A parliamentary committee has asked for industry input to help it better scrutinize the Cyber Security and Resilience Bill (CSRB).
First trailed in the King’s Speech in 2024, the CSRB is the long-awaited successor to the NIS Regulations 2018 and promises a NIS2-style revamp of UK cyber regulation for critical infrastructure sectors.
Having completed its second reading in parliament last week, it has now reached the committee stage, where the legislation will be subject to further review.
The Public Bill Committee is asking for anyone with “relevant expertise and experience or a special interest” in the bill to submit written views to it as soon as possible. It will begin receiving oral evidence from February 3, and although scrutiny is set to continue into March, early engagement is encouraged.
“Anyone considering submitting written evidence is strongly advised to do so as soon as possible, as the committee can conclude its considerations earlier than the expected deadline,” it warned.
Read more on the CSRB: UK Government Finally Introduces Cyber Security and Resilience Bill
The committee is expected to report by March 5, after which the bill will receive its third reading in the House of Commons, before reaching the Lords in spring/summer. Royal Assent is scheduled for late 2026.
Given that enhancing cybersecurity has broad cross-party support, it’s unlikely that the bill will be forced to undergo significant revision due to political differences in the House, making industry feedback particularly important.
The bill currently seeks to implement several key updates to the NIS Regulations 2018. These include:
- An expanded scope to include MSPs, datacenters, large load controllers (e.g., EV charging points) and other organizations yet to be defined by regulators
- Stricter rules around incident reporting timelines and a wider scope for reportable incidents
- A mandate for in-scope organizations to manage supply chain risk more proactively
- A requirement for in-scope organizations to meet “proportionate and up-to-date security requirements” drawn from the NCSC Cyber Assessment Framework (CAF)
- Stronger powers for regulators, and potentially higher penalties
Much Still to Be Decided
Trend Micro’s UK cybersecurity director, Jonathan Lee, welcomed the consultation.
“Involving those on the frontline who work with clients on a day-to-day basis is imperative in making sure that the legislation achieves its desired outcomes,” he told Infosecurity.
“I’d caution that the consultation needs to make sure that it reaches all areas of the cybersecurity practitioner community, not just big tech companies. It should seek to ensure that voices from SMEs and MSPs to incident responders, as well as cybersecurity companies are all heard.”
Lee noted that there are several areas where the bill needs revising: “Clearer, risk‑based definitions for managed services and critical suppliers; streamlined and proportionate incident‑reporting thresholds to avoid over‑reporting; consistency across regulators and better alignment with overlapping regimes to cut duplication and cost‑recovery disincentives; and transparent information‑sharing mechanisms that protect sensitive data while improving resilience.”
Mark Bailey, partner at Charles Russell Speechlys, agreed that there are still significant gaps in the legislation.
“A significant amount of the operational detail is still to be set out in secondary legislation, covering areas like incident reporting thresholds, critical supplier definitions and managed service provider obligations,” he told Infosecurity.
“This is where we may see more refinement, especially in response to industry feedback. Key questions around technical standards, portal-based reporting mechanisms and enforcement timelines are likely to be shaped in this next phase.”
More information on submitting written evidence can be found here.
