill expands the NIS framework along four main dimensions. First, medium and large managed service providers — companies providing ongoing management, monitoring, and administration of third-party IT systems — become "Relevant Managed Service Providers" (RMSPs) regulated directly by the Information Commissioner's Office. Micro and small enterprises are exempt unless designated as critical suppliers, a proportionate carve-out that avoids swamping smaller operators with compliance costs designed for enterprise-scale actors.
Second, data centres meeting rated IT load thresholds — 1 megawatt for standalone operators, 10 megawatts for enterprise facilities — are designated as operators of essential services, with Ofcom as regulator. Third, large load controllers managing 300 megawatts or more of aggregate electrical load for smart appliances come into scope. Fourth, and most elastically, regulators gain the power to designate "critical suppliers" — indirect dependencies of essential services — without requiring new primary legislation.
On incident reporting, the 72-hour initial notification window under the 2018 regime tightens dramatically to 24 hours for an early warning, followed by a full report within 72 hours. Regulated entities must also notify affected UK customers as soon as reasonably practicable following regulatory notification. The penalty structure moves from three bands to two: standard contraventions face up to £10 million or 2% of global annual turnover (whichever is higher); serious or repeated breaches face up to £17 million or 4% of global turnover. Daily penalties of up to £100,000 apply to ongoing contraventions.
The NIS2 Contrast
The EU's NIS2 Directive, transposed by member states by October 2024, offers a useful comparison. On incident reporting, both frameworks converge on 24-hour initial notification and a 72-hour full report — but NIS2 additionally requires a final incident report within one month, a provision the UK bill does not replicate. That omission is arguably a gap; post-incident analysis reports produce the systemic intelligence that regulators need to calibrate future requirements.
On penalties, the UK bill's headline maximum actually exceeds NIS2. NIS2 caps fines for essential entities at €10 million or 2% of global turnover; the UK's serious-breach band reaches £17 million or 4%. The UK government has framed this as matching GDPR-level deterrence. That framing is internally consistent, but it sits awkwardly alongside the post-Brexit "smarter regulation" agenda, particularly when the UK framework simultaneously covers fewer sectors than NIS2, which extends to manufacturing, food production, and space.
NIS2 also introduces personal liability for management bodies, with mandatory cyber security training requirements for executives of essential entities. The UK bill omits this dimension. That omission is a proportionate call for now — personal liability at the board level raises due-process concerns that deserve deliberate drafting rather than hasty transposition — but it means organisations operating under both regimes face meaningfully different accountability structures.
Design Questions for the Lords
The bill's most scrutiny-worthy provision is the critical supplier designation mechanism. In principle, it is the right tool: a flexible, evidence-based power to bring indirect supply chain dependencies into regulatory scope without triggering full legislative cycles. In practice, it hands regulators — and ultimately the Secretary of State — a broadly defined power to expand the regulatory perimeter through secondary legislation. The Lords should press for clear designation criteria, mandatory consultation requirements, and time-limited review obligations to prevent the mechanism from becoming a quiet route to open-ended scope creep.
The sector coverage question also merits attention. The bill's exclusion of manufacturing and food sectors reflects the current designation architecture, but 2025 saw major ransomware incidents affecting UK retailers and automotive supply chains — sectors outside the bill's reach. The critical supplier mechanism offers a safety valve, but reactive designation is slower than proactive coverage.
The deepest question, however, is enforcement credibility. The 2018 NIS regime built an enforcement framework with penalty powers that regulators used sparingly. Raising maximum fines to £17 million achieves nothing if the same structural reluctance to impose penalties persists. Higher headline numbers paired with infrequent enforcement would be worse than moderate penalties reliably applied — they would signal that the new regime, like the old one, is navigable by determined non-compliers.
The bill's direction of travel is correct. The threat landscape made expanding the NIS perimeter to MSPs and data centres not just defensible but necessary. The 24-hour reporting window is demanding and right. The enforcement architecture now needs the Lords to ensure the powers on paper become habits of action.