TL;DR
The Cyber Security and Resilience Bill cleared the Commons in June 2026 and is now moving through the House of Lords. It overhauls the UK's ageing NIS Regulations, pulls data centres and managed service providers into scope, and introduces 24- and 72-hour incident reporting alongside turnover-based fines. Royal assent is expected in 2026, so the time to prepare is before the obligations bite, not after.
The UK's cyber rulebook is being rewritten. According to the UK Parliament bill page, the Cyber Security and Resilience Bill completed its Commons report stage and third reading on 10 June 2026 and was introduced to the House of Lords on 17 June 2026, with Lords Second Reading scheduled for 14 July 2026. The Bill amends rather than replaces the NIS Regulations 2018, modernising a framework widely seen as no longer fit for the current threat environment.
For GRC leaders, the substance matters more than the timeline. The Bill introduces two-stage incident reporting, a 24-hour initial notification followed by a 72-hour full report, closely mirroring the EU's NIS2. It brings data centres and medium and large managed service providers into scope for the first time, and it carries serious financial consequences: standard maximum penalties of £10m or 2% of global turnover, a higher tier of £17m or 4% of worldwide turnover, and daily fines of up to £100,000 for continuing contraventions.
The reporting clock is where most organisations will struggle. A 24-hour notification duty turns incident response from a technical task into a governance one, requiring you to detect, classify, and escalate fast enough to notify regulators within a single day. This is precisely where a modern GRC platform earns its place.
6clicks lets teams log, triage, and escalate incidents through structured workflows, with the evidence trail tied to the obligation so a notification is retrieved from a live system rather than assembled under pressure. Because 6clicks runs on Sovereign GRC Infrastructure, deployable in UK-hosted sovereign cloud, on-premises, or air-gapped environments, operators of essential services keep sensitive incident data inside UK boundaries while staying audit-ready.
One important caveat for your planning: the Bill is not yet law, and its detailed thresholds and commencement dates depend on royal assent and subsequent secondary legislation. Treat its provisions as scheduled rather than binding, but don't mistake "not yet law" for "not yet urgent." The organisations that fare best will have their reporting workflows and control evidence in place well before the first commencement order lands.
Frequently asked questions