Cyber Security and Resilience (Network and Information Systems) Bill (Sixth sitting) Debate
Full Debate: Read Full DebateDepartment: Department for Science, Innovation & Technology
David Chadwick
Main Page: David Chadwick (Liberal Democrat - Brecon, Radnor and Cwm Tawe)Department Debates - View all David Chadwick's debates with the Department for Science, Innovation & Technology
Cyber Security and Resilience (Network and Information Systems) Bill (Sixth sitting)
David Chadwick ExcerptsTuesday 10th February 2026
(4 days, 13 hours ago)
Public Bill CommitteesRead Full debate Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 View all Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: Public Bill Committee Amendments as at 10 February 2026 - (10 Feb 2026)
Kanishka Narayan
I agree with the shadow Minister. The Bill’s focus is on the assessment of compliance with ultimate security duties. The codes of practice will set out approaches to do so, but they will not be the only approaches. I would be happy to write to the shadow Minister and the Committee on the particular legal interpretation, and any relevant case law that might apply.
Question put and agreed to.
Clause 36 accordingly ordered to stand part of the Bill.
Clauses 37 to 39 ordered to stand part of the Bill.
Clause 40
Report on network and information systems legislation
David Chadwick (Brecon, Radnor and Cwm Tawe) (LD)
I beg to move amendment 26, in clause 40, page 63, line 7, leave out “5” and insert “3”.
This amendment would increase the frequency of the reports that must be published under Clause 40, from every five years to every three years.
David Chadwick
Amendment 26, tabled by my hon. Friend the Member for Henley and Thame, seeks to ensure that the Bill keeps pace with the reality that it seeks to regulate. In the world of cyber-security, five years is a lifetime. In the past five years, the size and scale of cyber-attacks has continued to advance at pace, and we can expect the next five years to be the same. In that context, waiting five years for the first formal parliamentary review of the Bill seems dangerous. It risks leaving us with a regulatory framework designed for the threats of yesterday and not tomorrow. The cyber-threat is real, evolving and urgent.
The NCSC has reported that nationally significant cyber-incidents more than doubled in 2025 alone. That is why the amendment would change the reporting cycle to once every three years. That is a pragmatic timeline, which allows the Government to identify gaps and close them before they are exploited. The EU’s NIS2 directive explicitly mandates a review by the Commission every three years, and it is not clear why the Government have decided to diverge from that standard. Is it because they believe that the cyber-threat here is considerably less than the one facing European member states? It is simply not clear, which adds to the general sense of bewilderment about this provision. If our European neighbours are reviewing their cyber-security approach every three years, why are the UK Government content to wait for five?
Dr Spencer
Clause 40 requires the Secretary of State to publish a report every five years on the operation of the NIS regulations and parts 3 and 4 of the Bill. Reports should include a review of any exercise of powers under parts 3 and 4 by the Secretary of State. Given the wide-ranging powers granted to the Secretary of State under those parts, I have some sympathy for amendment 26, tabled by the hon. Member for Henley and Thame, which seeks to reduce reporting intervals from five years to three.
The shadow Secretary of State, my hon. Friend the Member for Hornchurch and Upminster (Julia Lopez), raised this issue on Second Reading. She suggested that annual or biannual reviews might allow for effective parliamentary scrutiny of the NIS regulations and of the Secretary of State’s exercise of powers to respond to emerging threats. In view of the concerns voiced by the hon. Members for Henley and Thame and for Brecon, Radnor and Cwm Tawe, and by the shadow ministerial team, will the Minister explain why five-year intervals have been selected and whether the Government will look at this important issue again?
David Chadwick
I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
Clause 40 ordered to stand part of the Bill.
Clause 41
Regulations under section 24 or Chapter 3
Question proposed, That the clause stand part of the Bill.
Kanishka Narayan
On the broader point about application to the devolved Administrations, changes in UK legislation may indeed need to be reflected in devolved legislation, such as where it refers to and references the name of UK legislation. In those contexts, it is important that consequential provision can be made to ensure coherence. We will continue to engage with our devolved colleagues on the implementation. I am very happy to write to the hon. Gentleman and the Committee, particularly on the Northern Ireland point.
Question put and agreed to.
Clause 41 accordingly ordered to stand part of the Bill.
Clause 42 ordered to stand part of the Bill.
Clause 43
Directions to regulated persons
David Chadwick
I beg to move amendment 27, in clause 43, page 66, line 11, at end insert—
“(fa) a requirement to remove, disable or modify hardware, software or other facilities;”
This amendment would enable the Secretary of State to issue directions to remove, disable or modify hardware, software or other facilities for national security purposes.
David Chadwick
Amendment 27, which I move on behalf of my hon. Friend the Member for Henley and Thame, would give the Government the ability to remove, disable or modify hardware and software that could be used to infiltrate British national infrastructure, such as the cables underneath the now approved Chinese mega-embassy in Tower Hamlets.
The Prime Minister’s greenlighting of the Chinese super-embassy in the heart of London is a grave mistake that presents an open door for the ramping up of Chinese espionage in our country. It sends a regrettable and shameful message to Hongkongers—many of whom have already been targeted, intimidated and coerced by the Chinese Communist party—that trade deals are being prioritised over their safety. The Government must take a robust stance with hostile states such as China.
Dr Spencer
Clause 43 grants the Secretary of State powers to issue directions to regulate entities where there is a risk to national security, or where an action must be taken in the interests of national security. Directions can include requirements relating to the management of systems, the yielding of information and the removal or modification of goods and services. The Secretary of State may also require a regulated entity to engage the services of a skilled person to comply with directions issued. The Secretary of State has wide discretion to dispense with providing reasons for directions or consulting with the affected parties on the basis of national security considerations.
Clause 44 clarifies that the Secretary of State’s directions under part 4 prevail if there is a conflict between those directions and another statutory requirement. The exercise of these powers by the Secretary of State could have far-reaching consequences for businesses, which may experience interruption to their commercial activities, as well as the potentially considerable time and expense in adhering to a request made on national security grounds.
I have spoken on several occasions in the House and in this Committee about the critical risks posed to our cyber-security and national security by hostile state actors and their affiliates. It is, of course, right that the Secretary of State should have this power, but it should be used only in extremis. Like other extensive powers granted to the Secretary of State under part 3, it must be subject to oversight and guardrails. A report to Parliament, which may well be redacted, on the exercise of functions under part 4 will not be sufficient to ensure that this power is used proportionately. Has the Department considered introducing an obligation for the Secretary of State to report to the Intelligence and Security Committee when she exercises powers under part 4?
We discussed the Chinese super-embassy earlier. Later in the Committee’s proceedings, I will talk about an Opposition new clause that would deal with that problem effectively.
Kanishka Narayan
I could not judge a specific situation but, broadly speaking, that is the sort of situation, especially if it is an NIS-regulated entity, and in particular where the exercise of the power is focused on the entity’s network and information systems, that I would expect to come in scope of the powers specified here.
Under clause 44, a direction can be issued only when necessary for national security. It is possible that, in some circumstances, what is needed to protect UK national security could conflict with standard regulatory duties. For example, a direction might relate to a particularly sensitive national security risk, where only those involved in addressing the risk should be aware of it. That is to minimise the risk of hostile actors becoming aware of a vulnerability. A direction could therefore require an entity not to report that national security risk for the period in which the risk was being remedied. They may ordinarily have had to report that national security risk to comply with standard reporting requirements. The clause will resolve that conflict and provide certainty to recipients of directions about what they must do to ensure that the national security risks in a direction are addressed.
David Chadwick
Given the reassurances from the Minister, I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
Clause 43 ordered to stand part of the Bill.
Clause 44 ordered to stand part of the Bill.
Clause 45
Monitoring by regulatory authorities
Question proposed, That the clause stand part of the Bill.