Cyber Security and Resilience (Network and Information Systems) Bill (First sitting) Debate
Full Debate: Read Full DebateDepartment: Department for Science, Innovation & Technology
Bradley Thomas
Main Page: Bradley Thomas (Conservative - Bromsgrove)Department Debates - View all Bradley Thomas's debates with the Department for Science, Innovation & Technology
Cyber Security and Resilience (Network and Information Systems) Bill (First sitting)
Bradley Thomas ExcerptsTuesday 3rd February 2026
(1 day, 12 hours ago)
Public Bill CommitteesRead Full debate Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 View all Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: Public Bill Committee Amendments as at 3 February 2026 - (3 Feb 2026)
Chris Vince (Harlow) (Lab/Co-op)
Q
David Cook: There is reform all over the world. At its core, we have got a European law that is transposed in UK national legislation, the General Data Protection Regulation. That talks about personal data and has been seen as the gold standard all over the world. Different jurisdictions have implemented, not quite a copycat law, but one that looks a lot like the GDPR, so organisations have something that they can target, and then within their territory they are often going to hit a compliance threshold as well. Because of changes in the geopolitical environment, we are seeing—for example in Europe, but also in Australia and the United States—specific laws coming in that look at the supply chain in different sectors and provide for more onerous obligations. We are seeing that in the environment. NIS2 is being transposed into national laws. Organisations take a long time to get to the point of compliance. We are probably behind the curve, but this is not a new concept. Adapting to change within tech and change within how organisations themselves are relying on a supply chain that is more vulnerable and fragile is common.
Bradley Thomas (Bromsgrove) (Con)
Q
Jen Ellis: For sure, it should not come down to whether you are public or private; it should be about impact. Figuring out how to measure that is challenging. I will leave that problem with policymakers—you’re welcome. I do not think it is about the number of employees. We have to think about impact in a much more pragmatic way. In the tech sector, relatively small companies can have a very profound impact because they happen to be the thing that is used by everybody. Part of the problem with security is that you have small teams running things that are used ubiquitously.
We have to think a little differently about this. We have seen outages in recent years that are not necessarily maliciously driven, but have demonstrated to us how reliant we are on technology and how widespread the impact can be, even of something like a local managed service provider. One that happened to provide managed services for a whole region’s local government went down in Germany and it knocked out all local services for some time. You are absolutely right: we should be looking at privately held companies as well. We should be thinking about impact, but measuring impact and figuring out who is in scope and who is not will be really challenging. We will have to start looking down the supply chain, where it gets a lot more complex.
Tim Roca (Macclesfield) (Lab)
Q
Jen Ellis: As a starting point, I will clarify that I am a fellow at RUSI. I work closely with Jamie, but I do not work for RUSI. I also take no responsibility for Jamie’s comments.
On the comparisons, David alluded to the fact that Europe is a little bit ahead of us. NIS2, its update to NIS1, came into force three years ago with a dangling timeline: nations had until October 2024 to implement it. My understanding is that not everybody has implemented it amazingly effectively as yet. There is some lag across the member states. I do not think we are too out of scope of what NIS2 includes. However, we are talking about primary legislation now; a lot of the detail will be in the secondary legislation. We do not necessarily know exactly how those two things will line up against each other.
The UK seems to be taking a bit of a different approach. The EU has very specifically tried to make the detail as clearly mandated as possible, because it wants all the member states to adopt the same basis of requirements, which is different from NIS1, whereas it seems as though the UK wants to provide a little bit of flexibility for the regulators to “choose their own adventure”. I am not sure that is the best approach. We might end up with a pretty disparate set of experiences. That might be really confusing for organisations that are covered by more than one competent authority.
The main things that NIS2 and CSRB are looking at are pretty aligned. There is a lot of focus on the same things. It is about expanding scope to make sure that we keep up with what we believe “essential” now looks at, and there is a lot of focus on increased incident reporting and information sharing. Again, the devil will be in the detail in the secondary legislation.
The other thing I would say goes back to the earlier question about what is happening internationally. The nations that David mentioned, like Australia or the jurisdiction around the EU, are really proactive on cyber policy—as is the UK. They are taking a really holistic view, which David alluded to in his introduction, and are really looking at how all the pieces fit together. I am not sure that it is always super clear that the UK is doing the same. I think there is an effort to do so, and UK policymakers are very proactive on cyber policy and are looking at different areas to work on, but the view of how it all goes together may not be as clear. One area where we are definitely behind is legislating around vendor behaviour and what we expect from the people who are making and selling technology.
Dr Gardner
Q
Jill Broom: Some of our members have pointed out that the number of organisations under cyber-regulations is very small, and it is only going to increase a small amount with the advent of this particular Bill. Similarly, in the different jurisdictions there are duties at the board level. There is an argument for it. The key thing is that we need to be mindful of it being risk-based, and also that there are organisations that could be disproportionately affected by this. I think it needs a little more testing, particularly with our members, as to whether a statutory requirement is needed.
Bradley Thomas
Q
Dr Sanjana Mehta: May I weigh in on the second question first? It is good to note that the definition of reportable incident has expanded in the current legislation. One of the concerns that the post-implementation reviews had from the previous regulatory regime was that the regulated entities were under-reporting. We note that the Bill has now expanded the definition to include incidents that could have an adverse impact on the security and operations of network and information systems, in addition to those incidents that are having or have had a negative impact.
While that is clear on the one hand—some factors have been provided, such as the number of customers affected, the geographical reach and the duration of the incident—what is not clear at the moment is the thresholds linked with those factors. In the absence of those thresholds, our concern is that regulated entities may be tempted to over-report rather than under-report, thereby creating more demand on the efforts of the regulators.
We must think about regulatory capacity to deal with all the reports that come through to them, and to understand what might be the trade-offs on the regulated entities, particularly if an entity is regulated by more than one competent authority. For those entities, it would mean reporting to multiple authorities. For organisations that are small or medium-sized enterprises, there is a real concern that the trade-offs may result in procedural compliance over genuine cyber-security and resilience. We call on the Government for immediate clarification of the thresholds linked to those factors.
Jill Broom: I would like to come in on that point. Our members would agree with it. Companies need to be clear about what needs to be reported, when it needs to be reported and where they need to report it. A bit of clarity is required on that, certainly around definitions. As Sanjana said, it is good to see that the definition is expanding, but definitions such as “capable of having” a significant impact remain unclear for industry. Therefore, we need a bit more clarity, because again, it means that we could risk capturing absolutely everything that is out there, and we really want to focus on: what is most important that we need to be aware of? Determining materiality is essential before making any report.
In terms of the where and the how, we are also in favour of a single reporting platform, because that reduces friction around the process, and it allows businesses, ultimately, to know exactly where they are going. They do not need to report here for one regulator and there for another. It is a streamlined process, and it makes the regime as easy as possible to deal with, so it helps incentivise people to act upon it.
I have another point to add about the sequencing of alignment with other potential regulation. We know that, for example, the Government’s ransomware proposals include incident-reporting requirements, and they are expected to come via a different legislative vehicle. We need to be careful not to add any additional layers of complexity or other user journeys into an already complex landscape.
Freddie van Mierlo
Q
Secondly, Dr Mehta, you spoke earlier about what is not in scope in this legislation. I am particularly interested in the fact that local government is not included in it, because it has a critical role in electoral services and in local and national democracy. What do you think are the threats from leaving local government out of scope?
Jill Broom: I think that generally, our members would always call for alignment, where possible, in any kind of legislation that spans the geographies. But we understand that the Bill focuses on a particular sector—the critical national infrastructure in the UK—and we welcome the intent of it.
Dr Sanjana Mehta: On sectoral scope, with the way that the Bill is currently drafted, there is obviously flexibility to introduce new sectors, and to bring in more provisions and guidance through secondary legislation and additional guidance. That being said, our recommendation is certainly to expand the sectoral scope at this stage by bringing in public administration.
There are a number of key reasons for that. First, public administration needs to be role model of good cyber-security to the rest of the economy. I think it was the 2025 state of digital government review that pointed out that the risk of cyber-attacks on Government is critical. You mentioned local government, but there are also central Government Departments that hold and process vast amounts of personal and sensitive information; I think, for example, DWP administered £288 billion of benefits over the past year. More than 23 million people claimed some sort of benefits from DWP and, in responding to those claims, DWP must have processed huge amounts of very sensitive medical and financial information on individuals. We think it is an omission to leave it out, and we recommend that the Government consider bringing it into scope.
Andrew Cooper
Q
Stuart McKean: It is about understanding what your service is delivering. Again, one of the key terms in the Bill is resilience. Needing resilience is a key part of the Bill. Whether you need a service that has international boundaries and you need to fail over to another country will be down to the organisations defining where they want their services to be. If they are happy that they are failed over into the US or another country, that is fine; but the reality is that it will be down to the organisation that has a requirement for a resilient service understanding where its data is. As long as it understands where its data is and what it is asking of the MSP, I am not sure the Bill will cover that as such. It is talking about resilience in general. I do not think it goes into the detail of where your data is.
Bradley Thomas
Q
Stuart McKean: Under the designation of a critical supplier, the Bill says:
“any such disruption is likely to have a significant impact on the economy or the day-to-day functioning of society in the whole or any part of the United Kingdom”.
That is a pretty big statement. As a small business owner, how do I know whether what I do is going to have an economic effect on the UK? It will have an economic effect on my business, but whether it has a wider impact is a big statement. I am not sure that it is clear enough.
Bradley Thomas
Q
Stuart McKean: It needs more detail, even if that is about providing some boundaries so that we have something to say, “If it is going to do the following, what is a ‘significant economic impact’?”. I would like to think that none of our services would have a significant economic impact, but they may well affect a person, so I would bring it more on to the citizen and the impact on people. We heard this a number of times in relation to the JLR incident: the impact on the supply chain was huge, it was economically very costly and directly impacted people’s lives. Anything that can provide more clarity in the definition of an impact at that level can only help.
Jill Broom: I agree. More clarity is needed. The Bill should be tighter in terms of defining that sort of systemic risk.
Dr Sanjana Mehta: The Bill as it stands requires competent authorities and regulators to designate an organisation as a critical supplier rather than the regulated entity. Organisations work with complex multi-tier supply chains, and the concern is that competent authorities that are one step further removed from those complex supply chains, and have even less visibility, transparency and control over those supply chains, might find it difficult to determine true criticality and risk within the supply chains. We ask for greater collaboration and co-ordination between the regulated entities and the competent authorities in designating an organisation as a critical supplier.
Dr Spencer
Q
Jill Broom: There is probably a broader point around legal certainty, which is not given on the face of the Bill. Some of our members have highlighted language that could create some pretty significant legal jeopardy for regulated entities. The Bill needs to go a bit further. It could and should do more to provide some legal certainty, because the cost to companies could be quite significant. To the point on consistency across regulators and things like that, we need more frameworks around how that is going to work. Leaving all the detail to secondary legislation is what makes it slightly difficult to examine what is on the face of the Bill, so making sure that everything is consulted on in a mandatory and meaningful way will be important.
The Chair
Four colleagues wish to ask questions, and they have only 20 minutes in which to ask them, so I appeal for brevity, both in the questions and, if you do not mind, in the answers.
Bradley Thomas
Q
Dr Ian Levy: I will start with that one.
The Chair
Please, Gentlemen, do not feel obliged to answer each question.
Dr Ian Levy: On the diverse networks and where they are hosted, it is important to be clear that resilience changes as scale changes. When it comes to the statistical model used to talk about resilience for a national system, if you have, say, three physical data centres in the UK connected by a redundant ring, that has a well-understood statistical model, but as you get bigger and bigger and more diverse, the statistics change, so the way you analyse resilience changes. That is not specific to Amazon Web Services; it applies to any large-scale system.
The way that we talk about resilience needs to be thought through carefully. I would urge you to consider outcomes and talk about availability and resilience to particular events. If somebody drives a JCB into a data centre, in a national-scale resilience model that can have a big impact, but in a hyperscale it will not.
We need to be clear about what the regulation is trying to do. If you look at us as a data centre operator, it is very different from someone who is providing co-location services. We provide our data centres for the sole purposes of providing our services, which have a very particular resilience model that is very different from somebody sticking their own racks in a third-party data centre. Some of the terms need to be better defined.
In terms of balancing growth, regulation, oversight and so on, there is a fallacy about putting specific technologies into legislation, except in very specific circumstances. We talked about post-quantum cryptography and AI. They will affect resilience, but probably not in the way we think they will today, so I would caution about putting specific technology definitions on the face of the Bill.
Matt Houlihan: On the cross-border question, very quickly, there are clearly a lot of jurisdictions looking at legislation in this space. There is absolutely an opportunity in the UK to look at things, such as mutual recognition agreements, that would simplify the international regulatory landscape, but there is also the opportunity for the UK to lead in this space as a very well-respected and cyber-capable country.
Touching on getting the balance right on growth and security, we have seen some useful moves recently from the UK Government and previous Governments on looking at codes of practice, which are voluntary in nature but help engage companies, as the recent software security code of practice did with mine and Chris’s. Techniques like that offer a nice balance and engage companies, but get that message around growth absolutely right.