Skip to content
All Blogs

The UK's Cyber Security and Resilience Bill: What to do now

Published
The UK's Cyber Security and Resilience Bill: What to do now
The UK's Cyber Security and Resilience Bill: What to do now
2:55

 

 


TL;DR

 

The Cyber Security and Resilience Bill cleared the Commons in June 2026 and is now moving through the House of Lords. It overhauls the UK's ageing NIS Regulations, pulls data centres and managed service providers into scope, and introduces 24- and 72-hour incident reporting alongside turnover-based fines. Royal assent is expected in 2026, so the time to prepare is before the obligations bite, not after.

The UK's cyber rulebook is being rewritten. According to the UK Parliament bill page, the Cyber Security and Resilience Bill completed its Commons report stage and third reading on 10 June 2026 and was introduced to the House of Lords on 17 June 2026, with Lords Second Reading scheduled for 14 July 2026. The Bill amends rather than replaces the NIS Regulations 2018, modernising a framework widely seen as no longer fit for the current threat environment.

 

For GRC leaders, the substance matters more than the timeline. The Bill introduces two-stage incident reporting, a 24-hour initial notification followed by a 72-hour full report, closely mirroring the EU's NIS2. It brings data centres and medium and large managed service providers into scope for the first time, and it carries serious financial consequences: standard maximum penalties of £10m or 2% of global turnover, a higher tier of £17m or 4% of worldwide turnover, and daily fines of up to £100,000 for continuing contraventions.

 

The reporting clock is where most organisations will struggle. A 24-hour notification duty turns incident response from a technical task into a governance one, requiring you to detect, classify, and escalate fast enough to notify regulators within a single day. This is precisely where a modern GRC platform earns its place.

 

6clicks lets teams log, triage, and escalate incidents through structured workflows, with the evidence trail tied to the obligation so a notification is retrieved from a live system rather than assembled under pressure. Because 6clicks runs on Sovereign GRC Infrastructure, deployable in UK-hosted sovereign cloud, on-premises, or air-gapped environments, operators of essential services keep sensitive incident data inside UK boundaries while staying audit-ready.

 

One important caveat for your planning: the Bill is not yet law, and its detailed thresholds and commencement dates depend on royal assent and subsequent secondary legislation. Treat its provisions as scheduled rather than binding, but don't mistake "not yet law" for "not yet urgent." The organisations that fare best will have their reporting workflows and control evidence in place well before the first commencement order lands.

Frequently asked questions

Operators of essential services and relevant digital service providers under the existing NIS framework, plus newly in-scope data centres and medium and large managed service providers. 

A 24-hour initial notification followed by a 72-hour full report, closely aligned with the EU's NIS2 approach. 

Standard maximums of £10m or 2% of global turnover, a higher tier of £17m or 4% of worldwide turnover, and daily fines up to £100,000 for continuing contraventions. 

Royal assent is expected in 2026, with obligations phased in through secondary legislation, potentially running to 2028.

 

 

Prepare with peers, not in isolation. Join the 6clicks team at our upcoming in-person UK roadshow to pressure-test your CSR Bill readiness with other GRC leaders. Reserve your place here. 

Ready to transform GRC with 6clicks?

Let’s show you how it works for your team.

awards-mobile-v3