The Cyber Security and Resilience (Network and Information Systems) Bill had its second reading in January 2026 and is now in committee. The version on the parliamentary website is broadly the version that will become law, subject to amendments at report stage. There is enough on the page now to give boards a sensible read of what they should be preparing for, and there is enough time before commencement to do that preparation properly. This post is the board read of the Bill — not the legal one. For the legal one, go to your in-house counsel or external regulatory adviser. For the board view of what is changing and why, read on.
What the Bill is for
The Bill updates the NIS Regulations 2018, which were themselves the UK transposition of the first EU NIS Directive. The 2018 regulations were narrowly scoped, fragmented across competent authorities, and increasingly out of date relative to both the EU NIS2 Directive and the actual shape of the UK economy in 2026.
The Bill does four substantive things.
It widens the perimeter. The current regulations apply to operators of essential services (OES) in a small number of sectors and to digital service providers (DSPs) of a particular kind. The Bill widens this to capture managed service providers (a defined term), data centres above a threshold, and what the drafting calls upstream critical suppliers — firms whose failure would materially impair an OES or DSP. The widening is significant. Several thousand UK firms that were comfortably outside the 2018 perimeter will be inside the 2026 one.
It sharpens the reporting clock. The current regulations require notification of significant incidents without undue delay, with practical guidance suggesting 72 hours. The Bill tightens this to a 24-hour preliminary notification to the relevant competent authority and the NCSC, with a 72-hour full report. The wording follows the NIS2 model.
It strengthens the supply-chain provisions. The 2018 regulations were largely silent on supply chain. The Bill makes due diligence on critical suppliers an explicit obligation, with a defined right for the regulator to demand evidence of the diligence. The legislative direction is consistent with the lesson SolarWinds wrote into the supply-chain conversation in 2020 and that subsequent events have only reinforced. The Bill is the first UK statutory instrument that operationalises that lesson.
It puts more weight behind enforcement. The Bill clarifies the maximum penalties (up to £17m or 4% of global turnover, as in the 2018 regulations, but with the calculation methodology tightened) and gives competent authorities more direct enforcement instruments. It does not, in the version before Parliament now, create a single cyber regulator — the sectoral approach remains. But it gives the existing competent authorities sharper teeth. The Bill is also expected, in subsequent secondary legislation, to extend personal accountability for senior responsible persons in regulated entities — a direction of travel that the SEC's SolarWinds charges against CISO Tim Brown made internationally visible in 2023, and that the UK is now importing.
What is in scope
This is the part most boards are unsure about. Here is the working interpretation, recognising that statutory definitions will refine the boundaries.
If you were already in NIS 2018 scope as an OES or DSP, you remain in scope, with the new and sharper obligations. You should assume the bar has moved up, not down.
If you provide managed services to in-scope firms, the question is whether you meet the threshold for managed service provider as defined in the Bill. The current drafting catches firms that provide ongoing administrative access to ICT systems or services. That includes most MSPs, MSSPs, and a wide range of IT outsourcers. The threshold for inclusion is being worked through in committee, but the direction of travel is clear.
If you operate a data centre that meets the size threshold, you are in scope as a data centre operator. The threshold under discussion is a floor of 1 MW of IT load, with some operational tests around resilience criticality.
If you are an upstream critical supplier to an OES — that is, your service is something an OES could not do without — the regulator will be able to require diligence on you from the OES side, and may, in some cases, designate you directly. This is the provision that creates the most uncertainty in scoping conversations right now.
If you do not fall into any of these, you are not in NIS scope on the face of the Bill, but you should not relax. Your customers who are in scope will be required to evidence supply-chain diligence on you, and that diligence will land on your desk anyway.
What the executive should be doing
A short list of what I would, as a non-executive director, want to see in board papers in the next two quarters.
A scope determination paper. Written in plain English, signed off by the general counsel, summarising whether the firm is in scope, on what basis, and where the live uncertainties are. Six pages, not sixty. The chair should be able to read it on the train.
A gap analysis against the 24/72 reporting clock. Specifically: if a significant incident were detected today at 10am, what is the path to a preliminary notification to the competent authority within 24 hours? Who calls? Who signs off? Where is the template? Who covers if the named individual is on leave? If the answer to any of these is "we will work it out", the work is not yet done.
A supply-chain diligence position. The firm's own critical suppliers — named, classified by criticality, with the diligence already in place evidenced. This is the part that most firms have done in policy but not in operational evidence. The two are not the same.
A position on the data-centre, managed-service, and upstream-supplier reach. If the firm is not in scope on the face of the Bill, the board should still know which of its customers are, and what those customers will require of it as a result. That is the work that gets done late if it gets done at all.
A budget line. Compliance with the Bill will cost. The cost is not enormous, but it is real, and it is concentrated in incident-response readiness, supply-chain evidence systems, and governance capacity. The CFO should have seen the working.
What boards mis-read about this Bill
Three common misreadings.
**One: we are not in scope, therefore this does not apply to us.** As above, the supply-chain provisions reach considerably further than direct scope. Many firms that are not OES, DSP, MSP, or data centre operators will spend more time on this Bill in 2026 and 2027 than firms that are.
**Two: we already have incident response, so the 24-hour clock will not be a problem.** The 24-hour clock is not about incident response capability. It is about notification — a regulatory communication, drafted, approved, and sent, under stress, in time. Most firms with strong IR capability still struggle with the notification clock because the regulatory drafting and approval workflow has not been built. Build it now.
**Three: the penalties will be the issue.** They will, eventually, for the firms that have a bad incident and a bad response. For most firms, the more immediate effect is supervisory friction — letters, requests for evidence, follow-up meetings — which costs management time and reputation long before any fine is contemplated. That is the cost most firms underestimate.
What I am quietly hopeful about
The Bill is, overall, a better instrument than its 2018 predecessor. The widening of perimeter is overdue. The reporting clock is tighter than I would have liked it to be, but it is in line with the EU direction and creates a cleaner cross-border position. The supply-chain provisions are the right shape, even if the implementation will take a few iterations to settle.
The thing I am quietly hopeful about is that the Bill, properly implemented, will pull the median UK firm's cyber resilience up by visible distance. The 2018 regulations did that for the firms in scope. The 2026 Bill, if it lands well, will do it for considerably more.
That is the optimistic read. The pessimistic read is that compliance becomes a paper exercise and the underlying posture moves only marginally. Which read wins will depend, in part, on whether boards take it seriously enough now, before they have to.
That is the work to be doing this year, not next.