Cyber Security and Resilience Bill Faces Lords Second Reading

News Desk
Cyber Security Bill Faces Lords Second Reading
Credit: Nick Youngson/Unsplash

Key Points

  • The Cyber Security and Resilience (Network and Information Systems) Bill receives its second reading in the House of Lords on Tuesday 14 July 2026.
  • The bill amends the Network and Information Systems (NIS) Regulations 2018 and aims to strengthen cyber protections for essential services such as healthcare, drinking water and energy.
  • It would widen the scope of regulated sectors and update incident-reporting duties for organisations covered by the framework.
  • The bill grants the Secretary of State new powers to amend the legislation via secondary legislation and to issue directions to organisations on national security grounds.
  • Baroness Lloyd of Effra, Minister for Digital Economy, will open the debate and respond on the government’s behalf.
  • Peers expected to contribute include Baroness Alexander of Cleveden, Lord Arbuthnot of Edrom, Baroness Harding of Winscombe, Baroness Kidron and Lord Vaizey of Didcot.
  • The House of Lords Constitution Committee has raised concerns about the scale of powers handed to ministers and the frequency of parliamentary reporting required under the bill.
  • The bill was carried over from the 2024–26 session, completed its Commons stages on 10 June 2026, and was introduced in the Lords on 17 June 2026.
  • Cross-party support for the bill’s general principles has been noted, though disagreement remains over which sectors should be brought within scope.

Westminster (Britain Today News) July 10, 2026 — Members of the House of Lords are due to examine the principles of the Cyber Security and Resilience (Network and Information Systems) Bill during its second reading on Tuesday 14 July, in what will be the first substantive Lords debate on legislation billed by ministers as a response to an increasingly hostile cyber threat landscape facing the United Kingdom’s essential services. According to the UK Parliament website, the bill would amend the Network and Information Systems (NIS) Regulations 2018 to widen their coverage and update the duties placed on organisations when reporting cyber incidents, while also handing the Secretary of State fresh powers to adapt the framework and issue directions where national security is judged to be at stake.

What Is the Cyber Security and Resilience Bill?

The Cyber Security and Resilience (Network and Information Systems) Bill is government legislation intended to strengthen the cyber defences of organisations across the UK that deliver essential services, including healthcare, drinking water supply and energy. As described on the UK Parliament website, the bill would strengthen the cyber security of organisations in the UK that provide essential services, such as healthcare, drinking water and energy. Rather than replacing the existing regulatory framework outright, the bill builds on it, amending the 2018 NIS Regulations that have governed the security of network and information systems since the UK’s departure from direct EU oversight of the area.

The legislation sits under the Department for Science, Innovation and Technology (DSIT) and has progressed through both Houses of Parliament since its introduction. Liz Kendall, Labour MP for Leicester West, has sponsored the bill in the House of Commons, while Baroness Lloyd of Effra has carried responsibility for it in the House of Lords.

Why Has the Government Introduced This Legislation?

Ministers argue that the existing 2018 regulations have not kept pace with a fast-changing threat environment. According to a House of Lords Constitution Committee report examining the bill, the Government argues that the Bill is required to

“address the vulnerabilities in our cyber defences to minimise the impact of attacks”

and improve the resilience of the UK’s critical infrastructure. The same committee report notes that ministers regard the legislation as necessary because

“there are no appropriate powers currently available to update these regulations”

since the UK left the European Union, leaving a gap in the government’s ability to refresh cyber rules as threats evolve.

The Department for Science, Innovation and Technology first signalled its intention to legislate in this area following the King’s Speech in July 2024, before publishing a policy statement in April 2025 setting out the detail of the proposed measures.

What Changes Does the Bill Make to the 2018 NIS Regulations?

Rather than a wholesale rewrite, the bill is designed to modernise the existing NIS framework. The UK Parliament website confirms that the legislation would amend the Network and Information Systems (NIS) Regulations 2018 to include additional sectors and update incident reporting duties. This means organisations already covered by the 2018 regime, as well as newly regulated entities, would face revised obligations when reporting cyber incidents to regulators, alongside a broader definition of what constitutes a reportable event.

The House of Lords Library, in its briefing prepared ahead of second reading, states that the bill has two broad objectives, reflecting both the expansion of the regulatory net and the creation of new ministerial tools to keep the framework current without requiring fresh primary legislation each time.

Which Sectors Will Be Brought Into Scope?

A central feature of the bill is the extension of regulatory coverage to organisations not previously captured by the 2018 regime. The House of Lords Library briefing notes that the legislation would expand the scope of the regulations, bringing new categories of provider under formal oversight for the first time and requiring a wider range of incidents to be disclosed to regulators.

However, the same briefing makes clear that the question of scope remains contested. It states that while the general principle of the bill has received cross-party support and has been welcomed by industry and regulators, disagreement persists over whether further sectors, such as retail and manufacturing, ought to be included, and over the wider consequences of increased regulatory reach for businesses operating in those industries.

What New Powers Will the Secretary of State Have?

Beyond expanding the list of regulated sectors, the bill hands ministers significant discretionary authority. The UK Parliament website states that the legislation would confer powers on the secretary of state to amend the legislation and issue directions to organisations when necessary for national security. In practice, this would allow the framework to be updated through secondary legislation rather than requiring Parliament to pass a fresh bill each time cyber threats evolve.

The House of Lords Constitution Committee has examined this provision closely. Its report identifies clause 43 of the bill as giving the Secretary of State the power to issue directions to regulated persons requiring that specific actions be taken, or not taken, on national security grounds, and flags that the bill therefore raises questions of constitutional significance regarding both the scale of ministerial power and the degree of parliamentary scrutiny attached to it.

How Often Must Ministers Report to Parliament on the Bill?

Under clause 40 of the bill, the Secretary of State would be required to report to Parliament on the operation of the NIS regulations and related powers at least once every five years. The Constitution Committee has questioned whether this interval is sufficient, recommending that, given the pace at which cyber threats change and the breadth of powers granted to ministers, the reporting requirement should be strengthened to demand more frequent updates to Parliament than the five-year minimum currently proposed.

The committee has also noted that Baroness Lloyd of Effra, in her capacity as minister responsible for the bill in the Lords, has issued a statement confirming the legislation’s compliance with the Human Rights Act 1998, though the government has not yet published a full memorandum setting out its reasoning on compatibility with the European Convention on Human Rights, a gap the committee says limits Parliament’s ability to scrutinise the bill fully.

What Happens During a Second Reading Debate?

Second reading is the stage at which members of the House of Lords formally debate the underlying principles of a bill, rather than examining its detailed wording line by line. According to the UK Parliament website, during second reading members discuss the main topics of the bill and draw attention to concerns or specific areas where they believe amendments are needed. No votes on individual clauses take place at this stage; instead, the debate allows peers to set out broad support, opposition or reservations that may shape amendments tabled later, during committee stage.

Who Will Lead the Debate for the Government?

Baroness Lloyd of Effra, who holds the title of Minister for Digital Economy, will open the second reading debate and respond to contributions from other peers on behalf of the government. As the minister responsible for steering the bill through the House of Lords, she is expected to set out the government’s rationale for the legislation and address concerns raised during the debate, including those already flagged by the Constitution Committee regarding ministerial powers and reporting frequency.
Explore More about Technology:
Marshall Unveils Acton IV and Stanmore IV Home Speakers With Auracast Technology
Two-Thirds Back Under-16 Social Media Ban, But Backing Softens Over ID Checks

Which Peers Are Expected to Contribute to the Debate?

A number of peers with relevant professional backgrounds are expected to take part in the second reading debate. Baroness Alexander of Cleveden, who chairs the Electrotechnical Sector Joint Industry Board, brings a background rooted in the engineering and electrotechnical sectors that could be affected by the bill’s expanded scope. Lord Arbuthnot of Edrom, who chairs the advisory board of Thales Group UK, a defence and security systems manufacturer, has a long-standing interest in national security and defence-related technology policy.

Baroness Harding of Winscombe, formerly chief executive of the UK Health Security Agency and previously head of NHS Test and Trace, is expected to draw on her experience overseeing a major public health body during a period of significant operational and cyber-related pressure. Baroness Kidron, a crossbench peer and board member of the Data Protection Foundation, has built a reputation on digital rights and data protection issues. Lord Vaizey of Didcot, a former Minister of State for Culture and the Digital Economy, previously held ministerial responsibility for digital policy within government and is expected to bring that institutional experience to bear on the debate.

What Concerns Have Been Raised About the Bill?

Alongside the Constitution Committee’s concerns about ministerial powers and reporting intervals, the House of Lords Library briefing highlights broader criticism of the bill’s structure. It notes that some have also criticised a lack of legal clarity as many details would be determined later in secondary legislation, rather than being set out in full within the bill itself. This means that, even after the bill receives Royal Assent, significant elements of how the regime operates in practice would depend on regulations introduced separately, at a later date, potentially limiting the ability of Parliament and affected organisations to scrutinise the detail in advance.

What Happens Next in the Bill’s Passage?

Having completed its passage through the House of Commons, where it concluded report stage and third reading on 10 June 2026, the bill was introduced to the House of Lords on 17 June 2026. Should it clear second reading on 14 July, it would proceed to committee stage, where peers examine the text in detail and can table amendments, followed by report stage and a further, third reading in the Lords. Any amendments made in the Lords would then need to be considered by the Commons before the bill can receive Royal Assent and become law, after which its various provisions, including the expanded sector coverage and new reporting duties, would be brought into force according to a timetable to be confirmed by the government.