Cyber Security and Resilience (Network and Information Systems) Bill Debate
Chi Onwurah (Labour - Newcastle upon Tyne Central and West)
Commons Chamber
The right hon. Gentleman would have had some involvement in this when he was in government; indeed, the 2018 regulations came from the previous Government. We are all trying to make sure that we are catching up with the technology as quickly as it moves. He makes a very interesting point that I am very conscious of and happy to take away. We are determined to deliver the cyber-security action plan, which is backed by £210 million.
The actions that the previous Government took did not come to fruition in terms of their 2030 target, which is why we have refreshed the action plan and brought it forward with some significant cash. It is important for Ministers to take that forward. I hope that the right hon. Gentleman will hold us to account to ensure that we are fulfilling that promise in the cyber-security action plan. Public services, and indeed central Government, must take the leading role to show businesses that the approach to take is to ensure that all our systems are as secure as possible, not just on economic grounds, but for the people that we all seek to represent.
I thank the Minister for the excellent points he is making on the importance of cyber-security and the cyber-security action plan. Can he say a little bit about how the success of the cyber-security action plan will be measured, monitored and communicated to the House? He is probably aware that only 33,000 cyber essentials certificates were issued in 2024, for example, so an increased take-up of cyber essentials and the guidance in the action plan are essential.
There are some key dates to monitor progress in the action plan itself. I wrote to my hon. Friend, the Chair of the Science, Innovation and Technology Committee, this morning on the publication of the action plan to lay out some of those issues; the letter will be landing soon. I would be happy to discuss that in front of the Committee in more detail. I hope that the Committee, and indeed the Opposition and our own Labour Members, hold us to account for delivering on this, because it is fundamentally important to Government, whether it be digitisation, modernising Government or winning the case with the public about why digitisation is so important and why Government should be as secure as possible and lead the charge on that across the whole economy. I hope that we and the Committee can take that forward in the weeks and months ahead.
As I said, the Government cyber action plan launched this morning is backed by over £210 million of investment and Government Departments will be held to standards equivalent to those set out in the Bill. I hope that that partially answers the question from my hon. Friend the Chair of the Science, Innovation and Technology Committee. Although the focus of the Bill is on essential services, it will also indirectly help businesses, including those damaged by the recent attacks, and Government. Almost all organisations today rely on data centres, outsourced IT or some kind of external supplier. By extending the Bill’s oversight, we are preventing attacks that could, in theory, reach thousands of organisations.
The Bill also gives new powers to regulators responsible for enforcing the NIS framework. Effective compliance is crucial to the success of any regime. These reforms could be world-leading on paper, but without proper enforcement they are meaningless.
Happy new year to you, Madam Deputy Speaker, to all hon. Members and to the staff.
It is appropriate that we begin 2026 by talking about an issue in the House that is of grave importance to all our constituents, but is not discussed enough either here or in the country: cyber-security. At the start of the millennium, only a quarter of the UK and 6% of the world were online. Today, almost 98% of the UK and 68% of the world use the internet. According to Ofcom, we each spend between three and six hours online every day, depending on our age and interests. For many—perhaps too many—life is lived online. Even when people are not online, the infrastructure of their lives is. Whether people use online banking or not, their bank account details will be stored in a cloud somewhere. The same is true of health records, electricity bills, children’s school records, the safety sensors of our nuclear power plants, Christmas Marks & Spencer orders and Uber ride details.
The Prime Minister said that national security is the first duty of any Government. I hope that all hon. Members agree that the Government must ensure the security of the British people as we go about our increasingly online lives. Previous Governments have not taken that issue seriously enough or done enough to protect our citizens. That is why, as Chair of the Science, Innovation and Technology Committee and a self-confessed tech evangelist, I welcome the legislation. I am pleased to see other members of the Committee here. The Committee has not examined cyber-security in detail, but we have expressed significant concerns about public sector data management, for example, after the Afghan data breach came to light.
As we have heard, the UK’s only cross-cutting cyber-security legislation is inherited from the EU. Since Brexit, the EU has updated those regulations, leaving the UK working in an outdated framework. Meanwhile, nationally significant cyber-incidents, as measured by the National Cyber Security Centre, more than doubled last year. The NCSC also warns that artificial intelligence will “almost certainly” increase both the scale and impact of attacks. When everyone can code, thanks to AI, everyone can hack, and we need to respond to that, because those attacks threaten not only our national security, but our economy. In November, the Bank of England cited, for the first time, a major cyber-attack—that on Jaguar Land Rover—as a factor in its decision to hold interest rates. The JLR breach is estimated to have cost the economy almost £2 billion.
I welcome the Bill, which seeks to expand its scope to new sectors, to make regulators more effective, and to grant the Government additional powers to respond to the ever-evolving threat landscape. However, I must be clear that there is more to be done. My main concern relates to the scope of the legislation. The Bill rightly brings data centres, large load controllers and managed service providers within the scope of regulations, and grants competent authorities the power to designate critical suppliers that are vital to the service provided, yet some of our most economically significant sectors remain outside its core obligations.
Retail is the UK’s largest private sector employer. It handles huge volumes of sensitive customer data, runs complex supply chains, and often relies on legacy IT systems, which make it a prime target for cyber-criminals, yet retail is outside the direct scope of the Bill. The legislation would therefore not have prevented the attacks on Marks & Spencer, the Co-op or Jaguar Land Rover, which affected our constituents so greatly.
I welcome the Government’s plan to promote the new cyber governance code of practice to improve preparedness in sectors such as retail. However, even after high-profile breaches, cyber-security is still not prioritised at board level. A recent report by the Information Systems Audit and Control Association—ISACA—shows that only 56% of company boards take cyber-security seriously enough, and that is after JLR.
The Minister, in his excellent speech, said that it was up to private sector companies to manage their cyber-security. I agree, but how will the Government assess whether that is happening? What will the Government do if there is evidence that companies are not managing their cyber-security effectively and that, as a result, our citizens are not adequately protected?
Without a way of monitoring and enforcing governance standards, large parts of our economy remain exposed. ISACA recommends a statutory review of the uptake and effectiveness of the cyber governance code; powers for regulators to mandate periodic external resilience assessments, such as penetration testing and scenario-based exercises; and a requirement for organisations to appoint an accountable individual who meets defined competency standards.
Government Departments, local administrations and public bodies, such as the BBC, are also outside the scope of the legislation. The Bill does nothing to address long-standing weaknesses in public sector data management, which the Select Committee highlighted. As the National Audit Office declared last year, the cyber-threat to the UK Government is “severe and advancing quickly”. The cyber-attack on the Foreign, Commonwealth and Development Office in October is a clear example of how rapidly the attacks are escalating. We need greater rigour to prevent future attacks and build the public trust that is needed for the implementation of digital ID and other digital transformation projects.
I have not been able to study in any detail the action plan that the Government published this morning, but I will look for clear measures of success when it comes to its implementation, and ways in which the cultural change that was mentioned in the debate, which is needed in the public sector as well as the private sector, has been achieved.
The Secretary of State recently told my Committee that the Government would
“assess the improvements the Cyber Security Bill brings to the UK’s cyber defences through post-implementation reviews, regular engagement with NIS regulators and industry, and monitoring the incidence and cost of any future cyber attacks.”
I would welcome clarification of whether those commitments reflect the statutory requirements in clauses 20 to 22 or additional policy commitments, and how they will be funded.
The Bill rightly focuses on critical national infrastructure, but as we all know, we are only as secure as our weakest link. The supply chains for our critical national infrastructure involve many small businesses, who may or may not be within the scope of the Bill, depending on their designation. How quickly does the Minister envisage businesses knowing whether they have been designated as critical suppliers?
I support the Bill’s proposals for mandatory cyber-incident reporting and recognise the value of the Government’s collecting and publishing data on ransomware and other attacks. However, I share the concerns raised by the Association of British Insurers and others about the feasibility of small businesses meeting the proposed two-stage reporting requirement, and particularly the requirement to submit full reports to regulators and the NCSC within 72 hours.
We have seen that the take-up of cyber essentials—the programme to help businesses, and particularly small businesses, achieve the cyber-security they need—is low among businesses. As I said, only 33,000 took it up in 2024. Cyber insurance take-up is also low among small businesses, leaving them vulnerable in terms of skills and protection. Can the Minister say a little about his plans to address that? If the Bill is to succeed, implementation must be done with industry, not to industry, so I echo techUK’s calls for clearer guidance on information sharing and for additional support to help small businesses meet compliance costs.
I hope that the Minister will address the following points specifically. Will the Government consider extending the Bill to economically significant businesses outside its current scope, and empowering regulators to mandate stronger cyber governance and resilience assessments? Will the Government consider including direct measures to strengthen cyber-security and resilience in public administration, including local authorities and Government Departments? Will the Government clarify whether the post-implementation reviews, monitoring of cyber-incidents, and engagement with regulators and industry that the Secretary of State has outlined to my Committee reflect the existing statutory requirements in the Bill? Will the Minister ensure that the new cyber-incident reporting and information sharing requirements are implemented in a practical and proportionate way for small businesses? Will the Government take steps to support cyber insurance take-up? Finally, will they ensure that there is clear guidance on information sharing requirements, and provide additional support to help businesses meet compliance costs?
We need to talk more about cyber-security. I have not touched on some of the national security implications, which the Minister and my hon. Friend the Member for Warwick and Leamington (Matt Western) described very well, but this issue is only going to get more important from the perspective of national security, economic security, and personal safety and security. If we can get the implementation of this Bill right by extending it as necessary, working with industry, supporting smaller businesses, and supporting public trust and public security, then I hope we can build a nation that is not just cyber-secure today, but prepared for the many challenges that lie ahead.