Cyber Security and Resilience (Network and Information Systems) Bill 2024-26

NC16

To move the following Clause— "Digital Sovereignty Strategy (relevant network and information systems) (1) The Secretary of State must prepare and maintain a Digital Sovereignty Strategy ("the Strategy”) in relation to relevant network and information systems. (2) The Strategy must- (a) set out the Government's assessment of the risks to relevant network and information systems arising from or related to— (i) dependence on hardware, software, or digital services that may be subject to foreign interference; (ii) extra-territorial legal requirements that may be imposed on non-domiciled suppliers; (iii) vulnerabilities, undue control, or supply-chain dependency on foreign states or entities; (b) technological developments, market concentration, or strategic dependencies that may affect the security or resilience of relevant network and information systems; set out the Government's approach to mitigating the risks identified under subsection (2); and (c) include an assessment of- (i) the role of open source software, open standards, and open architectures in strengthening the resilience, transparency, and security of relevant network and information systems; (ii) the security and maintenance needs of open source software components used, or proposed to be used, in relevant network and information systems; (iii) the skills, capabilities, and capacity of United Kingdom-based developers, maintainers, and technical experts required to support the use of open source components in relevant network and information systems; (iv) options to increase the use of open source components and to diversify open source suppliers, reduce strategic dependencies, and enhance domestic capability in key technologies used in relevant network and information systems; (v) options for international collaboration in the production of open source components used in relevant network and information systems; (vi) any legislative, regulatory, procurement, or policy measures the Government considers necessary to support digital sovereignty through open source components and reduce systemic risk in relation to relevant network and information systems. (3) The Secretary of State must publish the Strategy and any revisions to it, subject to the redaction of information the publication of which would be reasonably likely to prejudice national security. (4) The Strategy must be reviewed at least once in every three-year period but may be updated whenever the Secretary of State considers that significant new risks have arisen. (5) In this section— "relevant network and information system" means a network and information system belonging to- (a) an operator of an essential service, (b) a relevant digital service provider, (c) a relevant managed service provider, or (d) a critical supplier, within the meaning of the Network and Information Systems Regulations 2018; "digital sovereignty” means the ability of the United Kingdom to maintain secure, resilient, and reliable access to and control over the hardware, software, data, and digital services on which relevant network and information systems depend; "open source” has the meaning given to it in definition published by the Open Source Initiative."

NC14

To move the following Clause— "Register of foreign powers for the purposes of Part 4 (1) For the purposes of informing action taken under Part 4 of this Act, the Secretary of State must by regulations, and within six months of the passing of this Act, establish and subsequently maintain a register of foreign powers that the Secretary of State believes present a risk to the United Kingdom's critical network and information systems. (2) Foreign powers determined by the Secretary of State as eligible for inclusion on the register under subsection (1) must include states which have been confirmed by GCHQ as posing a risk to the security or resilience of the network or information systems of one or more operators of an essential service or critical suppliers, including where the relevant risk is posed by state affiliated groups. (3) Regulations under this section are subject to the affirmative resolution procedure. (4) In this section, "foreign power” means— (a) the sovereign or other head of a foreign state in their public capacity; (b) a foreign government, or part of a foreign government; (c) an agency or authority of a foreign government, or of part of a foreign government; (d) an authority responsible for administering the affairs of an area within a foreign country or territory, or persons exercising the functions of such an authority; or (e) a political party which is a governing political party of a foreign government. A political party is a governing political party of a foreign government if persons holding political or official posts in the foreign government or part of the foreign government- (i) hold those posts as a result of, or in the course of, their membership of the party, or (ii) in exercising the functions of those posts, are subject to the direction or control of, or significantly influenced by, the party."

NC15

To move the following Clause— "Review of the cyber security risk posed by foreign powers (1) The Secretary of State must, within 12 months of the passing of this Act and annually thereafter, review the extent and nature of the risk posed by relevant foreign powers to the network and information systems of operators of essential services and critical suppliers. (2) A review under this section must identify whether any risk arises from- (a) activities undertaken outside of the UK, or (b) foreign owned or controlled infrastructure or locations within the UK. (3) For the purposes of subsection (1), “relevant foreign powers” include states which have been confirmed by GCHQ as posing a risk to the security or resilience of the network or information systems of one or more operators of an essential service or critical suppliers, including where the relevant risk is posed by state departments, state agencies or affiliate groups. (4) Within three months of each review under subsection (1), the Secretary of State must- (a) lay before Parliament a report containing the findings and conclusions of the review; and (b) where information is not included in a report on the grounds of being prejudicial to the UK's national security, send such information to the Intelligence and Security Committee of Parliament.”

3

Page 41, Clause 18, line 15, at end insert— "Exemption from disclosure: right to a fair trial 6AB.—(1) Nothing in sub-paragraphs (1)(d) to (1)(f) of regulation 6, or regulation 6A, permits a NIS enforcement authority to share information with another NIS enforcement authority or with a person within paragraph (2) of regulation 6 if the Secretary of State determines that- (a) the receiving jurisdiction is one in which the right to a fair trial cannot be guaranteed, or (b) the disclosure could result in actions being taken that would be incompatible with the right to a fair trial. (2) For the purposes of making a determination under paragraph (1) above, the Secretary of State must have regard to the opinion of— (a) subject matter experts, and (b) competent civil society groups. (3) The Secretary of State must, within 12 months of the passing of the Cyber Security and Resilience (Network and Information Systems) Act 2026, publish and lay before Parliament an annual report detailing the determinations made under paragraph (1) above in the previous 12 months."

NC12

To move the following Clause— ""Last-resort” powers in respect of data centres and Al models (1) Regulations under section 29(1) may confer on the Secretary of State powers ("last-resort powers”) to direct the shutdown of- (a) data centres, or (b) Al systems used or deployed by a data centre, in the event of an Al security or operational emergency. (2) For the purposes of this section— "data centre” has the meaning given in paragraph 11 of the NIS Regulations (as amended by this Act); "Al system” means a machine-based system that, from the input it receives, can infer how to- (a) generate predictions, digital content, recommendations, decisions or other similar outputs, or (b) influence a physical or virtual environment, with a view to achieving an explicit or implicit objective; "used or deployed” means made available to- (a) a substantial number of individuals within the United Kingdom; or (b) providers and operators of essential services; "Al security or operational emergency” means a situation where the Secretary of State has reasonable grounds to believe that— (a) there is a security or operational compromise to one or more relevant network and information systems, (b) this compromise is caused, or contributed to, by the use or operation of an Al system used or deployed by a data centre, whether through autonomous or non-autonomous means; and (c) this compromise poses a catastrophic risk; "catastrophic risk” means a risk carrying a reasonable likelihood of causing or contributing to— (a) large-scale disruption to critical infrastructure or essential services; (b) significant degradation of the national security, national defence, or intelligence capabilities of the United Kingdom; or (c) severe, large-scale harm to human life; "data centre operator” means a person who operates a data centre; (3) As soon as reasonably practicable after, and in any event within seven days of, giving a direction under subsection (1), the Secretary of State must- (a) lay a report before Parliament setting out the direction and the reasons for it; and (b) take all reasonable steps to arrange for the report to be the subject of a debate in each House as soon as is reasonably practicable. (4) Regulations relating to last-resort powers must establish requirements on data centre operators in relation to data centres used for the training, deployment or operation of Al systems, including relating to- (a) the possession or installation of technical infrastructure necessary for compliance with last-resort powers; (b) the provision of secure communication channels for use by the Secretary of State when utilising last-resort powers; (c) the implementation of regular emergency exercises to ensure that a direction under this section can be received safely and implemented; and (d) post-mortem processes to be followed before a data centre is allowed to resume operations after the use of last-resort powers, including- (i) incident reporting; and (ii) implementation of mitigation measures to prevent recurrence. (5) A person commits an offence if they fail to comply with any requirement imposed by regulations made under subsection (4). (6) Regulations relating to last-resort powers may- (a) confer on the Secretary of State, or on a person designated by the Secretary of State, powers to act where they reasonably believe that an offence under subsection (5) is being, has been, or may be about to be committed; (b) include, for the purposes of paragraph (a), powers to— (i) close premises; (ii) turn off systems or require that they be turned off; (iii) take any other action necessary to control the risk arising from an Al security or operational emergency. (7) Regulations must require that, where powers under subsection (6) are exercised, the Secretary of State must— (a) give written notice of the action taken, and the reasons for the action taken, to the operator or provider as soon as reasonably practicable; and (b) inform the operator or provider of their right to apply to the High Court for relief. (8) The High Court may make any order it thinks fit on an application under subsection (7)(b), including- (a) confirming, varying or cancelling the requirements; (b) imposing additional requirements; (c) ordering compensation. (9) The Secretary of State must publish guidance on the use by licensing authorities, planning authorities and other public authorities of their statutory powers to facilitate compliance with regulations relating to this section. (10) A public authority must have regard to guidance issued under subsection (9) when exercising any function to which the guidance relates. (11) The Secretary of State must, within six months of the commencement of this section and subsequently at six-monthly intervals, prepare a report on the causes and potential causes of Al security or operational emergencies and lay a copy of the report before Parliament. (12) The causes and potential causes of Al security or operational emergencies considered in any report under subsection (11) must include- (a) adversarial uses of Al systems by state and non-state actors; (b) the capabilities for cyber-attacks by autonomous Al systems; and (c) the development of Al systems that can autonomously compromise national security, escape human oversight, and upend international stability, including systems described as “superintelligent Al”.”

NC13

To move the following Clause— "Digital Sovereignty Strategy on risks posed by foreign interference and reliance on foreign technologies (1) The Secretary of State must, within 12 months of the passing of this Act, publish a strategy ("a Digital Sovereignty Strategy”) which sets out the Government's approach to maintaining the security and resilience of relevant network and information systems by- (a) assessing, managing and mitigating risks- (i) associated with foreign interference, (ii) arising from reliance on foreign-supplied technologies, and (b) preventing over-reliance on foreign providers by building domestic capacity. (2) For the purposes of this section, a “relevant network and information system” is a network and information system belonging to- (a) an operator of an essential service, (b) a relevant digital service provider, (c) a relevant managed service provider, or (d) a critical supplier, within the meaning of the NIS Regulations. (3) A Digital Sovereignty Strategy published under this section must- (a) include risks associated with- (i) hardware, (ii) software, (iii) supply chains, and (iv) procurement processes; (b) include a specific focus on security and resilience in government digital procurement processes, detailing how the Government intends to reduce strategic dependencies on foreign-owned service providers to mitigate the risk of systemic disruption; (c) include a commitment to prioritise the use of technologies developed in the UK by UK organisations in relevant network and information systems to reduce reliance on foreign technologies, and (d) where risks are identified under subsection (1)(a)(i), state how the Government intends to address these risks by supporting the use of domestic technologies or systems for the purpose of ensuring the security of those systems."

NC1

To move the following Clause— "Statement on risks posed to systems by foreign interference (1) The Secretary of State must, within 12 months of the passing of this Act, publish a statement of the Government's plans in relation to risks to the security and resilience of relevant network and information systems arising from foreign interference. (2) For the purposes of this section, a “relevant network and information system" is a network and information system belonging to— (a) an operator of an essential service, (b) a relevant digital service provider, (c) a relevant managed service provider, or (d) a critical supplier, within the meaning of the NIS Regulations. (3) Any statement under this section must— (a) set out the Government's intentions to assess, manage and mitigate the risks posed, or which could potentially be posed, to the security and resilience of relevant network and information systems by foreign interference in such systems; (b) include risks associated with— (i) hardware, (ii) software, (iii) supply chains, (iv) procurement processes, and (v) the use of, or reliance on foreign technologies or systems; (c) include a specific focus on government digital procurement processes; (d) where risks are identified under (2)(b)(v), state whether the Government intends to address these risks by encouraging or supporting the use of domestic technologies or systems."

NC2

To move the following Clause— "Cyber security support service for SMEs (1) The Secretary of State must, by regulations, make provision for the establishment and operation of a cyber security support service for relevant small and medium-sized enterprises (SMEs) for the purposes of improving the security and resilience of their network and information systems. (2) For the purposes of this section, a relevant SME is one which is— (a) an operator of an essential service, (b) a relevant digital service provider, (c) a relevant managed service provider, or (d) a critical supplier, within the meaning of the NIS Regulations. (3) A support service established under this section must provide— (a) advice and technical assistance to SMEs following a cyber incident; and (b) guidance on recovery and remediation."

NC3

To move the following Clause— "Review of high-risk bodies (1) The Secretary of State must, within six months of the passing of this Act, publish and lay before Parliament a review of the national security risks posed to relevant network and information systems by foreign state ownership or control of relevant bodies. (2) A review under this section must assess— (a) the number of relevant bodies which are owned, in whole or in part, by a foreign state or a foreign state-owned enterprise; (b) the risk of such bodies being compelled to facilitate unauthorised access to, or surveillance of, network and information systems in the United Kingdom; and (c) the adequacy of current powers under Part 4 (Directions for national security purposes) to mitigate such risks posed to the security and resilience of essential activities. (3) In this section— "relevant body" means— (a) an operator of an essential service, (b) a relevant digital service provider, (c) a relevant managed service provider, or (d) a critical supplier, within the meaning of the NIS Regulations. "foreign state-owned enterprise” means a body corporate in which a foreign state has a controlling interest; "network and information systems" has the meaning given by section 24(1)."

NC4

To move the following Clause— “Critical manufacturing and retail sectors (1) The Secretary of State must, within six months of the passing of this Act, introduce regulations under section 24(3) to specify the following as essential activities— (a) the manufacture of critical transport equipment; (b) the industrial production and processing of food products; and (c) the retail sale of food and essential goods via large-scale distribution chains. (2) Regulations made under subsection (1) must designate appropriate regulatory authorities for these sectors."

NC5

To move the following Clause— "Local authorities to be regulated as essential services (1) The NIS Regulations are amended as follows. (2) In the table in Schedule 1 (designated competent authorities), after the entry relating to the energy sector, insert— "Local Government Local Government The Secretary of State for Housing, Communities and Local Government" (3) In Schedule 2 (essential services and threshold requirements), after paragraph 11 insert- "The Local Government Sector 12- (1) This paragraph describes the threshold requirements which apply to specified kinds of essential services in the local government subsector. (2) For the essential service of the maintenance of electoral registers, the threshold requirement is that the entity is a local authority responsible for the maintenance of an electoral register. (3) For the essential service of the management of social care records, the threshold requirement is that the entity is a local authority responsible for the management of social care records. (4) In this paragraph "local authority means" (a) in England, a county council, a district council, a London borough council, the Common Council of the City of London or the Council of the Isles of Scilly; (b) in Wales, a county council or a county borough council; (c) in Scotland, a council constituted under section 2 of the Local Government etc. (Scotland) Act 1994; (d) in Northern Ireland, a district council constituted under section 1 of the Local Government Act (Northern Ireland) 1972.""

NC6

To move the following Clause— "Computer Misuse Act 1990: security and resilience of network and information systems (1) The Secretary of State must, within twelve months of the passing of this Act, review whether amendments to the Computer Misuse Act 1990 may be conducive to ensuring, maintaining or improving the security and resilience of network and information systems used or relied upon in connection with the carrying on of essential activities. (2) Following the conclusion of the review under subsection (1), the Secretary of State must lay before Parliament a report which outlines– (a) the potential amendments to the Computer Misuse Act 1990 which were considered as part of the review; (b) the review's conclusions as to whether the potential amendments considered could be beneficial in ensuring, maintaining or improving the security and resilience of relevant network and information systems; and (c) the Government's intentions to make amendments to the Computer Misuse Act 1990 or act on any other recommendations of the review.”

NC7

To move the following Clause— “Consultation on resourcing of regulatory authorities and regulated persons (1) The Secretary of State must, within one year of the passing of this Act, carry out a consultation with regulatory authorities and regulated persons for the purpose of assessing- (a) whether regulatory authorities and regulated persons have resources and capabilities adequate to fulfil their requirements under this Act; and (b) whether further government support is needed. (2) The Secretary of State must publish a report setting out the findings of the assessment carried out under subsection (1)"

NC8

To move the following Clause— "Electoral infrastructure to be regulated as an essential service (1) The NIS Regulations are amended as follows. (2) In the table in Schedule 1 (designated competent authorities), after the entry relating to digital infrastructure insert— "Elections Electoral infrastructure The Electoral Commission" (3) In Schedule 2 (essential services and threshold requirements), after paragraph 11 insert- "The electoral infrastructure subsector 12- (1) This paragraph describes the threshold requirements which apply to specified kinds of essential services in the electoral infrastructure subsector. (2) For the essential service of the administration of an election or the maintenance of an electoral register in the United Kingdom, the threshold requirement is that the service relies on network and information systems to- (a) maintain a register of electors containing more than 50,000 entries; (b) issue, receive, or process postal ballots for a parliamentary or local government election; or (c) count or aggregate votes cast in a parliamentary, mayoral or local government election. (3) In this paragraph- "parliamentary election” means an election of a Member to serve in the Parliament of the United Kingdom; "network and information system” has the meaning given by section 24(1) of the Cyber Security and Resilience (Network and Information Systems) Act 2026. (4) In regulation 8A (nomination by an OES of a person to act on its behalf in the United Kingdom), after paragraph 1(b) insert— "(c) provides an essential service of a kind referred to in paragraph 11 of Schedule 2 (elections sector) within the United Kingdom.""

NC9

To move the following Clause— "Political parties to be regulated as an essential service (1) The NIS Regulations are amended as follows. (2) In the table in Schedule 1 (designated competent authorities), after the entry relating to digital infrastructure insert— "Government Political parties The Secretary of State for Housing, Communities and Local Government" (3) In Schedule 2 (essential services and threshold requirements), after paragraph 11 insert- "The political parties subsector 12 - (1) This paragraph describes the threshold requirements which apply to specified kinds of essential services in the political parties subsector. (2) For the essential service of the management and operation of a registered political party in the United Kingdom, the threshold requirement is that the political party is represented by at least two Members of the House of Commons. (3) In this paragraph- "registered political party” means a party registered under Part 2 of the Political Parties, Elections and Referendums Act 2000.""

NC10

To move the following Clause— "Board oversight of security and resilience of network and information systems (1) Where a relevant body is governed by a board or equivalent management body, that body must exercise oversight of arrangements relating to the security and resilience of the body's network and information systems. (2) In exercising oversight, the management body must— (a) approve the approach taken by the body to the management of risks to the security and resilience of the body's network and information systems; and (b) satisfy itself, on a periodic basis, that appropriate and proportionate measures are in place to manage those risks. (3) The management body may be held accountable for failures by the body to comply with duties relating to the security and resilience of its network and information systems. (4) Members of the management body must undertake training designed to enable them to identify risks and assess appropriate risk-management practices. (5) For the purposes of this section, a relevant body is one which is— (a) an operator of an essential service, (b) a relevant digital service provider, (c) a relevant managed service provider, or (d) a critical supplier, within the meaning of the NIS Regulations.”

NC11

To move the following Clause— “Requirement for regular testing of network and information systems (1) A relevant body must undertake regular testing of the security and resilience of the network and information systems on which it relies in the provision of its services. (2) Testing undertaken in accordance with this section must— (a) be proportionate, having regard to the size, nature and risk profile of the business; and (b) be conducted periodically, at intervals that are appropriate to the risks identified by the body. (3) A relevant body must document – (a) the outcomes of testing undertaken in accordance with this section; and (b) any remedial actions required or taken in response to the testing. (4) Information documented under subsection (3) must be provided to the relevant regulatory authority upon request. (5) For the purposes of this section, a relevant body is one which is – (a) an operator of an essential service, (b) a relevant digital service provider, (c) a relevant managed service provider, or (d) a critical supplier, within the meaning of the NIS Regulations.”

1

Clause 8, page 7, line 36, at end insert- "(1A) In paragraph (1), after “risks” insert “, including risks arising from fraud,””

2

Clause 40, page 63, line 7, leave out “5” and insert "3"

NC8

To move the following Clause—
“Local authorities to be regulated as essential services
(1) The NIS Regulations are amended as follows.
(2) In the table in Schedule 1 (designated competent authorities), after the entry relating to the energy sector, insert—

This new clause would bring local authorities within the scope of the NIS Regulations as operators of essential services in relation to their functions managing electoral rolls and social care records. This ensures that public sector bodies holding sensitive data such as electoral rolls and social care records are subject to the same statutory protections as other critical infrastructure.

NC9

To move the following Clause—
“Critical manufacturing and retail sectors
(1) The Secretary of State must, within six months of the passing of this Act, introduce regulations under section 24(3) to specify the following as essential activities—
(a) the manufacture of critical transport equipment;
(b) the industrial production and processing of food products; and
(c) the retail sale of food and essential goods via large-scale distribution chains.
(2) Regulations made under subsection (1) must designate appropriate regulatory authorities for these sectors.”

This new clause would require the Secretary of State to designate the manufacturing of critical transport equipment and retail of food and essential goods (when part of a large-scale distribution chain) as essential activities, bringing them within the scope of Part 3 of the Bill.

NC10

To move the following Clause—
“Consultation on resourcing of regulatory authorities and regulated persons
(1) The Secretary of State must, within one year of the passing of this Act, carry out a consultation with regulatory authorities and regulated persons for the purpose of assessing—
(a) whether regulatory authorities and regulated persons have resources and capabilities adequate to fulfil their requirements under this Act; and
(b) whether further government support is needed.
(2) The Secretary of State must publish a report setting out the findings of the assessment carried out under subsection (1).”

This new clause would require the Secretary of State to consult and report within one year on whether regulatory authorities and regulated persons have sufficient resources and capabilities to meet their statutory obligations, and whether additional government support is required.

NC11

To move the following Clause—
“Electoral infrastructure to be regulated as an essential service
(1) The NIS Regulations are amended as follows.
(2) In the table in Schedule 1 (designated competent authorities), after the entry relating to digital infrastructure insert—

This new clause would designate the administration of elections and maintenance of voter registers as an “essential service” within the meaning of the NIS Regulations.

NC12

To move the following Clause—
“Political parties to be regulated as an essential service
(1) The NIS Regulations are amended as follows.
(2) In the table in Schedule 1 (designated competent authorities), after the entry relating to digital infrastructure insert—

This new clause would designate political parties as providing essential services for the purposes of cyber security.

NC13

To move the following Clause—
“Statement on risks posed to systems by foreign interference
(1) The Secretary of State must, within 12 months of the passing of this Act, publish a statement of the Government’s plans in relation to risks to the security and resilience of network and information systems arising from foreign interference.
(2) Any statement under this section must—
(a) set out the Government’s intentions to assess, manage and mitigate the risks posed, or which could potentially be posed, to the security and resilience of network and information systems by foreign interference in such systems;
(b) include risks associated with—
(i) hardware,
(ii) software,
(iii) supply chains,
(iv) procurement processes, and
(v) the use of, or reliance on, foreign technologies or systems;
(c) include a specific focus on government digital procurement processes.
(d) where risks are identified under (2)(b)(v), state whether the Government intends to address these risks by encouraging or supporting the use of domestic technologies or systems.”

This new clause would require the Government to publish a statement of how it intends to address and mitigate any risks to network and information systems posed by foreign interference.

NC14

To move the following Clause—
“Cyber security support service for SMEs
(1) The Secretary of State must, by regulations, make provision for the establishment and operation of a cyber security support service for relevant small and medium-sized enterprises (SMEs) for the purposes of improving the security and resilience of their network and information systems.
(2) For the purposes of this section, a relevant SME is one which is—
(a) an operator of an essential service,
(b) a relevant digital service provider,
(c) a relevant managed service provider, or
(d) a critical supplier
within the meaning of the NIS Regulations.
(3) A support service established under this section must provide—
(a) advice and technical assistance to SMEs following a cyber incident; and
(b) guidance on recovery and remediation.”

This new clause would require the Secretary of State to establish a cyber security support service for relevant SMEs.

NC15

To move the following Clause—
“Review of high-risk bodies
(1) The Secretary of State must, within six months of the passing of this Act, publish and lay before Parliament a review of the national security risks posed to relevant network and information systems by foreign state ownership or control of relevant bodies.
(2) A review under this section must assess—
(a) the number of relevant bodies which are owned, in whole or in part, by a foreign state or a foreign state-owned enterprise;
(b) the risk of such bodies being compelled to facilitate unauthorised access to, or surveillance of, network and information systems in the United Kingdom; and
(c) the adequacy of current powers under Part 4 (Directions for national security purposes) to mitigate such risks posed to the security and resilience of essential activities.
(3) In this section—
“relevant body” means—
(a) an operator of an essential service,
(b) a relevant digital service provider,
(c) a relevant managed service provider, or
(d) a critical supplier
within the meaning of the NIS Regulations.
“foreign state-owned enterprise” means a body corporate in which a foreign state has a controlling interest;
“network and information systems” has the meaning given by section 24(1).”

This new clause would require the Government to review the security risks posed by critical suppliers and essential service providers linked to foreign states and evaluate whether current powers are sufficient to address these threats.

NC16

To move the following Clause—
“Board oversight of security and resilience of network and information systems
(1) Where a relevant body is governed by a board or equivalent management body, that body must exercise oversight of arrangements relating to the security and resilience of the body’s network and information systems.
(2) In exercising oversight, the management body must—
(a) approve the approach taken by the body to the management of risks to the security and resilience of the body’s network and information systems; and
(b) satisfy itself, on a periodic basis, that appropriate and proportionate measures are in place to manage those risks.
(3) The management body may be held accountable for failures by the body to comply with duties relating to the security and resilience of its network and information systems.
(4) Members of the management body must undertake training designed to enable them to identify risks and assess appropriate risk-management practices.
(5) For the purposes of this section, a relevant body is one which is –
(a) an operator of an essential service,
(b) a relevant digital service provider,
(c) a relevant managed service provider, or
(d) a critical supplier
within the meaning of the NIS Regulations.”

This new clause would require active board oversight of, and accountability for, security and resilience measures, where a relevant body is governed by a board or similar body.

NC17

To move the following Clause—
“Requirement for regular testing of network and information systems
(1) A relevant body must undertake regular testing of the security and resilience of the network and information systems on which it relies in the provision of its services.
(2) Testing undertaken in accordance with this section must –
(a) be proportionate, having regard to the size, nature and risk profile of the business; and
(b) be conducted periodically, at intervals that are appropriate to the risks identified by the body.
(3) A relevant body must document –
(a) the outcomes of testing undertaken in accordance with this section; and
(b) any remedial actions required or taken in response to the testing.
(4) Information documented under subsection (3) must be provided to the relevant regulatory authority upon request.
(5) For the purposes of this section, a relevant body is one which is –
(a) an operator of an essential service,
(b) a relevant digital service provider,
(c) a relevant managed service provider, or
(d) a critical supplier
within the meaning of the NIS Regulations.”

This new clause would require bodies to carry out proportionate, periodic testing of the security and resilience of their network and information systems and provide the results to regulatory bodies upon request.

NC18

To move the following Clause—
“Computer Misuse Act 1990: security and resilience of network and information systems
(1) The Secretary of State must, within twelve months of the passing of this Act, review whether amendments to the Computer Misuse Act 1990 may be conducive to ensuring, maintaining or improving the security and resilience of network and information systems used or relied upon in connection with the carrying on of essential activities.
(2) Following the conclusion of the review under subsection (1), the Secretary of State must lay before Parliament a report which outlines–
(a) the potential amendments to the Computer Misuse Act 1990 which were considered as part of the review;
(b) the review’s conclusions as to whether the potential amendments considered could be beneficial in ensuring, maintaining or improving the security and resilience of relevant network and information systems; and
(c) the Government’s intentions to make amendments to the Computer Misuse Act 1990 or act on any other recommendations of the review.”

This new clause would require the Secretary of State to review, within 12 months, whether amending the Computer Misuse Act 1990 could improve the resilience of network and information systems, and to report the government’s intentions to Parliament.