Cyber Security and Resilience (Network and Information Systems) Bill (First sitting) Debate

Full Debate: Read Full Debate
Department: Department for Science, Innovation & Technology

Andrew Cooper

Main Page: Andrew Cooper (Labour - Mid Cheshire)

Department Debates - View all Andrew Cooper's debates with the Department for Science, Innovation & Technology


Finance (No. 2) Bill (Fifth sitting)

Cyber Security and Resilience (Network and Information Systems) Bill (First sitting)

Andrew Cooper Excerpts

Cyber Security and Resilience (Network and Information Systems) Bill (Second sitting)
Committee stage
Tuesday 3rd February 2026

(1 day, 20 hours ago)

Public Bill Committees
Share Debate
Read Full debate Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 View all Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: Public Bill Committee Amendments as at 3 February 2026 - (3 Feb 2026)
Lincoln Jopp Portrait Lincoln Jopp
- Hansard -
- - Excerpts

Do either of the other witnesses have anything to say on that?

Jill Broom indicated dissent.

Dr Sanjana Mehta indicated dissent.

Andrew Cooper Portrait Andrew Cooper (Mid Cheshire) (Lab)
- Hansard -
-

Q I have a question for Jill Broom. You were talking about the incident reporting requirements. Do you think the legislation strikes the right balance to encourage organisations to come forward when they have been attacked, so that the sector can learn from that and vulnerabilities can be patched out in other areas, or is it so stringent that organisations will be concerned about facing penalties if they are fully transparent?

Jill Broom: I think, again, there is something to be said about the devil being in the detail. A lot is coming with the secondary legislation, so we will learn more about the specifics on incident reporting and penalties that will come into play. There needs to be a balance between those in terms of the risk and the impact. In the Bill itself, there probably need to be some greater safeguards or references to frameworks about how those types of decisions will be made.

Andrew Cooper Portrait Andrew Cooper
- Hansard -
-

Q Stuart, you were nodding, which suggests you have something to contribute.

Stuart McKean: It is an interesting cultural challenge. You want people to be open and to report incidents that are having an impact, but at the same time, if they report those incidents they might get fined, which could be economically challenging, particularly for a small business. Yes, we want to open and to report incidents, but—and this is where the detail comes in—what is the level of detail that needs to be reported and what is the impact of reporting it? When you report it to the regulators, what are they going to do with it? How will they share it and how will it benefit everybody else? The devil is definitely in the detail, and it is a cultural change that is required.

Sarah Russell Portrait Sarah Russell (Congleton) (Lab)
- Hansard -
- - Excerpts

Q Obviously no one wants to put crippling costs on to businesses, but cyber-security costs money—there is no way of avoiding that. We only have to look at the JLR attack to see the scale of the impact on our economy when it does not work, and we are looking at only critical national infrastructure here. Have you had any information from business about whether and to what extent this will promote increased spending on cyber-security?

Jill Broom: We can assume that it will, because if you are in the supply chain or come within scope, you will have certain responsibilities and you will have to invest, not just in technology but in the skills space as well. How easy it is to do that is probably overestimated a bit; it is quite difficult to find the right skilled people, and that applies across regulators as well as business.

Generally speaking, yes, I think it will be costly, but there are things that could probably help smaller organisations: techUK has called for things such as financial incentives, or potentially tax credits, to help SMEs. That could be applied on a priority basis, with those working within the critical national infrastructure supply chain looked at first.

Dr Sanjana Mehta: If I may expand on that, we have been consulting our members and the wider community, and 58% of our respondents in the UK say that they still have critical and significant skills needs in their organisations. Nearly half of the respondents—47%—say that skills shortages are going to be one of the greatest hurdles in regulatory compliance. That is corroborated by evidence, even in the impact assessment that has been done on the previous regulatory regime, where I think nearly half of the operators of essential services said that they do not have access to skills in-house to support the regulatory requirements. Continuing to have sustained investment in skills development is definitely going to require funding. Taking it a step back, we need first of all to understand what sort of skills and expertise we have to develop to ensure that implementation of the Bill is successful.

--- Later in debate ---
Dave Robertson Portrait Dave Robertson (Lichfield) (Lab)
- Hansard -
- - Excerpts

Q I have a bit of a blended question. Earlier, Stuart, you said that some of the wording in the Bill says that only 11% of managed service providers are likely to be covered by the legislation, but in previous answers we have heard about skills shortages and where we will need to build those skills. Although I think we all want as many organisations covered as possible, where is the line? Do we currently have enough professionals working in this space to be able to deliver this level of compliance across 11% of MSPs? Given the number of people available for this very specialised work, is the 11% figure in the right ballpark, or do we need to make that wider or thinner to ensure compliance?

It is very easy to write a piece of legislation, but if we do not have the professionals needed to deliver the level of compliance at the thresholds we are setting in this place, that raises other potential issues. Do you have a view about whether the 11% you mentioned is in the right ballpark for the number of professionals we have, or whether it needs to move either way?

Stuart McKean: I am referring to the Government’s report on MSPs that was done a couple of years ago. There are some 12,500 MSPs in the UK. Of those that are in scope of the Bill, 11% are medium-sized and large, but they account for something like 85% of the revenue that MSPs generate in the UK. Proportionally, the larger and medium-sized organisations will have the skillsets needed to deliver the requirements set out in the Bill. As it comes down the supply chain, most managed service providers are suitably qualified to deliver, but they will not be in scope of the Bill. Certainly the critical national infrastructure will not be in that sort of space. We have a good industry, and I think most of the MSPs are in that space, but I would highlight that MSPs are generally IT companies, and cyber-security is not an IT problem. It is much bigger than IT.

Although MSPs can be at one end, this goes back to a question that was asked before about why companies do not just do this anyway, and so be more secure. The reality is that they do not generally understand it; they do not understand the risk and they do not have the qualified people, and it goes on in a sort of vicious circle. A lot of those companies will just go, “Yeah, I’ve got an MSP. They deal with that.” It is an interesting challenge, but, to your question directly, I think medium-sized and large MSPs will not have an issue.

Dr Sanjana Mehta: If I may weigh in on this, I just want to take a step back and comment on the state of the profession in the UK. I appreciate that we are having this discussion specifically in relation to the regulated entities, but there is a broader picture. Parts of the industry are not in scope, but they need to have the right skills as well. We are starting off on a good foundation. The work done by industry, academia and professional associations over the past few years has helped to grow the profession steadily. The report by the Department for Science, Innovation and Technology mentions that the number of cyber-security professionals directly employed in the sector has increased by 11% over the past year.

That said, there is more to be done. I urge the Government to think about the skills piece, not only in relation to the Bill but as a wider challenge. We are very proud of our 10,000-plus members in the UK, who work very hard day and night to secure their organisations despite all the challenges and pressures, but the Bill does give Government a pivotal opportunity to elevate the status of the profession and to professionalise the sector.

Andrew Cooper Portrait Andrew Cooper
- Hansard -
-

Q Stuart, as an MSP, you will be familiar with the fact that the large cloud service providers tend to allow you to live failover to different regions. By default you might be hosting in the UK region, but, depending on an outage, you might live failover to the European Union or to the US, depending on the cloud service provider you are using and how it is set up. How does the legislation deal with that and allow you as an MSP to be compliant with it?

Stuart McKean: It is about understanding what your service is delivering. Again, one of the key terms in the Bill is resilience. Needing resilience is a key part of the Bill. Whether you need a service that has international boundaries and you need to fail over to another country will be down to the organisations defining where they want their services to be. If they are happy that they are failed over into the US or another country, that is fine; but the reality is that it will be down to the organisation that has a requirement for a resilient service understanding where its data is. As long as it understands where its data is and what it is asking of the MSP, I am not sure the Bill will cover that as such. It is talking about resilience in general. I do not think it goes into the detail of where your data is.

Bradley Thomas Portrait Bradley Thomas
- Hansard -
- - Excerpts

Q Do the witnesses have a view on the benchmarks that, at the moment, do not appear to sit behind the scale of incidents that must be reported? Do you have a view on the absence of any benchmarks and the impact that they may have on smaller firms, or on the risk of over-reporting?

Stuart McKean: Under the designation of a critical supplier, the Bill says:

“any such disruption is likely to have a significant impact on the economy or the day-to-day functioning of society in the whole or any part of the United Kingdom”.

That is a pretty big statement. As a small business owner, how do I know whether what I do is going to have an economic effect on the UK? It will have an economic effect on my business, but whether it has a wider impact is a big statement. I am not sure that it is clear enough.

Return to start of debate - Return to top of page