Cyber Security and Resilience (Network and Information Systems) Bill (First sitting) Debate
Full Debate: Read Full DebateDepartment: Department for Science, Innovation & Technology
Freddie van Mierlo
Main Page: Freddie van Mierlo (Liberal Democrat - Henley and Thame)Department Debates - View all Freddie van Mierlo's debates with the Department for Science, Innovation & Technology
Cyber Security and Resilience (Network and Information Systems) Bill (First sitting)
Freddie van Mierlo ExcerptsTuesday 3rd February 2026
(1 day, 18 hours ago)
Public Bill CommitteesRead Full debate Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 View all Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: Public Bill Committee Amendments as at 3 February 2026 - (3 Feb 2026)
Emily Darlington (Milton Keynes Central) (Lab)
Q
David Cook: The original NIS regulations came out of a directive from 2016, so this is 10 years old now, and the world changes quickly, especially when it comes to technology. Not only is this supply chain vulnerability systemic, but it causes a significant risk to UK and global businesses. Ransomware groups, threat actors or cyber-criminals—however you want to badge that—are looking for a one-to-many model. Rather than going after each organisation piecemeal, if they can find a route through one organisation that leads to millions, they will always follow it. At the moment, they are out of scope.
The reality is that those organisations, which are global in nature, often do not pay due regard to UK law because they are acting all over the world and we are one of many jurisdictions. They are the threat vector that is allowing an attack into an organisation, but it then sits with the organisations that are attacked to deal with the fallout. Often, although they do not get away scot-free, they are outside legislative scrutiny and can carry on operating as they did before. That causes a vulnerability. The one-to-many attack route is a vulnerability, and at the moment the law is lacking in how it is equipped to deal with the fallout.
Jen Ellis: In terms of what the landscape looks like, our dialogue often has a huge focus on cyber-crime and we look a lot at data protection and that kind of thing. Last year, we saw the impact of disruptive attacks, but in the past few years we have also heard a lot more about state-sponsored attacks.
I do not know how familiar everyone in the room is with Volt Typhoon and Salt Typhoon; they were widespread nation-state attacks that were uncovered in the US. We are not immune to such attacks; we could just as easily fall victim to them. We should take the discovery of Volt Typhoon as a massive wake-up call to the fact that although we are aware of the challenge, we are not moving fast enough to address it. Volt Typhoon particularly targeted US critical infrastructure, with a view to being able to massively disrupt it at scale should a reason to do so arise. We cannot have that level of disruption across our society; the impacts would be catastrophic.
Part of what NIS is doing and what the CSRB is looking to do is to take NIS and update it to make sure that it is covering the relevant things, but I also hope that we will see a new level of urgency and an understanding that the risks are very prevalent and are coming from different sources with all sorts of different motivations. There is huge complexity, which David has spoken to, around the supply chain. We really need to see the critical infrastructure and the core service providers becoming hugely more vigilant and taking their role as providers of a critical service very seriously when it comes to security. They need to think about what they are doing to be part of the solution and to harden and protect the UK against outside interference.
David Cook: By way of example, NIS1 talks about reporting to the regulator if there is a significant impact. What we are seeing with some of the attacks that Jen has spoken about is pre-positioning, whereby a criminal or a threat actor sits on the network and the environment and waits for the day when they are going to push the big red button and cause an attack. That is outside NIS1: if that sort of issue were identified, it would not be reportable to the regulator. The regulator would therefore not have any visibility of it.
NIS2 and the Bill talk about something being identified that is caused by or is capable of causing severe operational disruption. It widens the ambit of visibility and allows the UK state, as well as regulators, to understand what is going in the environment more broadly, because if there are trends—if a number of organisations report to a regulator that they have found that pre-positioning—they know that a malicious actor is planning something. The footprints are there.
Freddie van Mierlo (Henley and Thame) (LD)
Q
Jen Ellis: You have covered a lot of territory there; I will try to break it down. If you look at the attacks last year, all the companies you mentioned were investing in cyber-security. There is a difficulty here, because there is no such thing as being bullet-proof or secure. You are always trying to raise the barriers as high as you can and make it harder for attackers to be successful. The three attacks you mentioned were highly targeted attacks. The example of Volt Typhoon in the US was also highly targeted. These are attackers who are highly motivated to go after specific entities and who will keep going until they get somewhere. It is really hard to defend against stuff like that. What you are trying to do is remove the chances of all the opportunistic stuff happening.
So, first, we are not going to become secure as such, but we are trying to minimise the risk as much as possible. Secondly, it is really complex to do it; we saw last year the examples of companies that, even though they had invested, still missed some things. Even in the discussions that they had had around cyber-insurance, they had massively underestimated the cost of the level of disruption that they experienced. Part of it is that we are still trying to figure out how things will happen, what the impacts will be and what that will look like in the long term.
There is also a long tail of companies that are not investing, or not investing enough. Hopefully, this legislation will help with that, but more importantly, you want to see regulators engaging on the issue, talking to the entities they cover and going on a journey with them to understand what the risks are and where they need to get to. If you are talking about critical providers and essential services, it is really hard for an organisation—in its own mind or in being answerable to its board or investors—to justify spend on cyber-security. If you are a hospital saying that you are putting money towards security programmes rather than beds or diagnostics, that is an incredibly difficult conversation to have. One of the good things about CSRB, hopefully, is that it will legitimise choices and conversations in which people say, “Investing time and resources into cyber-security is investing time and resources into providing a critical, essential service, and it is okay to make those pay-off choices—they have to be made.”
Part of it is that when you are running an organisation, it is so hard to think about all the different elements. The problem with cyber-security—we need to be clear about this—is that with a lot of things that we ask organisations to do, you say, “You have to make this investment to get to this point,” and then you move on. So they might take a loan, the Government might help them in some way, or they might deprioritise other spending for a set period so that they can go and invest in something, get up to date on something or build out something; then they are done, and they can move back to a normal operating state.
Security is not that. It is expensive, complex and multifaceted. We are asking organisations of all sizes in the UK, many of which are not large, to invest in perpetuity. We are asking them to increase investment over time and build maturity. That is not a small ask, so we need to understand that there are very reasonable dynamics at play here that mean that we are not where we need to be. At the same time, we need a lot more urgency and focus. It is really important to get the regulators engaged; get them to prioritise this; have them work with their sectors, bring their sectors along and build that maturity; and legitimise the investment of time and resources for critical infrastructure.
Alison Griffiths (Bognor Regis and Littlehampton) (Con)
Q
David Cook: The legislation talks about secondary legislation, so it allows for an agile, flexible programme whereby organisations can be brought within scope very quickly if concerns make that necessary. What that leaves us with, though, is that although legislation can be changed quickly, organisations often cannot. Where there is a definition, as we see with NIS2, as to which entities are in scope, organisations can embark on a multi-year programme to get into a compliant position. They can throw money at it, effectively.
What this legislation talks about, through the secondary legislation, is bringing organisations into scope and mandating specific security controls or specific requirements on those organisations in terms of security, but while the law might come in over a weekend, organisational change will not necessarily follow. There is a potential issue there. I can see the benefit and attractiveness of secondary legislation being used to achieve that aim, but having a clearer baseline as to what that sort of scope might look like—it could be ramped up or down, and the volume could be turned up or down, depending on need—would be more helpful. Reducing scope while diverging from NIS2 might be a benefit in terms of the commercial reality, but it might be a misstep in terms of security and the long tail that it takes to get more secure.
Bradley Thomas
Q
Dr Sanjana Mehta: May I weigh in on the second question first? It is good to note that the definition of reportable incident has expanded in the current legislation. One of the concerns that the post-implementation reviews had from the previous regulatory regime was that the regulated entities were under-reporting. We note that the Bill has now expanded the definition to include incidents that could have an adverse impact on the security and operations of network and information systems, in addition to those incidents that are having or have had a negative impact.
While that is clear on the one hand—some factors have been provided, such as the number of customers affected, the geographical reach and the duration of the incident—what is not clear at the moment is the thresholds linked with those factors. In the absence of those thresholds, our concern is that regulated entities may be tempted to over-report rather than under-report, thereby creating more demand on the efforts of the regulators.
We must think about regulatory capacity to deal with all the reports that come through to them, and to understand what might be the trade-offs on the regulated entities, particularly if an entity is regulated by more than one competent authority. For those entities, it would mean reporting to multiple authorities. For organisations that are small or medium-sized enterprises, there is a real concern that the trade-offs may result in procedural compliance over genuine cyber-security and resilience. We call on the Government for immediate clarification of the thresholds linked to those factors.
Jill Broom: I would like to come in on that point. Our members would agree with it. Companies need to be clear about what needs to be reported, when it needs to be reported and where they need to report it. A bit of clarity is required on that, certainly around definitions. As Sanjana said, it is good to see that the definition is expanding, but definitions such as “capable of having” a significant impact remain unclear for industry. Therefore, we need a bit more clarity, because again, it means that we could risk capturing absolutely everything that is out there, and we really want to focus on: what is most important that we need to be aware of? Determining materiality is essential before making any report.
In terms of the where and the how, we are also in favour of a single reporting platform, because that reduces friction around the process, and it allows businesses, ultimately, to know exactly where they are going. They do not need to report here for one regulator and there for another. It is a streamlined process, and it makes the regime as easy as possible to deal with, so it helps incentivise people to act upon it.
I have another point to add about the sequencing of alignment with other potential regulation. We know that, for example, the Government’s ransomware proposals include incident-reporting requirements, and they are expected to come via a different legislative vehicle. We need to be careful not to add any additional layers of complexity or other user journeys into an already complex landscape.
Freddie van Mierlo
Q
Secondly, Dr Mehta, you spoke earlier about what is not in scope in this legislation. I am particularly interested in the fact that local government is not included in it, because it has a critical role in electoral services and in local and national democracy. What do you think are the threats from leaving local government out of scope?
Jill Broom: I think that generally, our members would always call for alignment, where possible, in any kind of legislation that spans the geographies. But we understand that the Bill focuses on a particular sector—the critical national infrastructure in the UK—and we welcome the intent of it.
Dr Sanjana Mehta: On sectoral scope, with the way that the Bill is currently drafted, there is obviously flexibility to introduce new sectors, and to bring in more provisions and guidance through secondary legislation and additional guidance. That being said, our recommendation is certainly to expand the sectoral scope at this stage by bringing in public administration.
There are a number of key reasons for that. First, public administration needs to be role model of good cyber-security to the rest of the economy. I think it was the 2025 state of digital government review that pointed out that the risk of cyber-attacks on Government is critical. You mentioned local government, but there are also central Government Departments that hold and process vast amounts of personal and sensitive information; I think, for example, DWP administered £288 billion of benefits over the past year. More than 23 million people claimed some sort of benefits from DWP and, in responding to those claims, DWP must have processed huge amounts of very sensitive medical and financial information on individuals. We think it is an omission to leave it out, and we recommend that the Government consider bringing it into scope.
Lincoln Jopp (Spelthorne) (Con)
Q
Stuart McKean: I do not think the cyber-criminal really cares, to be blunt. They will attack anywhere. You can, of course—
Freddie van Mierlo
Q
Dr Ian Levy: In October 2025, we had an incident that had quite a widespread impact. We have engaged with regulators around the world, including multiple regulators in the UK, to explain what happened. We published, quite transparently, what had happened during the incident and afterwards. Explaining how the part of the organisation that had built that particular system works is very time-consuming. It is also almost certainly out of date by the time we have finished. In that particular case, it was something called a “race condition”, which is a well understood computer-science hard problem. No amount of regulation or legislation would have made a difference, because it was a race condition, and they are incredibly hard to find in software.
I think that regulating outcomes is the right answer, and making sure that we are doing due diligence, and that our view of appropriate risk management is broadly the same as yours, without making us a national security entity. That is the challenge. How we run our business is not really relevant; it is the outcomes that matter.
Matt Houlihan: It is increasingly important that businesses, parliamentarians and Government officials work together on these issues. As we said earlier, the pace of change in terms of the technology, and indeed the business environment—at both the UK and global levels—is moving very quickly. Having that exchange of information will be important.
It is important—from an international business point of view—that regulation is as aligned as is practicable with the other jurisdictions that a lot of the companies here will be working in. That will not only benefit companies that are headquartered elsewhere and operate in the UK; it will benefit UK-headquartered companies that are looking to expand abroad. It must also be proportionate and targeted. I think that at the nub of your question, there is clearly a need, going forward, for strong co-operation and the sharing of expertise and experiences.