
Cyber Security & Resilience Bill: Where It Stands Now

Written by Philip Ridley, Cyber Risk Management Director | Jan 21, 2026 10:54:42 AM

TL;DR: The Bill cleared Second Reading in the House of Commons on 6 January 2026 and has been carried over in the 2024-26 session. It now moves to a Public Bill Committee for line-by-line scrutiny, with dates to be confirmed on the Bill page.

Quick Recap of the Journey so Far

The government introduced the Cyber Security and Resilience (Network and Information Systems) Bill on 12 November 2025. First Reading is a formality that places the Bill before the House, publishes its text and sets up the next stage. Since introduction, the Parliament and GOV.UK pages have been the authoritative sources for status, documents and explanatory factsheets. [Source: Parliament Bills]

On 6 January 2026, MPs held the Commons Second Reading debate. Second Reading is the moment the House agrees the Bill’s overall principles. Approval signals that the Commons wants more detailed scrutiny, which happens at Committee. On the same day, the House agreed the programme motion that governs the timetable, along with the money and ways-and-means resolutions needed to authorise spending and taxation elements. A carry-over motion allows the Bill to continue in the current session rather than fall and be reintroduced later.

What Second Reading Actually Means

Second Reading did not amend the text. It confirmed that the Commons supports the direction of travel: modernising the UK’s 2018 NIS Regulations, clarifying responsibilities for essential services and key suppliers, and updating enforcement so regulators have proportionate powers that are predictable to apply. The Bill remains a government Bill led by the Department for Science, Innovation and Technology, with sector regulators expected to implement the regime once enacted.

The government tied the debate to a broader push on public sector cyber resilience, announcing a Cyber Action Plan around the time of Second Reading. That plan sits alongside the legislation and signals an intent to couple policy with money, capability and operational follow-through. For organisations watching the timetable, the headline is simple: political momentum is there and the Bill is moving. [Source: Gov.uk]

Where the Bill Goes Next

The next step is the Commons Public Bill Committee, which will examine the Bill line by line, take evidence where useful, and can propose amendments. The Committee’s meeting dates and any call for evidence are posted on the official Bill page.

After Committee, the Bill returns to the floor of the House for Report Stage and Third Reading before moving to the House of Lords for the same sequence. The Bill only becomes law after both Houses agree the final text and the Monarch grants Royal Assent.

The exact Committee timetable had not been published at the time of writing. In practical terms, that means stakeholders still have a window to prepare input, align positions and review evidence. If you need a single bookmark to track movement, use the “Stages” tab on the Parliament page, which shows the formal milestones and links to the latest documents. [Source: Parliament Bills]

What is Unlikely to Change in Principle

Although Committees can and do refine drafting, the core architecture is now well signposted by the government’s factsheets. These set out policy intent for faster incident reporting, proportional enforcement and a clearer scope that includes medium and large managed service providers, plus a new designation for UK data centres as essential services. These factsheets are not the law, but they indicate the government’s settled aims that drafters will try to realise in the final text. [Source: Gov.uk]

  • Incident Reporting: A light-touch notification within 24 hours, followed by a fuller report within 72 hours, with the National Cyber Security Centre informed at the same time as regulators. The intent is earlier visibility, faster coordination and better sector-wide learning.

  • Scope: Bringing medium and large relevant managed service providers into the regime, reflecting their operational importance and cross-customer reach.

  • Data Centres: Recognising data infrastructure as a sector, with data centres treated as essential services under NIS-style obligations.

  • Enforcement: Simplifying penalties and giving regulators tools that are more consistent to apply so compliance is predictable and proportionate.

What to Watch During Committee

While the principles look settled, expect attention on four areas.

  1. Definitions & Thresholds
    Expect detailed debate on how terms like “relevant managed service provider” are drafted, how size thresholds work, and where exemptions or designations apply. Evidence from DSIT’s market research on MSPs provides a backdrop for sizing and proportionality questions. [Source: Gov.uk]

  2. Incident Reporting Triggers
    MPs and stakeholders may probe how the 24-hour notice interacts with operational recovery, how near-misses are treated, and what information is required at each stage. The factsheets frame intent, but technical drafting must balance speed with practicality for complex incidents. [Source: Gov.uk]

  3. Regulator Roles & Cost Recovery
    The Bill’s model relies on sector regulators enforcing outcomes with the NCSC in a central advisory role. Committees typically test how costs will be recovered, safeguards on fee regimes and how duplication across regimes is avoided. The enforcement factsheet previews the direction. [Source: Gov.uk]

  4. Alignment With Existing Regimes
    Questions often arise about overlap with data protection, procurement rules and sector-specific obligations. While this Bill does not replace those regimes, the government has stressed the aim is a more coherent, outcome-based approach to resilience. Expect drafting that seeks to reduce frictions rather than add new ones. [Source: Gov.uk]

What This Progress Means for UK Organisations Today

You do not have new duties today simply because the Bill passed Second Reading. Those duties begin only once Parliament passes the Bill, ministers commence the relevant sections through secondary legislation, and regulators publish their guidance and codes of practice. That said, the policy intent is clear and well documented, so waiting for commencement to start preparation is unlikely to be cost-effective.

Three practical moves while the Bill is at Committee:

  1. Track The Timetable At Source
    Use the Parliament “Stages” and “Publications” tabs to monitor the Committee schedule, any amendments and updated Explanatory Notes. That avoids relying on third-party summaries that may lag.

  2. Rehearse The 24/72-Hour Flow
    Run a short tabletop exercise with your SOC and legal team that produces a 24-hour notification and a 72-hour report. Even if final thresholds shift, the operational muscle memory will serve you well. Use the factsheet structure as a proxy for the artefacts you will need.

  3. Map Scope & Suppliers
    If you operate essential services or depend on medium or large MSPs and UK data centres, confirm who is likely in scope, how incident information would be shared and who owns notifications. Align contracts to reflect evidence-sharing and timelines.

The Political & Policy Signal

The linked Cyber Action Plan announcement underlines that this is not a one-off legislative gesture. Government is trying to harden public services and key suppliers with a mix of law, investment and operational guidance. For boards, the signal is that resilience is moving from aspiration to measurable outcomes supported by credible enforcement. That should inform 2026 planning and investment choices, especially where you have Microsoft Security already deployed and can show control effectiveness from a single platform.

The Bottom Line

  • The Bill is alive, moving and now entering the detailed drafting phase in the Commons.

  • The core pillars - faster incident reporting, clearer scope for MSPs, data centre regulation, proportionate enforcement - are unlikely to disappear, though wording and thresholds may tighten.

  • The most useful actions before Committee are to track the official page, test your 24/72-hour process, and align supplier contracts and playbooks so information flows are clear.

How CyberOne Can Help

If you run Microsoft 365 E3 or E5, we can map your current Microsoft Defender XDR, Microsoft Sentinel, Microsoft Entra and Microsoft Purview capabilities to the NCSC Cyber Assessment Framework and highlight any gaps in incident evidence, supplier visibility and reporting workflows. This is a light-touch, four-week exercise that produces a realistic plan without adding tools.
