Cyber Security and Resilience (Network and Information Systems) Bill

The Parliamentary Under-Secretary of State for Science, Innovation and Technology (Kanishka Narayan)

First and foremost, I thank all Members for their contributions to the debate. I am glad that the House has welcomed the Bill, with deep expertise shown by Members on both sides of the House. Of course, Members have asked questions and I will try to share the Government’s approach. Before that, let me set out what is at stake.

The UK is the most cyber-attacked country in Europe. In 2024, more than 600,000 businesses were subject to a cyber-attack, the average cost of which was just over £190,000. The cost of cyber-attacks to UK businesses in aggregate is estimated to be £14.7 billion a year. The personal experience of my hon. Friend the Member for Northampton South (Mike Reader) is on my mind, as well as the facts that my hon. Friend the Member for Warwick and Leamington (Matt Western) shared, such as the most common password in this country being “password”, and, indeed, the comments of my hon. Friend the Member for Mid Cheshire (Andrew Cooper) about Buffy the Vampire Slayer being an effective name deployed in some contexts. The combination of aggregate impacts and such personal experiences is the motivation for the Bill.

National security is the first responsibility of any Government. Cyber-threats have grown and the previous Government failed to move fast enough in the light of that. This Government are acting robustly to ensure that the British public are secure. The big message is, “Let’s ditch legacy systems and platforms and move to a more secure future.” We have done that by ditching the Conservative party; it is time to do it across our economy.

Let me deal with some of the themes that hon. Members raised, especially threats from AI that will emerge in future. The right hon. Member for Hertsmere (Sir Oliver Dowden) and my hon. Friend the Member for Congleton (Sarah Russell) mentioned those threats. AI will almost certainly continue to make elements of cyber-intrusion operations more effective and efficient, and cyber-threats more frequent and intense. That is why it is important that organisations take steps to bolster their cyber-defences. Under the Bill, organisations must have regard to the state of the art when maintaining the security of their network and information systems. That applies not only to cyber-defences, but to cyber-threats.

The right hon. Member for Hertsmere mentioned agentic AI, and I am conscious that it will be a particular risk. A significant source of mitigation must be the quality of our capability in the private sector, but also in the public sector. I pay tribute to the work of the AI Security Institute, which is right at the frontier of understanding the risk of agentic AI.

Several Members asked questions about scope. Of course, there is a significant risk across our economy, but we have chosen to focus, as NIS regulations have historically done, on essential services, the failure of whose network and information systems poses an imminent threat to life for the British public. For that reason, the scope of the Bill is tight. That is not to say that other businesses should not do a great deal to protect themselves against cyber-attacks. However, the Government need assurances that the resilience to cyber-attack of essential services, the disruption of which would have the most profound consequences for public safety, national security and economic stability, is prioritised. Of course, businesses outside the scope of the Bill should make it a critical business priority to gain the same assurance without the need for as much Government intervention.

I am aware of the points made by my hon. Friends the Members for Lichfield (Dave Robertson) and for Warwick and Leamington, the Chair of the Joint Committee on the National Security Strategy, as well as by my hon. Friend the Member for Newcastle upon Tyne Central and West (Dame Chi Onwurah), the Chair of the Science, Innovation and Technology Committee, on Jaguar Land Rover. In that instance, the Government acted swiftly in exceptional circumstances by providing a £1.5 billion loan guarantee to protect jobs, support businesses in the supply chain, and preserve this vital part of British industry. However, as the hon. Member for Exmouth and Exeter East (David Reed) noted, that should not be the expectation on Government; businesses must look to their own defences as a matter of corporate responsibility.

David Reed

Will the Minister give way on that point?

Kanishka Narayan

I might just make a bit of progress.

My hon. Friend the Member for Warwick and Leamington mentioned the food sector and food retailers, given recent attacks. Following the attacks on Marks & Spencer and Harrods, my hon. Friend the Minister for Food Security and Rural Affairs has written to and engaged deeply with the chief executive officers of major food retailers to advise on how the food sector can best protect itself from cyber-threats.

There is a broader question about sectors that are not regulated by this Bill, which has been raised by numerous Members from across the House. The fact that a sector is not regulated under the Bill does not mean that organisations in it cannot protect themselves against cyber-attacks. As I said, the Bill is not designed to cover every sector. Where sectors are covered by existing regulations, and where the Government do not consider it essential to regulate a sector through the Bill, we have taken a proportionate approach. Introducing blanket coverage for whole new sectors would create extensive regulatory burdens for more of our economy, stifling economic growth. At the same time, this Bill will enable the Government to bring more sectors into scope in the future, and to take swift action if national security is at risk.

The Bill sits alongside a series of actions that the Government have taken. I highlight in particular the fact that the Government have written to UK businesses and trade bodies across sectors to make sure that they are embedding cyber essentials across their supply chains, that they are making cyber-resilience a board-level priority, and that the NCSC’s early warning system and advice is heeded.

Both Conservative Front Benchers, the Liberal Democrat spokesperson, the hon. Member for Harpenden and Berkhamsted (Victoria Collins), and my hon. Friend the Member for Congleton spoke about coverage of the public sector. The public sector requires a significant step change in cyber and digital resilience. As has been mentioned numerous times, today we have published the Government’s cyber action plan, backed by £210 million of investment. The plan takes decisive action and holds Government Departments accountable for their cyber-security and resilience, as well as providing them with more direct support and services, and co-ordinating responses to fast-moving incidents.

I will take up the point made by the right hon. Member for New Forest East (Sir Julian Lewis) about the juiciness of local government digital provision. I share his enthusiasm. The Government’s cyber action plan takes into account wider Government and public sector coverage. In fact, it strengthens, clarifies and joins up how lead Government Departments hold the wider public sector, including local government, to account for improved and equivalent cyber-resilience.

I will make an observation about the points raised about not just reporting and assessment, but recovery and resilience. I flag to hon. Members from right across the House that our proposals for security and resilience requirements are being prepared for secondary legislation. They will align with the NCSC’s cyber assessment framework, which relates to effective response and recovery. A consultation is likely in the year ahead.

There were a series of questions and comments about regulators, and proportionate and effective regulation. The Bill allows regulators to make sure that they are well resourced to carry out their duties, and can charge reasonable fees to cover more of the cost of their activities under the regime. It will enhance the regulators’ impact by ensuring clearer information gateways and increased incident reporting, and establishes a unified set of objectives. The shadow Secretary of State talked about regulators not finding enough incidents, and about them finding too many, but I will let her work out the obvious contradiction in her position.

I say in response to the right hon. Member for Hertsmere that there is clear scope for AI capability to be used in triage. I very much hope that the reviews that the Secretary of State must undertake—they are embedded in the Bill’s requirements—will ensure that we look at efficient ways that regulators can do that.

The Chair of the Science, Innovation and Technology Committee, my hon. Friend the Member for Newcastle upon Tyne Central and West, made a point about the frequency and quality of the reviews of the regime in this Bill. The Department for Science, Innovation and Technology will monitor and evaluate the new framework in reviewing the effectiveness of the regime. The Bill requires the Secretary of State to lay before Parliament a report on the operation of certain NIS legislation, and to publish one at least every five years. It will be an extensive review, so we want to make sure that it is proportionate, rather than overly frequent. The commitments made by the Secretary of State to the Chair relate primarily to the Bill.

In response to the points made by my hon. Friends the Members for Warwick and Leamington, and for Mid Cheshire, about the possibility of a cross-sectoral cyber regulation approach, I flag that 12 regulators are responsible for enforcing this regime, because different sectors rely on different technologies, and have very different risk attitudes and responses to vulnerabilities. It is right that we use sector expertise to address sector-specific issues.

The hon. Member for Bognor Regis and Littlehampton (Alison Griffiths) made an appropriate point about enterprise IT and operational technology being differentiated. That is why we have used a sectoral lens; it is a very tractable way of differentiating the risk factors. We have set out a sectoral approach, but that does not preclude the Secretary of State from setting out, in a statement of strategic priorities, the possibility of co-ordination and information sharing across regulators.

In response to the points made by the Liberal Democrat spokesperson, the hon. Member for Harpenden and Berkhamsted, as well as the hon. Member for Exmouth and Exeter East, about making sure that incident thresholds are clear and proportionate, the 24-hour light-touch notification requirement is proportionate. All that is needed is information alerting the regulator and the National Cyber Security Centre to the nature of the incident; the system does not rely on over-regulation. With the exception of data centres, reportable incidents that affect operators of essential services would need to have affected the operation of significant network and information systems right across the entity, and to have a significant national security impact. That is extremely unlikely to include minor matters, such as the receipt of a phishing email.

The Chair of the Treasury Committee, my hon. Friend the Member for Hackney South and Shoreditch (Dame Meg Hillier), made a point about financial services organisations, and I respond simply by flagging that UK financial services are resilient against cyber-threats. The threats are of course growing, but the regulatory approaches taken by the Financial Conduct Authority, the Prudential Regulation Authority and the Bank of England were among the sources for the approach we have taken in this Bill. Regulatory overlap was mentioned; this Government will make sure that businesses that have to navigate multiple regulatory frameworks with multiple services will face minimal burdens. We will work with our regulators and international authorities, including those in the EU, on the implementation of the Bill.

Turning to the impact on business, and the Bill ensuring a proportional approach to security, the Government will regulate only when that is necessary to protect our economy and our country from serious harm. A single attack can disrupt hospitals, transport and vital services, putting lives at risk, and we will not gamble with our economy or our people’s safety. The cost of doing nothing is, of course, too great. As I have mentioned, cyber-attacks drain almost £15 billion a year from UK businesses. At the same time, this Bill takes a proportionate approach to ensuring the safety of British people.

Board-level responsibility was brought up by a number of Members from across the House. I simply say that all business leaders need to take responsibility for their organisation’s cyber-resilience. On 13 October last year, the Government wrote to chief executives, requesting that they make cyber-security a board-level responsibility. The Government’s new cyber governance code of practice focuses on the governance of cyber risk specifically, and we will consider using secondary legislation to require companies to clarify their cyber-security responsibilities at board level.

A number of Members raised the issue of the effect on small and medium-sized businesses. Growth is the Government’s No. 1 mission, and small businesses are the engine room of that growth. They provide many of our most important services. That is exactly why small and, particularly, micro-sized managed or digital services are exempt from regulation under this Bill. They can be regulated only if they are designated as critical suppliers, and there will be an extremely high bar for designation. That should answer the question from my hon. Friend the Member for Mid Cheshire about companies meeting the bar for designation. A point was made about the ability of small businesses to tell quickly whether they are in scope. The regulator will complete an investigation process, which will include giving notices and having consultations with relevant businesses, prior to confirming whether an organisation meets the criteria for being in scope. That process needs to be robust, but we hope to make sure that those regulatory processes are proportionate, too.

I turn to a critical question from my hon. Friend the Member for Milton Keynes Central (Emily Darlington), my right hon. Friend the Member for Oxford East (Anneliese Dodds) and the hon. Member for Ceredigion Preseli (Ben Lake) on long-term sovereignty and capability in this country. Over the last decade and a half, the Conservative party in government sold this country’s strategic leverage over the primary sector, software and digital infrastructure. We will not repeat that mistake. We have already committed, right across the board, to extremely robust digital sovereignty measures. We have committed £500 million to a sovereign AI fund. We have made sure that there are tens of billions of pounds pouring into this country as capital infrastructure for AI, and British firms like Nscale are right at the heart of that. There is an advanced market commitment to cloud compute, to make sure that British companies are right at the heart of the provision of core infrastructure in future. Through the British Business Bank, we are committing tens of billions.

David Reed

We talk about sovereign capability, but how can we have fully sovereign capability when we do not own the means of production of most advanced chips?

Kanishka Narayan

I point the hon. Member to a thriving compound semiconductor cluster in south Wales, as well as chip manufacturing companies. If he doubts how advanced Arm is—the primary chip design company in the world—I would advise him to read a primer on the chip company supply chain.

The Government are pursuing a clear sense of digital sovereignty. On China, I flag that we are taking stronger action to protect our national security, including our critical national infrastructure, as well as making sure that, where appropriate, we look for opportunities for co-operation. The national security strategy, the independent review of state threat legislation and our new powers on counter-terrorism will make sure that we do that.

I am conscious that I am testing your patience, Madam Deputy Speaker, so I will simply flag a final point. The “whole society” approach was mentioned by a number of right hon. and hon. Members. We are making a series of investments in skills to ensure that young people are inspired to pursue careers in cyber-security. On the points made by my hon. Friends the Members for South East Cornwall (Anna Gelderd), and for Portsmouth North (Amanda Martin), I am deeply passionate about ensuring that young people—young women and girls, in particular—in their areas, Wales and across the country pursue thriving careers in cyber-security.

National security is the first responsibility of this Government. The Bill could not be more necessary for confronting developments in global cyber-threat. I thank all right hon. and hon. Members for their engagement with the Bill as it progresses. I encourage them to engage deeply. To all rogue organisations with hackers at the helm—I do not just mean the Conservative party—I say this: your time is up. With this Bill, we will make sure that the British public are secure.

Question put and agreed to.

Bill accordingly read a Second time.

Cyber Security and Resilience (Network and Information Systems) Bill: Programme

Motion made, and Question put forthwith (Standing Order No. 83A(7)),

That the following provisions shall apply to the Cyber Security and Resilience (Network and Information Systems) Bill:

Committal

(1) The Bill shall be committed to a Public Bill Committee.

Proceedings in Public Bill Committee

(2) Proceedings in the Public Bill Committee shall (so far as not previously concluded) be brought to a conclusion on Thursday 5 March 2026.

(3) The Public Bill Committee shall have leave to sit twice on the first day on which it meets.

Consideration and Third Reading

(4) Proceedings on Consideration shall (so far as not previously concluded) be brought to a conclusion one hour before the moment of interruption on the day on which those proceedings are commenced.

(5) Proceedings on Third Reading shall (so far as not previously concluded) be brought to a conclusion at the moment of interruption on that day.

(6) Standing Order No. 83B (Programming committees) shall not apply to proceedings on Consideration and Third Reading.

Other proceedings

(7) Any other proceedings on the Bill may be programmed.—(Jade Botterill.)

Question agreed to.

Cyber Security and Resilience (Network and Information Systems) Bill (Money)

King’s recommendation signified.

Motion made, and Question put forthwith (Standing Order No. 52(1)(a)),

That, for the purposes of any Act resulting from the Cyber Security and Resilience (Network and Information Systems) Bill, it is expedient to authorise the payment out of money provided by Parliament of:

(1) any expenditure incurred under or by virtue of the Act by the Secretary of State or another public authority, and

(2) any increase attributable to the Act in the sums payable under or by virtue of any other Act out of money so provided.—(Jade Botterill.)

Question agreed to.

Cyber Security and Resilience (Network and Information Systems) Bill (Ways and Means)

Motion made, and Question put forthwith (Standing Order No. 52(1)(a)),

That, for the purposes of any Act resulting from the Cyber Security and Resilience (Network and Information Systems) Bill, it is expedient to authorise:

(1) the imposition of charges under or by virtue of the Act; and

(2) the payment of sums into the Consolidated Fund.—(Jade Botterill.)

Question agreed to.

Cyber Security and Resilience (Network and Information Systems) Bill (Carry-over)

Motion made, and Question put forthwith (Standing Order No. 80A(1)(a)),

That if, at the conclusion of this Session of Parliament, proceedings on the Cyber Security and Resilience (Network and Information Systems) Bill have not been completed, they shall be resumed in the next Session.—(Jade Botterill.)

Question agreed to.