June 8, 2026

Cyber Security and Resilience Bill: Commons update

The Cyber Security and Resilience Bill is scheduled for its Commons report stage and third reading on 10 June 2026, after which it moves to the House of Lords. Royal Assent is expected later in 2026, with the operational duties phased in over the following period by secondary legislation. For most suppliers in regulated supply chains, that schedule reads as a deadline that has not arrived yet. The more useful way to read it is as a window. The duties are not switched on at Royal Assent, and the months before commencement are the cheapest time to get your security posture evidenced.

This matters to the people who buy from you long before it becomes law. Procurement teams at regulated operators read the same parliamentary timeline, and they harden their supplier requirements ahead of commencement rather than after it. The first request you are likely to see is not a statutory notice. It is a question in a tender asking you to evidence certification you may not hold yet.

Where the Cyber Security and Resilience Bill stands in June 2026

The Bill was introduced to the Commons on 12 November 2025 and had its second reading on 6 January 2026. The Public Bill Committee scrutinised it through February 2026. As of early June 2026 it awaits its Commons report stage and third reading, scheduled for 10 June 2026. Once those stages are complete it passes to the House of Lords for the same process of scrutiny and amendment.

It is worth clearing up one common misreading. This is not the UK's adoption of NIS2. The UK did not bring the EU directive into domestic law. The Cyber Security and Resilience Bill is a domestic overhaul of the Network and Information Systems Regulations 2018, the framework that already governs operators of essential services and relevant digital service providers in the UK. The Bill updates and widens that existing regime rather than importing a European one.

Source for the stages and schedule: House of Commons Library briefing CBP-10442 (2026) and the UK Parliament bill page for Bill 4035.

What happens after the Commons: the Lords stage and the road to Royal Assent

After the Commons third reading, the Lords run their own readings, committee stage and report stage. Peers can table amendments. Where the two Houses disagree, the Bill moves back and forth between them until the wording is agreed, then it receives Royal Assent. The direction of the core architecture is settled. The detail can still move during this stage, so treat specific provisions as near-final rather than final until the Bill is enacted.

Royal Assent is the point at which the Bill becomes an Act, which is not the same as the point at which the duties apply. Much of the operational detail, including the size thresholds that decide which newly in-scope entities are caught and the commencement dates for each part, is left to secondary legislation. That is why implementation is expected to be phased over a period potentially running to 2028. Each phase is brought into force by regulations made after Royal Assent.

For a supplier, the practical reading is straightforward. Nothing changes on a single date; the duties arrive in a sequence, and the run-up to that sequence is preparation time.

What the Cyber Security and Resilience Bill changes: scope and incident reporting

The Bill widens the scope of the 2018 regime. New categories are brought in, including medium and large managed service providers, data centres, designated critical suppliers and large load controllers. The existing essential-services sectors continue to be covered, among them energy, transport, health, drinking water and digital infrastructure, alongside the digital services already in scope such as online marketplaces, online search engines and cloud computing services.

Incident reporting changes for in-scope entities once the relevant provisions commence. There are two distinct obligations. An initial notification of a significant incident is required within 24 hours. A fuller report follows within 72 hours. These are separate deadlines with separate content, not a single 72-hour rule. Data centres and digital and managed service providers also face a customer-notification duty, meaning they must inform affected customers of the likely impact of a significant incident.

Enforcement is restructured around simplified penalty bands. The Bill also gives the Secretary of State power to set a statement of strategic priorities for the regime. The numeric size thresholds for newly in-scope entities are not in the Bill itself; they will be set in secondary legislation.

What the run-up to Royal Assent means for your customers

If you sell into a regulated operator, the Bill reaches you through their procurement before it reaches you through the statute book. Regulated operators carry accountability for the security of the suppliers in their chain, so they push security expectations down to the firms they buy from. The Cyber Resilience Pledge, a voluntary commitment published by the government, is one public signal of operators moving early on this.

We covered the mechanism of how these duties travel down the supply chain in an earlier piece on the Bill and SMEs, which is the deeper read if you want the full flow-down picture. The short version: many smaller suppliers are not regulated directly under the Bill, because the named duties fall on larger in-scope entities. They are still asked to evidence their posture, because the regulated operator above them needs that evidence to satisfy its own obligations.

The end of this chain is a person filling in a security questionnaire for a tender. The smoother that questionnaire is to complete, with certification already in hand and evidence ready to attach, the faster the contract moves. The window before commencement is when you can get that evidence in order without a live deal waiting on it.

Why the window is preparation time, not waiting time

Two things make the months before commencement the right time to act rather than the right time to wait.

The first is procurement timing. Regulated buyers are already adding security requirements to contracts in anticipation of the Bill. A supplier who can answer those requirements with a current certificate wins time against competitors who start the certification process only when a tender lands.

The second is the cost of certification under pressure. Achieving Cyber Essentials or ISO 27001 takes weeks of preparation and evidence-gathering. Doing that work to a self-imposed schedule is cheaper and calmer than doing it against a buyer's clock with revenue on the line.

Getting evidenced now: Cyber Essentials and ISO 27001

For most suppliers in a regulated chain, the two pieces of evidence that carry the most weight are Cyber Essentials and ISO 27001.

Cyber Essentials is a UK government-backed certification scheme covering five technical controls: firewalls, secure configuration, access control, malware protection and security update management. It is a procurement prerequisite in many contracts and increasingly a baseline expectation in regulated supply chains. The Bill does not make it a statutory duty, but buyers ask for the certificate all the same.

ISO 27001 is the international standard for an information security management system. Where Cyber Essentials proves a baseline of technical hygiene, ISO 27001 demonstrates a managed, audited approach to information security across the organisation. Larger buyers and more sensitive contracts tend to ask for it. The two work together: the controls you put in place for one feed directly into the evidence for the other.

For the data-protection side of incident handling, the breach-notification and complaints obligations under UK GDPR sit alongside the Bill's incident-reporting duties. Our piece on the new data-protection complaints process covers what every controller needs in place from 19 June 2026.

Where Naq fits

The Naq platform automates Cyber Essentials, ISO 27001 and UK GDPR compliance from a single dashboard. Controls are mapped across frameworks, so one piece of evidence satisfies requirements in more than one standard at once rather than being collected several times over. For a supplier preparing for the procurement pressure that arrives ahead of the Bill's commencement, that means getting evidenced once and reusing that evidence wherever a buyer asks for it.

Where cross-sector organisations need named expert sign-off on data protection, Naq's in-house virtual DPOs sit alongside the platform.

To see how your Cyber Essentials and ISO 27001 evidence maps across your existing tooling and frameworks before the Bill commences, book a 15-minute demo.

FAQ

Has the Cyber Security and Resilience Bill become law?

No. The Bill is awaiting its Commons report stage and third reading, scheduled for 10 June 2026, after which it passes to the House of Lords. Royal Assent is expected later in 2026, and the duties are then phased in by secondary legislation rather than applying all at once.

Is the Bill the UK's version of NIS2?

No. The UK did not adopt the EU's NIS2 directive. The Cyber Security and Resilience Bill is a domestic overhaul of the Network and Information Systems Regulations 2018, the UK's existing regime for operators of essential services and relevant digital service providers.

What will the incident-reporting requirement be?

Once the relevant provisions commence, in-scope entities will face two distinct deadlines: an initial notification of a significant incident within 24 hours, then a fuller report within 72 hours. Data centres and digital and managed service providers will also have to inform affected customers of the likely impact.

My company is a small supplier. Does the Bill apply to me?

The named duties fall on larger in-scope entities such as managed service providers, data centres and designated critical suppliers, with size thresholds set later in secondary legislation. Many smaller suppliers are not regulated directly, but they are asked to evidence their security posture by the regulated operators they sell to. Our piece on the Bill and SMEs explains how those requirements travel down the supply chain.

Written by
The Naq Team