Cyber Security and Resilience (Network and Information Systems) Bill
Debate between Julia Lopez and Andrew CooperTuesday 6th January 2026
(6 days, 14 hours ago)
Commons ChamberRead Full debate Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 View all Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 Debates Read Hansard Text Read Debate Ministerial Extracts
Julia Lopez
Absolutely. The hon. Gentleman is correct: this is fundamentally about culture—that is the point that I am making. We can pass as many regulations as we like, but a lot of the holes in our cyber-security systems come down to human frailties. That means this challenge is not just about new laws but about changing a number of things to make us more resilient.
It is right not to dictate technical standards in primary law that will soon be outdated in the fast-moving world of technology, so the question is whether this law has the right mix of carrot and stick to make affected firms act in a way that raises the security bar—there are several areas where we fear it may not.
First, there is potentially an enforcement paradox. The Bill expands regulatory powers and increases the scale of potential fines, but the evidence from the existing regime does not suggest definitively that fines and new regulations deliver us greater cyber-resilience. Under the current NIS regulations, enforcement has been slow, inconsistent and often toothless. Very few significant penalties have been issued. Where they have been issued, the delay between incident and sanction has sometimes stretched beyond two years. That delay matters, because it actively undermines deterrence and disconnects accountability from operational reality. Simply widening the scope of regulation without ensuring that regulators are properly resourced, empowered and required to act quickly risks creating obligations that exist on paper but lack any real-world bite.
We also have concerns about the Bill’s cost recovery model. Funding regulators through levies on the organisations that they oversee risks unintended consequences in terms of improving our resilience. For large firms, the cost burden may be manageable, but for smaller enterprises it amounts to an additional operational tax that could divert scarce capital away from cyber-defence, staff training and innovation.
There is also a structural risk here. Regulators that are reliant on fee income might face incentives to expand scope and complexity unnecessarily, creating bureaucratic drag that crowds out voluntary, market-led initiatives, which often raise standards more effectively than prescriptive regulation.
More generally, I worry that this Bill will play into tech monopolies. The companies that thrive in this kind of environment are those with big compliance and legal departments. That concentrates risk and makes our tech economy less diverse, with serious implications that I shall come on to.
There may be reporting challenges too. A two-stage reporting process within 24 and 72 hours may be achievable for large, well-resourced organisations with in-house cyber teams, but for smaller operators it risks creating a compliance culture focused on speed, not substance.
There is also the danger of duplication. Many organisations already face overlapping reporting obligations under UK GDPR, sectoral rules and existing legislation. Without simplification and proportionality, the administrative load could be significant, once again diverting attention and resource from the very cyber-threat management that the Bill seeks to improve. We need to avoid this legislation becoming a “something must be done” Bill that totally misses the mark.
The Bill also fails to grapple properly with the human factor in cyber-security, which has already been talked about by the hon. Member for Harlow (Chris Vince). Technology alone does not keep organisations safe; governance matters. Yet board-level ownership of cyber-risk is moving in the wrong direction. Only 27% of businesses now have a board member explicitly responsible for cyber-security, down from 38% just three years ago. Without mechanisms to ensure senior accountability, fines risk becoming little more than a cost of doing business. Directors remain insulated while operational teams are left to carry the can. National cyber-resilience depends not just on systems and software, but on leadership, culture and accountability at the very top.
For those reasons, ahead of Committee consideration, we on the Opposition Benches are examining how the legislation can be strengthened, while continuing to support its core objectives. In the meantime, regulators must be properly equipped with the right powers, resources and clarity from Parliament on the intent of the law. Sanctions must be applied swiftly and consistently, and guidance must be clear, so that enforcement is credible and deterrence is real.
The Government should also look at how reporting obligations are calibrated. A one-size-fits-all approach might place disproportionate burdens on smaller firms, and it might be better to ensure that reporting thresholds reflect the size, complexity and risk profile of an organisation.
Equally, the funding of regulators must be transparent and predictable. There have to be safeguards against regulatory expansion for its own sake and firm assurances that funds raised are reinvested directly into improving national cyber-resilience, not absorbed by administrative overheads. While the Bill rightly prioritises critical national infrastructure, it cannot afford to ignore high-risk sectors that sit beyond its immediate scope.
There is also a major role for market-based solutions. Cyber insurance, sector-wide intelligence sharing and collaborative resilience initiatives can all complement regulation. These tools can reduce risk and improve preparedness without adding unnecessary legislative complexity.
The review cycle set out in the Bill may be too slow for the threat landscape we face and the pace of technological change. Annual or biannual reviews might allow Parliament to scrutinise effectiveness, respond to emerging threats and ensure that the legislation remains fit for purpose.
Let me make some more general points about the Government’s approach to cyber-security and resilience, and issues about the risk of dependence and threat from adversaries. I see no evidence from this Government that they are thinking with any clarity about the risks of long-term technological dependency and lock-in—quite the opposite, in fact. Large parts of our economy now depend on secure, high-quality digital infrastructure, and that reliance will only increase as AI advances. Whoever provides that infrastructure will wield huge future leverage. It was that reality that ultimately drove the change of heart over Chinese tech sitting at the core of our 5G telecom networks a few years ago.
However, the Government are seemingly betting every chip on US hyper-scalers. They provide our data centres, supply the platforms on which Government Departments are run and, more often than not, are the ones winning all the Government contracts. These investments will provide our companies with things that they need, from compute power to increasingly sophisticated AI platforms, but the UK is doing little simultaneously to mitigate our increased technological dependency. When I say “technological”, we need to understand that technology is what we now run our defence systems, factories, energy networks and communications on. Technology is the plumbing of our nation.
During September’s much crowed-about state visit by President Trump, this Government were visibly begging for good economic headlines after the humiliating resignations of the Deputy Prime Minister and the ambassador to the US, not to mention the uncontainable mess of the Chancellor’s first Budget and the threat of her second Budget. The US-UK tech partnership was the result, with a huge amount of smoke and mirrors deployed over what it actually contained. Whatever substance lay within it, we heard just before Christmas that it had been paused, used as leverage by the US while other trade negotiations were under way.
I am not criticising the US Administration for skilfully playing their hand in their national interest; I am asking this Government rapidly to wake up to the reality of a new world in which the post-war settlement is coming to an end—one that has been giving clues to its existence for many years, since long before President Trump came into office. The United States remains a vital ally, but in this new era Britain must be very clear-eyed about risk, the reality of hard power and the need to protect our sovereign interests.
Cyber-risk requires as much thought about the fundamentals of plumbing as it does about the laws that try to manage how humans use or exploit technology. The UK Government have a vast procurement budget for which our own firms ought to be able to make a successful bid, but UK tech tells me consistently that, for all the talk in the Government’s AI strategy of sovereign tech capability, it has not got a look-in since Labour has been in power. I am concerned that this Bill should not introduce new, burdensome regulation for UK firms in a way that benefits non-UK incumbents with giant compliance teams and legal resources in a way that would exacerbate the risk of vendor lock-in.
Let us turn to another risk. The private sector will have noticed that the new obligations in this Bill broadly do not touch the public sector, where cyber-risk remains red-light-flashingly large, notwithstanding the public cyber strategy that was thrown out today in implicit acknowledgment of that gaping hole. Knowing that the public sector holds such enormous cyber-risk, this Labour Government choose not to minimise it, but to create a brand-new one—a hulking great identity system mandated for anyone who wants a job and, we now hear, possibly for new-born babies. It is mandatory identity by stealth, not consent, and with no honesty about it.
It is not to be against the ability of people to verify themselves digitally for banking, to access certain online services or to stop fraud to think that Labour’s mandated digital identity plan is a complete rotter. The Association of Digital Verification Professionals called what Labour inherited on digital identity a
“world-leading model for data sovereignty that digitised liberty rather than diluted it”.
The citizen, not Government, would be in control. This naive Government are crowding out private sector expertise and making everyone have one of these identities by stealth. They have no idea what this system will cost, and they will not be honest about what it will be used for.
What of the cyber-security of this system? The system on which this digital identity will be run was breached during red team testing last year. When I asked the Secretary of State if that system has now met the National Cyber Security Centre’s cyber-security standard, no answers came. Whistleblowers have continued to speak out about the vulnerabilities of the system, and there is no sense whatsoever from Government that the dodgy digital identity plan will be paused until such a point when they are confident about cyber-security.
Andrew Cooper (Mid Cheshire) (Lab)
I am absolutely staggered to hear the shadow Secretary of State talk about standard software testing practices as though someone is doing wrong by trying to penetrate systems and find flaws in them. Is not the whole point of software testing to find the flaws in a system and get them fixed, rather than parading them in front of the House of Commons as though they are some sort of failure?
Julia Lopez
The hon. Gentleman is wilfully misinterpreting what I am saying. There is not an issue with having systems tested; there is an issue with the fact that the system test failed. There is no evidence that the Government have therefore acted to deal with those systemic failures.
Julia Lopez
The whistleblowers continue to raise serious concerns about the structures upon which the Government’s digital identity platform will be built. The hon. Member looks absolutely outraged that I might suggest there are some concerns about the cyber-security risk of a national, mandated digital identity platform. I find it extraordinary that he suggests that I am expressing concerns that a system might be tested. Of course every system must be robustly tested—that is not the point I am trying to make, and the hon. Member is being wilfully ludicrous in suggesting otherwise. This Prime Minister cannot run an economy, keep promises or control his Back Benchers, or his Front Benchers, so how on earth does anybody think he can run a secure digital identity system?
At the same time as risking technological lock-in by friendly allies, we are creating new vulnerabilities for adversaries to attack. Just before Christmas, UK intelligence agencies warned about increasing, large-scale cyber-espionage from China, targeting commercial and political information. We discovered from Ministers that the Foreign Office itself was the subject of a major cyber-attack in October, which officials believe was carried out by Chinese hackers, and this came in the midst of a major row between the Government and the Crown Prosecution Service about the prosecution of spies operating here in Parliament.
We will be looking closely at this legislation to identify where the Government should be addressing this cyber-reality with much greater force. An approach to cyber-resilience that looks only at introducing new regulations and compliance burdens without thinking through risks such as a mandated identity scheme, dependence on non-sovereign suppliers, the malign intent of other nations, and a failure to build up our own workforce and skills is one that will fail.