Cyber Security and Resilience (Network and Information Systems) Bill (Fifth sitting) Debate
Public Bill Committees
The Parliamentary Under-Secretary of State for Science, Innovation and Technology (Kanishka Narayan)
I will begin by discussing clauses 15 and 16. Clause 15 updates the incident reporting provisions in the Network and Information Systems Regulations 2018. Under the current regulations, organisations are required to report incidents only once they have had a significant impact on service continuity. It is widely recognised that this is too narrow, and results in a range of concerning incidents going unreported and a distorted picture of how secure and resilient the UK’s essential services actually are.
To take two examples: a ransomware attack where confidential data has been exfiltrated from an organisation without an immediate impact on service would not be reportable; nor would a pre-positioning attack, where a hostile actor has hacked into a network and is in a position to cause significant disruption down the line, such as to the provision of drinking water. That cannot be right, and does not reflect the cyber-threats that critical services face.
To ensure such incidents are caught, the clause sets a new, wider definition of incidents that must be reported. The focus is now on incidents that have successfully affected the security or operation of an organisation’s network and are likely to have a significant UK impact, which will ensure that regulators and the National Cyber Security Centre are fully aware of the range of cyber-threats affecting the UK’s essential services.
The Bill sets out the factors that should be considered when assessing whether an incident has had, or is likely to have, a significant impact in the UK—including, crucially, whether the confidentiality, authenticity, integrity and availability of data has been compromised. The Government will provide further clarity in secondary legislation, setting out thresholds for each sector for when an incident is considered to have had, or be likely to have, a significant impact. That will be consulted on before it is introduced. Taken together, it means that only meaningful incidents are reported. Over-reporting has been a concern raised by hon. Members throughout the Bill’s progress, so I stress this point: things such as unsuccessful phishing emails will clearly not be reportable, as they would not be likely to have a significant impact.
Given our economy’s systemic dependence on data centre facilities, for that sector alone we will also ensure that Ofcom and the NCSC receive reports on a wider range of potential incidents and near misses. That ensures that not only immediate disruptions but incidents posing future risks are reported.
Clause 15 also streamlines the reporting process for all NIS sectors. It ensures that incident notifications and reports go to the NCSC at the same time as the regulator. It also sets out what those organisations can do with the information they receive, including how the information can be shared to manage the wider impacts of an incident or prevent future incidents. Finally, the clause introduces faster reporting, so that the NCSC and regulators are informed within 24 hours of entities becoming aware that a reportable incident is taking place.
The 24-hour notification will be light touch, but will enable the NCSC and regulators to offer faster support to minimise the negative impacts of the incident. Fuller details will need to be reported within 72 hours of the entity becoming aware that a reportable incident is happening. The changes will protect the UK’s essential services, ensuring that the NCSC and regulators are able to provide the best support that they can.
Clause 16 sets out requirements for managed service providers, relevant digital service providers, and operators of data centres to inform customers who are likely to have been adversely affected by a reportable incident. Under the current regulations, there is no requirement for any regulated entity to inform its customers if it has been impacted by a reportable incident. That may have made sense when the NIS regulations were more heavily focused on operators of essential services and the primary concern was service disruption, but it would be an inexcusable omission now that the Bill is expanding to include managed service providers and operators of data centres, in addition to the digital service providers already in scope.
These are organisations that, if compromised, could leave their customers’ systems, data or services exposed or inaccessible. In such circumstances, it is vital that their customers are notified, so that they can take whatever steps they need to in order to mitigate those risks.
Bradley Thomas (Bromsgrove) (Con)
I have two points for the Minister to address. First, could he clarify whether an organisation would face repercussions if a regulator believed in retrospect that notification should have been provided sooner? Secondly, on customer notification, can the Minister address the concern around striking the right balance between informing the customer and ensuring that the update that they receive is meaningful and not so vague that it causes further distress or worry?
Kanishka Narayan
I thank the hon. Member for those two thoughtful points. On the first, in terms of retrospective regulatory action on the adequacy of notification, I expect that the regulators will set out—in their guidance and by working closely with the entities in scope—their expectations about the nature and timeliness of the notification. That will be one input into a regulator’s broader assessment of entities’ compliance with the regime. I expect that timely notification will be assessed on an ongoing basis by the regulator, but I would not expect it to be an exclusive or primary aspect.
On the question of customer notifications being proportionate, I share the hon. Member’s concern about ensuring that it is timely and efficient and at the same time meaningful for the relevant customers. I hope that exactly those principles are embodied in the guidance that regulators share about notification requirements.
Customers being notified is all the more important given that in many cases, those customers will themselves be operators of essential services and other critical national infrastructure. The Bill therefore places new transparency requirements on managed service providers, relevant digital service providers and operators of data centres. Similar requirements were introduced under the NIS2 regulations in the European Union.
Clause 16 requires those regulated entities to take steps to establish which of their customers, if any, are likely to be adversely affected by a reported incident. It then sets out the information that the entity must share with those identified customers. These new requirements will support the overall resilience of the UK’s essential services and economy, which depend so heavily on these services, and reduce the overall impact of disruptive cyber-attacks.
Bradley Thomas
It is a pleasure to serve under your chairmanship, Dr Murrison.
When introducing new legislation, it is essential that those who fall under its new regulations be clearly identified and given adequate time to prepare for compliance. However, despite the aims of the Bill and the wish to avoid worsening a cyber-attack incident, the Bill still presents far too much ambiguity. It is right to recognise the cyber landscape as continuously evolving. There is no dispute that this terrain becomes increasingly complex each day, requiring a level of flexibility in legislation to ensure that it keeps pace. However, this desire to safeguard such adaptability, and the goal of future-proofing, must not come at the expense of the effectiveness of legislation in the present day.
The powers afforded to the Secretary of State to change the classification of essential activity, and to bring new sectors into scope of the Bill at any time, undoubtedly create uncertainty for many sectors and cast a shadow over long-term compliance. To be clear, we want organisations to comply with this legislation. We want to improve national cyber-resilience, gather vital intelligence and restore public confidence in our security. Why, then, would there not be a significant effort to make these regulations as easy to apply as possible, rather than leaving thousands of businesses second-guessing whether they fall within scope, with the pressure of large financial penalties hanging over their heads?
In addition, many will know that I am a firm supporter of parliamentary process. I support the notion that all legislation should receive the scrutiny it is due by the democratically elected Members of the House of Commons. That is why I believe the Bill must not only set out clearer guidelines for who is in scope, but require an official amendment, debated in the House, to permanently bring any new sectors into scope after the Bill has been passed.
I understand that, in times of emergency, the longer process of House of Commons scrutiny may not always be possible. That is why the Secretary of State should have powers to bring in sectors necessary in an emergency temporarily into scope, with less imposing of non-compliance penalties until their inclusion is made permanent by the House. Such an approach would not only allow for the quick reactions that cyber-security demands, but respect parliamentary processes and safeguard against organisations’ being unaware that they had suddenly been brought into scope until they received a potentially financially ruinous penalty notice for non-compliance.
Looking at the need for more definitive guidelines on who will be regulated under the Bill, we have already heard from numerous industry stakeholders that are unsure whether they, or other organisations in their sector, will fall within the mandatory scope. In addition, industry experts have publicly shared concerns about how far the net may be cast in some sectors, leading to the unintentional inclusion of organisations that are critical only to a single larger organisation, rather than to our national security, while ignoring other essential sectors altogether. Looking at recent cyber-attacks that have had a significant impact on our country, it is concerning that the definition of essential services may not include them within scope.
While it is predicted that many of Jaguar Land Rover’s supply chains will be in scope, it has been publicly questioned whether it will be included. As the largest car manufacturer in the United Kingdom, it directly employs over 30,000 people across the UK and supports around 100,000 jobs indirectly. It is therefore no surprise that the cyber-attack it endured, estimated to have had a financial impact of over £1 billion, was significant to many, including more than 5,000 organisations impacted and many of my constituents, with JLR being one of the largest direct and indirect employers in the west midlands region. How, then, if a key aim of the Bill is to ensure that all essential services whose disruption would profoundly impact our nation in the event of a cyber-attack report all major incidents, can the vagueness of the definition of essential services be allowed to stand—especially when it creates a situation in which previous key victims are excluded?
Of course, JLR is not the only victim where questions of inclusion remain. Also potentially falling outside the regulatory reach is Marks & Spencer, whose recent cyber-attack was another stark reminder of the rapidly advancing cyber-crimes scene and caused significant disruption, with costs estimated to run into the millions of pounds. Having met with M&S representatives recently, I had the opportunity to discuss their experience of enduring such an attack. Archie Norman, M&S chair, gave evidence to the Business and Trade Sub-Committee on Economic Security, Arms and Export Controls, where he said that “a growth economy” is “a cyber-resilient economy”.
Having a cyber-resilient UK, and making the UK the safest place to do business, is a competitive advantage. I agree with that sentiment and firmly believe that increasing our cyber-resilience can only benefit our economy. It is imperative that we get this right. These cyber-threats are not going away; they are only going to get stronger and more technically advanced. We have seen that in the past year, with the National Cyber Security Centre reporting a 50% increase in British cyber-incidents deemed highly significant. Indeed, representatives of M&S told me that, at times, they found it much easier to get updates and information from the United States FBI than they did from our own authorities. We also know that foreign hostile states are becoming bolder in their actions against us.
A few months ago—as a reason for introducing my ten-minute rule Bill, the Cyber Extortion and Ransomware (Reporting) Bill—I stated that research had revealed that 74% of UK IT leaders cited China and 71% cited Russia as their top cyber-security concerns. It is undisputable that last year’s espionage trials threw a harsh spotlight on the threatening scale of state-sponsored cyber-attacks.
Improving our national cyber-resilience, and safeguarding all our infrastructure and essential services, including in the private sector, is vital in order to secure a prosperous economy and reinforce public confidence in our ability to defend ourselves against such threats.
Kanishka Narayan
Clause 17 introduces new charging powers for NIS regulators, enabling them to recover the full costs of their regulatory functions under the NIS regime. This is an important reform that will help to ensure that regulators are effectively funded as they take on their expanded responsibilities under the Bill. It will allow them to move away from a funding model that relies on ad hoc invoicing or Government grants, and to approach their duties with greater confidence and certainty.
The clause sets out detailed procedural requirements that determine how and when the charging powers can be used. These will ensure that regulated organisations know what to expect from regulators; fees will be set proportionately and regulators will provide satisfactory accounting for the sums they have charged.
The first requirement is that regulators consult and publish a charging scheme. It must specify what functions the fees are covering, the amount of fees being charged or how those fees will be calculated, and the charging period they cover. Crucially, regulators will be able to set different levels of fee for different types of organisations—for example, varying charges according to size or turnover, or excluding organisations from the charging scheme if it would be disproportionate or counter-productive to include them.
Bradley Thomas
I have two points for the Minister to address. First, can he address concerns around whether funds raised will be directly reinvested into improving cyber-security, rather than covering administrative overheads? Secondly, there is no specific reference to turnover thresholds, so how can the Minister be sure that a one-size-fits-all approach will not be used, causing many similar organisations to suffer financially?
Kanishka Narayan
I thank the hon. Member for those thoughtful points. On the first question, the charging scheme applies to relevant costs, which are costs that regulators incur precisely when they carry out functions under the NIS regulations relating to cyber-security specifically. Those can include the cost of audits, inspections, handling incident reports or enforcement action, as well as other aspects, such as assessments of cyber-security and the provision of advice. It is important to acknowledge that regulators can decide to recover costs in relation to specific functions or their costs relating in particular to the Bill’s provisions. I hope to have assured the hon. Member that the charging scheme has a clear, tight scope that is related to cyber-security functions.
On the second question, regulators probably ought to look at turnover in a way that is sector-specific, in part because there are already a range of ways in which other regulatory regimes define turnover in particular sectors, so the appropriate definitions for their sectors will be familiar to both regulators and regulated entities. At a later date, secondary legislation may be used if it is found necessary to set out factors that regulators ought to consider in setting up charging schemes, including the possibility of nuanced definitions of turnover. Any future regulations for this purpose will be subject to consultation requirements and the affirmative procedure. I would very much expect, at a sector level, a clear and proportionate definition and charging structure in relation to turnover.
The second requirement is to set out, transparently and clearly, what fees have been paid, what fees are still due, and what costs have been incurred in a given charging period. On Second Reading, many hon. Members discussed the need for properly resourced regulators to successfully implement the Bill. I share that concern, and this clause seeks to achieve exactly that, in a way that is fair and proportionate to regulated organisations.
I commend the clause to the Committee.
Kanishka Narayan
Clause 20 introduces important updates to the information-gathering powers that regulators have under the NIS regime. It ensures that regulators are able to collect any information that they might reasonably require to exercise, or to decide whether to exercise, their functions under the regulations.
While the clause sets out some of the purposes for which a regulator might particularly wish to collect information—for example, to determine whether an organisation should be designated as a critical supplier—this is an explicitly non-exhaustive list. The clause also allows regulators to collect information through the issuing of an information notice. It sets out the details that must be included in such a notice, and the form that it may take. An information notice must, for example, explain why the information is being sought and the form in which it must be provided.
New regulation 15A, as introduced by the clause, makes clear that an information notice can be given to an organisation based outside the UK and can apply to information held outside the UK. An information notice may require the obtaining, generating, collecting or retaining of information or documents. Those changes are critical in ensuring that regulators can access the information they need properly to enforce the NIS regulations. I commend this clause to the Committee.
Bradley Thomas
Can the Minister elaborate on how he will ensure that regulators have the capacity to cope with large-scale data reports?
Clause 20 grants regulators wide-ranging information-gathering powers, in relation both to regulated entities and to organisations currently outside the scope of the regulations. These new powers will be important to competent authorities in gaining access to the information necessary to consider which businesses should be designated as critical suppliers for their sectors. The Minister will remember that we had a very extensive discussion about the allocation, or otherwise, of critical suppliers. What assurance can he give that requests for information under this new clause will be exercised proportionately? That is especially relevant for SMEs, which might struggle administratively to meet broad requests for information within short deadlines.
I know I will be told off by the Chair if I try to rehash the previous debate on clause 12, but one of the points I made during that debate was that the scope of what could fall under the definition of a critical supplier could, in my view, include any supplier to an operator of an essential service. Potentially, therefore, a request for information under this provision could be incredibly broad. Can the Minister give some reassurance about how this will work in practice, relating to the proportionality of data collection? The concern is that this could become a fishing or dredging exercise, rather than something that is proportionate and targeted on the most high-risk suppliers.
Kanishka Narayan
Clause 21 reforms the enforcement regime for the NIS regulations. It seeks to ensure that providers of the UK’s most essential services are complying with their obligations under those regulations. Where they are not, it will allow for more meaningful penalties that reflect the risks they introduce to our society and economy as a whole. To do that, the clause makes a number of critical changes.
First, the clause introduces a new penalty maximum based on turnover. The current maximum penalty is £17 million, which can appear disproportionately large for smaller organisations, but could also easily be absorbed by larger ones as the “cost of doing business.” The clause therefore increases the penalty limits from £17 million to a maximum of £17 million or 4% of annual turnover, whichever is higher. I am confident that that strikes the right balance within the UK regulatory context. It brings the regime in line with other UK legislation that regulates cyber-security, such as part 1 of the Product Security and Telecommunications Infrastructure Act 2022, without rushing uncritically to the more severe penalties we see in other CNI regulation.
The second change is to create a simple two-band penalty structure that will provide much-needed clarity to regulators and industry about the penalty tiers for specific acts of non-compliance.
Bradley Thomas
On the point about banding, can the Minister assure us that there will be consistency applied across regulators so that different events are not differentially penalised depending on the regulatory body? On the question of turnover and the financial penalty, can the Minister elaborate on how the figure was derived?
David Chadwick (Brecon, Radnor and Cwm Tawe) (LD)
New clauses 8 and 9 would close a dangerous gap at the heart of the Government’s cyber-security strategy. Right now, the Bill creates a two-tier system. Private companies running critical national infrastructure face strict legal duties, enforcement and oversight, yet the very public institutions that hold our democracy together and protect our most vulnerable citizens are left outside statutory protection. Nowhere is that more alarming than with our local authorities. Indeed, that is where the Government’s approach diverges from some EU member states. For example, the Netherlands is applying its equivalent legislation to local authorities.
When a council suffers a cyber-attack, it is not just an IT inconvenience; it means real life grinding to a halt. Members of the Committee who have served on local authorities will be well aware that a cyber-attack hitting a local authority creates problems with welfare payments, housing services, processing benefits payments, accessing social care for the most vulnerable in our society and collecting bins. Those are crucial activities in the day-to-day life of our society and our democracy. A cyber-attack can leave families without support, vulnerable children without protection and elderly residents without care, yet the Minister has suggested that these services are not necessary to the day-to-day functioning of society. I disagree with that.
We have already seen the consequences at Tewkesbury borough council, where a cyber-attack was so severe that it triggered a major incident and crippled core services. Likewise, the attack on Gloucester city council cost the taxpayer more than £1 million and put at risk some of the most sensitive information held on UK residents, particularly if one considers the nature of employment in Gloucestershire. The reporting from those attacks showed that local authorities, which are cash-strapped and struggling to make do as they are, had to divert staffing resources into addressing those incidents.
Bradley Thomas
I have much sympathy with the hon. Gentleman’s arguments about the importance of local government, and I believe that it should be within scope of the Bill. Essential services are provided by councils on a day-to-day basis, but local councils are increasingly cash-strapped. Does he share my concern about the burden of compliance falling on councils, many of which differ in size and scale from their adjacent neighbours? They have differing degrees of IT infrastructure capability. We run the risk of increasing the compliance and regulatory burden on councils at a time when they may already have stretched budgets and lack the resource and capacity in the system to accommodate that additional burden.
David Chadwick
The hon. Gentleman makes an important point. We cannot allow these services to be interrupted. He will be well aware of the impact that bins not being collected has on our streets.
Councils are being targeted because they hold sensitive personal data and provide much-needed services to the most vulnerable in society, yet they are being left as soft targets, without statutory requirements and the ringfenced resources that accompany them. We cannot claim to be building a cyber-secure Britain while leaving the frontline of public services unprotected. Resilience must extend beyond councils.
Our new clauses also ask that our political parties and electoral infrastructure are properly protected, because we know that hostile states and non-state actors are actively seeking to undermine democratic systems. An attack does not need to change an electoral result to be devastating; it need only cast doubt on the integrity of the count or prevent legitimate voters from casting their ballots. We know that trust, once lost, is extraordinarily hard to rebuild. The security of our elections is too important to be left to secondary legislation made at some future date.
Finally, our new clauses would require the Government to bring critical manufacturing, food production and large-scale retail distribution into scope. When British companies such as JLR lose billions to cyber-incidents, or when national retailers such as Marks & Spencer are paralysed, it is not just a private commercial issue, but a blow to national economic security, and there is no economic security without cyber-security. The Minister will be aware that the ramifications of the JLR attack were felt across south Wales because of the link to the steel industry supply chain. Our neighbours in the European Union already recognise this issue through the NIS2 framework, which covers food production and transport manufacturing as essential sectors. The new clauses simply ask the Government to match that seriousness.
At their heart, our new clauses are about ending the two-tier approach. We seek the Government’s recognition that councils, political parties, electoral infrastructure and core supply chains are just as critical to national resilience as power stations and data centres. A country is not secure if its public services, at any level, are exposed. Its elections are vulnerable, and its economy can be brought to a standstill by a single cyber-attack. These new clauses hope to close those gaps and make Britain safer.