Cyber Security and Resilience (Network and Information Systems) Bill (Fifth sitting) Debate
Full Debate: Read Full DebateDepartment: Department for Science, Innovation & Technology
David Chadwick
Main Page: David Chadwick (Liberal Democrat - Brecon, Radnor and Cwm Tawe)Department Debates - View all David Chadwick's debates with the Department for Science, Innovation & Technology
Cyber Security and Resilience (Network and Information Systems) Bill (Fifth sitting)
David Chadwick ExcerptsTuesday 10th February 2026
(4 days, 16 hours ago)
Public Bill CommitteesRead Full debate Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 View all Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: Public Bill Committee Amendments as at 10 February 2026 - (10 Feb 2026)
David Chadwick (Brecon, Radnor and Cwm Tawe) (LD)
New clauses 8 and 9 would close a dangerous gap at the heart of the Government’s cyber-security strategy. Right now, the Bill creates a two-tier system. Private companies running critical national infrastructure face strict legal duties, enforcement and oversight, yet the very public institutions that hold our democracy together and protect our most vulnerable citizens are left outside statutory protection. Nowhere is that more alarming than with our local authorities. Indeed, that is where the Government’s approach diverges from some EU member states. For example, the Netherlands is applying its equivalent legislation to local authorities.
When a council suffers a cyber-attack, it is not just an IT inconvenience; it means real life grinding to halt. Members of the Committee who have served on local authorities will be well aware that a cyber-attack hitting a local authority creates problems with welfare payments, housing services, processing benefits payments, accessing social care for the most vulnerable in our society and collecting bins. Those are crucial activities in the day-to-day life of our society and our democracy. A cyber-attack can leave families without support, vulnerable children without protection and elderly residents without care, yet the Minister has suggested that these services are not necessary to the day-to-day functioning of society. I disagree with that.
We have already seen the consequences at Tewkesbury borough council, where a cyber-attack was so severe that it triggered a major incident and crippled core services. Likewise, the attack on Gloucester city council cost the taxpayer more than £1 million and put at risk some of the most sensitive information held on UK residents, particularly if one considers the nature of employment in Gloucestershire. The reporting from those attacks showed that local authorities, which are cash-strapped and struggling to make do as they are, had to divert staffing resources into addressing those incidents.
Bradley Thomas
I have much sympathy with the hon. Gentleman’s arguments about the importance of local government, and I believe that it should be within scope of the Bill. Essential services are provided by councils on a day-to-day basis, but local councils are increasingly cash-strapped. Does he share my concern about the burden of compliance falling on councils, many of which differ in size and scale from their adjacent neighbours? They have differing degrees of IT infrastructure capability. We run the risk of increasing the compliance and regulatory burden on councils at a time when they may already have stretched budgets and lack the resource and capacity in the system to accommodate that additional burden.
David Chadwick
The hon. Gentleman makes an important point. We cannot allow these services to be interrupted. He will be well aware of the impact that bins not being collected has on our streets.
Councils are being targeted because they hold sensitive personal data and provide much-needed services to the most vulnerable in society, yet they are being left as soft targets, without statutory requirements and the ringfenced resources that accompany them. We cannot claim to be building a cyber-secure Britain while leaving the frontline of public services unprotected. Resilience must extend beyond councils.
Our new clauses also ask that our political parties and electoral infrastructure are properly protected, because we know that hostile states and non-state actors are actively seeking to undermine democratic systems. An attack does not need to change an electoral result to be devastating; it need only cast doubt on the integrity of the count or prevent legitimate voters from casting their ballots. We know that trust, once lost, is extraordinarily hard to rebuild. The security of our elections is too important to be left to secondary legislation made at some future date.
Finally, our new clauses would require the Government to bring critical manufacturing, food production and large-scale retail distribution into scope. When British companies such as JLR lose billions to cyber-incidents, or when national retailers such as Marks & Spencer are paralysed, it is not just a private commercial issue, but a blow to national economic security, and there is no economic security without cyber-security. The Minister will be aware that the ramifications of the JLR attack were felt across south Wales because of the link to the steel industry supply chain. Our neighbours in the European Union already recognise this issue through the NIS2 framework, which covers food production and transport manufacturing as essential sectors. The new clauses simply ask the Government to match that seriousness.
At their heart, our new clauses are about ending the two-tier approach. We seek the Government’s recognition that councils, political parties, electoral infrastructure and core supply chains are just as critical to national resilience as power stations and data centres. A country is not secure if its public services, at any level, are exposed. Its elections are vulnerable, and its economy can be brought to a standstill by a single cyber-attack. These new clauses hope to close those gaps and make Britain safer.
Dr Spencer
Part 3 is a very important part of the Bill. It gives the Secretary of State a range of powers, including ones to bring additional sectors into the scope of regulation, to update the NIS regulations, to publish statements of strategic priorities for regulators and to publish codes of practice that set out cyber-security measures for entities to comply with their regulatory duties.
Clause 24 includes a power enabling the Secretary of State to specify new services that can be brought into the scope of the NIS regulations, and to designate additional regulatory authorities. Those powers are intended to allow the Secretary of State to identify additional critical sectors and respond to emerging threats quickly. That agility introduced by this measure has been broadly welcomed as appropriate, given the fast-evolving nature of malicious cyber-activity.
Given the extent of the Secretary of State’s new powers, however, it is important to put in place guardrails to ensure that the appropriate response to emerging threats is indeed further regulation, rather than market-led or insurance-based mitigations. Can the Minister provide any further information at this stage about the procedure that will be followed in deciding whether to expand the scope of regulation to ensure consistency and transparency?
Hon. Members have tabled several new clauses that would prompt the Secretary of State to use her duties under clause 24. I will speak to new clause 1, tabled by the hon. Member for Warwick and Leamington (Matt Western), and new clause 9, tabled by the hon. Member for Brecon, Radnor and Cwm Tawe, together, as they have some thematic overlap. New clause 1 seeks to bring all entities, other than small businesses and microbusinesses, in the food production, distribution and retail supply chain into the scope of regulation as operators of essential services. New clause 9 also touches on the regulation of food supply chains. It would require the Secretary of State to designate retailers of
“food and essential goods (when part of a large-scale distribution chain)”
and manufacturers of “critical transport equipment” as providers of essential services to be brought into the scope of regulation.
Those new clauses reflect concerns about the cyber-attacks targeting the food retailers M&S and Co-op last year. New clause 9 reflects issues raised by the major attack on JLR, which cause such disruption and threatened the stability of regional jobs and supply chains. Those attacks caused significant public concern, but they would all remain out of scope after the Bill comes into effect.